scram-sha-256 authentication

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

scram-sha-256 authentication

apt.postgresql.org Repository Update
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/11/auth-password.html
Description:

How do you encode a plain password to the corresponding SCRAM-SHA-256
encryption? Using online tools I obtain a result in a different format the
in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value
starts with "SCRAM-SHA-256$4096:".
Reply | Threaded
Open this post in threaded view
|

Re: scram-sha-256 authentication

Jonathan S. Katz-3
On 1/4/21 12:04 PM, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/11/auth-password.html
> Description:
>
> How do you encode a plain password to the corresponding SCRAM-SHA-256
> encryption? Using online tools I obtain a result in a different format the
> in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value
> starts with "SCRAM-SHA-256$4096:".

It's better to ask these questions in one of the community support
areas[1] as the form on the documentation page is intended for
documentation suggestions/corrections. I will provide some guidance below :)

I am not sure what your end goal is, but there are a few ways to create
the hashed SCRAM verifier:

- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's
PQencryptPasswordConn function[2]
  - Some driver's handle the password hashing independently

If those are not acceptable, I also have a talk that goes through an
example for how to create a SCRAM verifier and what the different parts
mean[3] as well as an example of creating the verifier in Python[4].

In terms of how things start above, i.e. "SCRAM-SHA-256$4096:" that
presents the hashing function to use and the number of iterations to use
to hash the password (similar to PBKDF2). The full verifier has the
following components with the following delimters:

        DIGEST$ITERATIONS:SALT$STORED_KEY:SERVER_KEY

Hope this helps,

Jonathan

[1] https://www.postgresql.org/support/
[2]
https://www.postgresql.org/docs/current/libpq-misc.html#LIBPQ-PQENCRYPTPASSWORDCONN
[3]
https://www2.slideshare.net/jkatz05/get-your-insecure-postgresql-passwords-to-scram
[4] https://gist.github.com/jkatz/e0a1f52f66fa03b732945f6eb94d9c21


OpenPGP_signature (855 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: scram-sha-256 authentication

Michael Paquier-2
On Tue, Jan 05, 2021 at 09:12:58AM -0500, Jonathan S. Katz wrote:
> I am not sure what your end goal is, but there are a few ways to create
> the hashed SCRAM verifier:
>
> - Using the \password flag in "psql"
> - Using one of the connection drivers that interfaces with libpq's
> PQencryptPasswordConn function[2]
>   - Some driver's handle the password hashing independently

Another thing to be careful about is the value of password_encryption
in postgresql.conf.  The default has been changed to scram-sha-256 in
c7eab0e, meaning that this change will be available in Postgres 14~.
But if your environment is using the default configuration of 11, that
may be set to "md5".
--
Michael

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: scram-sha-256 authentication

Sébastien Hoorens
Hi Jonathan and Michael,

Thank you for the quick reply, I will ask my questions in community support areas from now on, my apologies.

Your answers were very helpful. I will use psql’s \password command to set the users’ passwords for me instead of trying to generate and set the encoded password myself. I tried out this solution with success.


Best regards,
Sébastien



On 6 Jan 2021, at 02:57, Michael Paquier <[hidden email]> wrote:

On Tue, Jan 05, 2021 at 09:12:58AM -0500, Jonathan S. Katz wrote:
I am not sure what your end goal is, but there are a few ways to create
the hashed SCRAM verifier:

- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's
PQencryptPasswordConn function[2]
 - Some driver's handle the password hashing independently

Another thing to be careful about is the value of password_encryption
in postgresql.conf.  The default has been changed to scram-sha-256 in
c7eab0e, meaning that this change will be available in Postgres 14~.
But if your environment is using the default configuration of 11, that
may be set to "md5".
--
Michael