BUG #14661: authentication behavior(SCRAM-MD5)

BUG #14661: authentication behavior(SCRAM-MD5)

asotolongo
The following bug has been logged on the website:

Bug reference:      14661
Logged by:          Anthony Sotolongo León
Email address:      [hidden email]
PostgreSQL version: 10beta1
Operating system:   Ubuntu 14.04
Description:        

I have a pg_hba.conf like this:

host    all             usuario         0.0.0.0/0            scram-sha-256
host    all             postgres        0.0.0.0/0            scram-sha-256

and my users with md5 password encryption:
select usename,passwd from pg_shadow ;

 usename  |               passwd
----------+-------------------------------------
 postgres | md50005a4b0ccaccbd18bcf64e90e242c90
 usuario  | md541f55d102ea5687e95fb361019a12da4

and when I try to log in, the login fails and returns this error:

2017-05-19 16:51:20.312 CEST [1418] FATAL:  la autentificación password
falló para el usuario «postgres»
2017-05-19 16:51:20.312 CEST [1418] DETALLE:  User "postgres" does not have
a valid SCRAM verifier.
        La conexión coincidió con la línea 83 de pg_hba.conf: «host    all        
   postgres        0.0.0.0/0            scram-sha-256»


I think that is correct, but when I have the following configuration:
pg_hba.conf
host    all             usuario         0.0.0.0/0            md5
host    all             postgres        0.0.0.0/0            md5

and my users with SCRAM encryption
postgres=# select usename,passwd from pg_shadow ;
 usename  |                                                          passwd
----------+-------------------------------------------------------------------------------------------------------------------------------
 usuario  | SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=
 postgres | SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=
(2 filas)


and when I try to log in, the login succeeds.
Is this behavior correct?

Greetings




--
Sent via pgsql-bugs mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
Re: BUG #14661: authentication behavior(SCRAM-MD5)

Heikki Linnakangas
On 05/19/2017 06:05 PM, [hidden email] wrote:

> I think that is correct, but when I have the following configuration:
> pg_hba.conf
> host    all             usuario         0.0.0.0/0            md5
> host    all             postgres        0.0.0.0/0            md5
>
> and my users with SCRAM encryption
> postgres=# select usename,passwd from pg_shadow ;
>  usename  |                                                          passwd
> ----------+-------------------------------------------------------------------------------------------------------------------------------
>  usuario  | SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=
>  postgres | SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=
> (2 filas)
>
>
> and when I try to log in, the login succeeds.
> Is this behavior correct?

Yeah, "md5" in pg_hba.conf really means "md5 or scram-sha-256, depending
on what kind of password hash the user has".

The documentation at
https://www.postgresql.org/docs/devel/static/auth-methods.html#auth-password 
tries to explain it:

> scram-sha-256 performs SCRAM-SHA-256 authentication, as described in
> RFC5802. It is a challenge-response scheme, that prevents password
> sniffing on untrusted connections. It is more secure than the md5
> method, but might not be supported by older clients.
>
> md5 allows falling back to a less secure challenge-response mechanism
> for those users with an MD5 hashed password. The fallback mechanism
> also prevents password sniffing, but provides no protection if an
> attacker manages to steal the password hash from the server, and it
> cannot be used with the db_user_namespace feature. For all other
> users, md5 works the same as scram-sha-256.


- Heikki



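The rule Heikki describes can be checked before a role is locked out: given the stored verifier type and the pg_hba.conf method, predict which mechanism the server will negotiate and flag the combinations that end in the "does not have a valid SCRAM verifier" FATAL from the report. This is an added audit script, not code from the thread or from PostgreSQL; the sample hashes and pg_hba.conf rules are constructed placeholders, and the pg_hba.conf parser is deliberately simplified (host lines only, no +group or comma lists).

```python
import re

# Verifier formats PostgreSQL 10 can store in pg_authid.rolpassword
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")

def verifier_kind(passwd):
    # Classify the stored verifier: 'scram-sha-256', 'md5', 'none' or 'unknown'
    if not passwd:
        return "none"
    if SCRAM_RE.match(passwd):
        return "scram-sha-256"
    return "md5" if MD5_RE.match(passwd) else "unknown"

def negotiated_method(hba_method, passwd):
    """Mechanism the server actually runs, or None when the login cannot succeed."""
    kind = verifier_kind(passwd)
    if kind in ("none", "unknown"):
        return None
    if hba_method == "scram-sha-256":
        return kind if kind == "scram-sha-256" else None   # no fallback to MD5
    if hba_method == "md5":
        return kind            # 'md5 or scram-sha-256, depending on the stored hash'
    if hba_method == "password":
        return "password"      # cleartext on the wire, checked against either hash
    return None                # non-password methods are out of scope here

def parse_hba(text):
    """Parse 'host DB USER ADDRESS METHOD' rules; comments and blank lines skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] == "host":
            rules.append({"user": fields[2], "method": fields[4]})
    return rules

def audit(hba_text, roles):
    """First matching host rule per role (by name or 'all'); None means the login
    fails, e.g. the FATAL 'does not have a valid SCRAM verifier' case."""
    rules = parse_hba(hba_text)
    report = {}
    for name, passwd in roles.items():
        rule = next((r for r in rules if r["user"] in (name, "all")), None)
        report[name] = negotiated_method(rule["method"], passwd) if rule else None
    return report

# Constructed sample data (placeholder hashes, not the values from the report)
HBA_SCRAM = "host all all 0.0.0.0/0 scram-sha-256\n"
HBA_MD5 = "host all all 0.0.0.0/0 md5\n"
MD5_ROLES = {"postgres": "md5" + "0" * 32, "usuario": "md5" + "1" * 32}
SCRAM_ROLES = {"postgres": "SCRAM-SHA-256$4096:c2FsdA==$" + "A" * 43 + "=:" + "B" * 43 + "="}
```

Running `audit(HBA_SCRAM, MD5_ROLES)` reproduces the first situation in the report (both logins fail), while `audit(HBA_MD5, SCRAM_ROLES)` shows the md5 rule silently negotiating SCRAM for a SCRAM-hashed role.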
Re: BUG #14661: authentication behavior(SCRAM-MD5)

asotolongo
Thanks!!! :D


On 19/05/17 11:47, Heikki Linnakangas wrote:
