Thread: scram-sha-256 authentication
The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/11/auth-password.html Description: How do you encode a plain password to the corresponding SCRAM-SHA-256 encryption? Using online tools I obtain a result in a different format the in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value starts with "SCRAM-SHA-256$4096:".
On 1/4/21 12:04 PM, PG Doc comments form wrote: > The following documentation comment has been logged on the website: > > Page: https://www.postgresql.org/docs/11/auth-password.html > Description: > > How do you encode a plain password to the corresponding SCRAM-SHA-256 > encryption? Using online tools I obtain a result in a different format the > in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value > starts with "SCRAM-SHA-256$4096:". It's better to ask these questions in one of the community support areas[1] as the form on the documentation page is intended for documentation suggestions/corrections. I will provide some guidance below :) I am not sure what your end goal is, but there are a few ways to create the hashed SCRAM verifier: - Using the \password flag in "psql" - Using one of the connection drivers that interfaces with libpq's PQencryptPasswordConn function[2] - Some driver's handle the password hashing independently If those are not acceptable, I also have a talk that goes through an example for how to create a SCRAM verifier and what the different parts mean[3] as well as an example of creating the verifier in Python[4]. In terms of how things start above, i.e. "SCRAM-SHA-256$4096:" that presents the hashing function to use and the number of iterations to use to hash the password (similar to PBKDF2). The full verifier has the following components with the following delimters: DIGEST$ITERATIONS:SALT$STORED_KEY:SERVER_KEY Hope this helps, Jonathan [1] https://www.postgresql.org/support/ [2] https://www.postgresql.org/docs/current/libpq-misc.html#LIBPQ-PQENCRYPTPASSWORDCONN [3] https://www2.slideshare.net/jkatz05/get-your-insecure-postgresql-passwords-to-scram [4] https://gist.github.com/jkatz/e0a1f52f66fa03b732945f6eb94d9c21
Attachment
On Tue, Jan 05, 2021 at 09:12:58AM -0500, Jonathan S. Katz wrote: > I am not sure what your end goal is, but there are a few ways to create > the hashed SCRAM verifier: > > - Using the \password flag in "psql" > - Using one of the connection drivers that interfaces with libpq's > PQencryptPasswordConn function[2] > - Some driver's handle the password hashing independently Another thing to be careful about is the value of password_encryption in postgresql.conf. The default has been changed to scram-sha-256 in c7eab0e, meaning that this change will be available in Postgres 14~. But if your environment is using the default configuration of 11, that may be set to "md5". -- Michael
Attachment
Hi Jonathan and Michael,
Thank you for the quick reply, I will ask my questions in community support areas from now on, my apologies.
Your answers were very helpful. I will use psql’s \password command to set the users’ passwords for me instead of trying to generate and set the encoded password myself. I tried out this solution with success.
Best regards,
Sébastien
On 6 Jan 2021, at 02:57, Michael Paquier <michael@paquier.xyz> wrote:On Tue, Jan 05, 2021 at 09:12:58AM -0500, Jonathan S. Katz wrote:I am not sure what your end goal is, but there are a few ways to create
the hashed SCRAM verifier:
- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's
PQencryptPasswordConn function[2]
- Some driver's handle the password hashing independently
Another thing to be careful about is the value of password_encryption
in postgresql.conf. The default has been changed to scram-sha-256 in
c7eab0e, meaning that this change will be available in Postgres 14~.
But if your environment is using the default configuration of 11, that
may be set to "md5".
--
Michael