- scram
+ scram-sha-256
Perform SCRAM-SHA-256 authentication to verify the user's
# "postgres" if the user's password is correctly supplied.
#
# TYPE DATABASE USER ADDRESS METHOD
-host postgres all 192.168.12.10/32 scram
+host postgres all 192.168.12.10/32 scram-sha-256
# Allow any user from hosts in the example.com domain to connect to
# any database if the user's password is correctly supplied.
#
# TYPE DATABASE USER ADDRESS METHOD
host all mike .example.com md5
-host all all .example.com scram
+host all all .example.com scram-sha-256
# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
- The password-based authentication methods are scram,
+ The password-based authentication methods are scram-sha-256,
md5, and password. These methods operate
similarly except for the way that the password is sent across the
connection.
- scram performs SCRAM-SHA-256 authentication, as described
+ scram-sha-256 performs SCRAM-SHA-256 authentication, as
+ described in
is a challenge-response scheme, that prevents password sniffing on
untrusted connections. It is more secure than the md5
method, but might not be supported by older clients.
protection if an attacker manages to steal the password hash from the
server, and it cannot be used with the
linkend="guc-db-user-namespace"> feature. For all other users,
- md5 works the same as scram.
+ md5 works the same as scram-sha-256.
stores the password as an MD5 hash. Setting this to plain stores
it in plaintext. on and off are also accepted, as
aliases for md5 and plain, respectively. Setting
- this parameter to scram will encrypt the password with
- SCRAM-SHA-256.
+ this parameter to scram-sha-256 will encrypt the password
+ with SCRAM-SHA-256.
dpassword = defel;
if (strcmp(defel->defname, "encryptedPassword") == 0)
{
- if (Password_encryption == PASSWORD_TYPE_SCRAM)
- password_type = PASSWORD_TYPE_SCRAM;
+ if (Password_encryption == PASSWORD_TYPE_SCRAM_SHA_256)
+ password_type = PASSWORD_TYPE_SCRAM_SHA_256;
else
password_type = PASSWORD_TYPE_MD5;
}
dpassword = defel;
if (strcmp(defel->defname, "encryptedPassword") == 0)
{
- if (Password_encryption == PASSWORD_TYPE_SCRAM)
- password_type = PASSWORD_TYPE_SCRAM;
+ if (Password_encryption == PASSWORD_TYPE_SCRAM_SHA_256)
+ password_type = PASSWORD_TYPE_SCRAM_SHA_256;
else
password_type = PASSWORD_TYPE_MD5;
}
{
int password_type = get_password_type(shadow_pass);
- if (password_type == PASSWORD_TYPE_SCRAM)
+ if (password_type == PASSWORD_TYPE_SCRAM_SHA_256)
{
if (parse_scram_verifier(shadow_pass, &state->salt, &state->iterations,
state->StoredKey, state->ServerKey))
/*----------------------------------------------------------------
- * Password-based authentication methods (password, md5, and scram)
+ * Password-based authentication methods (password, md5, and scram-sha-256)
*----------------------------------------------------------------
*/
static int CheckPasswordAuth(Port *port, char **logdetail);
* If the user does not exist, or has no password, we still go through the
* motions of authentication, to avoid revealing to the client that the
* user didn't exist. If 'md5' is allowed, we choose whether to use 'md5'
- * or 'scram' authentication based on current password_encryption setting.
- * The idea is that most genuine users probably have a password of that
- * type, if we pretend that this user had a password of that type, too, it
- * "blends in" best.
+ * or 'scram-sha-256' authentication based on current password_encryption
+ * setting. The idea is that most genuine users probably have a password
+ * of that type, if we pretend that this user had a password of that type,
+ * too, it "blends in" best.
*
* If the user had a password, but it was expired, we'll use the details
* of the expired password for the authentication, but report it as
/*
* If 'md5' authentication is allowed, decide whether to perform 'md5' or
- * 'scram' authentication based on the type of password the user has. If
- * it's an MD5 hash, we must do MD5 authentication, and if it's a SCRAM
- * verifier, we must do SCRAM authentication. If it's stored in
+ * 'scram-sha-256' authentication based on the type of password the user
+ * has. If it's an MD5 hash, we must do MD5 authentication, and if it's
+ * a SCRAM verifier, we must do SCRAM authentication. If it's stored in
* plaintext, we could do either one, so we opt for the more secure
* mechanism, SCRAM.
*
if (strncmp(shadow_pass, "md5", 3) == 0 && strlen(shadow_pass) == MD5_PASSWD_LEN)
return PASSWORD_TYPE_MD5;
if (strncmp(shadow_pass, "scram-sha-256:", strlen("scram-sha-256:")) == 0)
- return PASSWORD_TYPE_SCRAM;
+ return PASSWORD_TYPE_SCRAM_SHA_256;
return PASSWORD_TYPE_PLAINTEXT;
}
elog(ERROR, "password encryption failed");
return encrypted_password;
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
/*
* cannot convert a SCRAM verifier to an MD5 hash, so fall
}
break;
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
switch (guessed_type)
{
case PASSWORD_TYPE_PLAINTEXT:
* cannot convert an MD5 hash to a SCRAM verifier, so fall
* through to save the MD5 hash instead.
*/
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
return pstrdup(password);
}
break;
*/
switch (get_password_type(shadow_pass))
{
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
if (scram_verify_plain_password(role,
client_pass,
shadow_pass))
"ident",
"password",
"md5",
- "scram",
+ "scram-sha256",
"gss",
"sspi",
"pam",
}
parsedline->auth_method = uaMD5;
}
- else if (strcmp(token->string, "scram") == 0)
+ else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
#ifdef USE_PAM
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
-# METHOD can be "trust", "reject", "md5", "password", "scram", "gss",
-# "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
-# "password" sends passwords in clear text; "md5" or "scram" are preferred
-# since they send encrypted passwords.
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
static const struct config_enum_entry password_encryption_options[] = {
{"plain", PASSWORD_TYPE_PLAINTEXT, false},
{"md5", PASSWORD_TYPE_MD5, false},
- {"scram", PASSWORD_TYPE_SCRAM, false},
+ {"scram-sha-256", PASSWORD_TYPE_SCRAM_SHA_256, false},
{"off", PASSWORD_TYPE_PLAINTEXT, false},
{"on", PASSWORD_TYPE_MD5, false},
{"true", PASSWORD_TYPE_MD5, true},
extern const char *select_default_timezone(const char *share_path);
static const char *const auth_methods_host[] = {
- "trust", "reject", "md5", "password", "scram", "ident", "radius",
+ "trust", "reject", "scram-sha-256", "md5", "password", "ident", "radius",
#ifdef ENABLE_GSS
"gss",
#endif
NULL
};
static const char *const auth_methods_local[] = {
- "trust", "reject", "md5", "scram", "password", "peer", "radius",
+ "trust", "reject", "scram-sha-256", "md5", "password", "peer", "radius",
#ifdef USE_PAM
"pam", "pam ",
#endif
"#update_process_title = off");
#endif
- if (strcmp(authmethodlocal, "scram") == 0 ||
- strcmp(authmethodhost, "scram") == 0)
+ if (strcmp(authmethodlocal, "scram-sha-256") == 0 ||
+ strcmp(authmethodhost, "scram-sha-256") == 0)
{
conflines = replace_token(conflines,
"#password_encryption = md5",
- "password_encryption = scram");
+ "password_encryption = scram-sha-256");
}
snprintf(path, sizeof(path), "%s/postgresql.conf", pg_data);
{
if ((strcmp(authmethodlocal, "md5") == 0 ||
strcmp(authmethodlocal, "password") == 0 ||
- strcmp(authmethodlocal, "scram") == 0) &&
+ strcmp(authmethodlocal, "scram-sha-256") == 0) &&
(strcmp(authmethodhost, "md5") == 0 ||
strcmp(authmethodhost, "password") == 0 ||
- strcmp(authmethodhost, "scram") == 0) &&
+ strcmp(authmethodhost, "scram-sha-256") == 0) &&
!(pwprompt || pwfilename))
{
fprintf(stderr, _("%s: must specify a password for the superuser to enable %s authentication\n"), progname,
(strcmp(authmethodlocal, "md5") == 0 ||
strcmp(authmethodlocal, "password") == 0 ||
- strcmp(authmethodlocal, "scram") == 0)
+ strcmp(authmethodlocal, "scram-sha-256") == 0)
? authmethodlocal
: authmethodhost);
exit(1);
{
PASSWORD_TYPE_PLAINTEXT = 0,
PASSWORD_TYPE_MD5,
- PASSWORD_TYPE_SCRAM
+ PASSWORD_TYPE_SCRAM_SHA_256
} PasswordType;
extern PasswordType get_password_type(const char *shadow_pass);
# Create 3 roles with different password methods for each one. The same
# password is used for all of them.
- $node->safe_psql('postgres', "SET password_encryption='scram'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';");
+ $node->safe_psql('postgres', "SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';");
$node->safe_psql('postgres', "SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';");
$node->safe_psql('postgres', "SET password_encryption='plain'; CREATE ROLE plain_role LOGIN PASSWORD 'pass';");
$ENV{"PGPASSWORD"} = 'pass';
test_role($node, 'md5_role', 'password', 0);
test_role($node, 'plain_role', 'password', 0);
- # For "scram" method, user "plain_role" and "scram_role" should be able to
- # connect.
- reset_pg_hba($node, 'scram');
- test_role($node, 'scram_role', 'scram', 0);
- test_role($node, 'md5_role', 'scram', 2);
- test_role($node, 'plain_role', 'scram', 0);
+ # For "scram-sha-256" method, user "plain_role" and "scram_role" should
+ # be able to connect.
+ reset_pg_hba($node, 'scram-sha-256');
+ test_role($node, 'scram_role', 'scram-sha-256', 0);
+ test_role($node, 'md5_role', 'scram-sha-256', 2);
+ test_role($node, 'plain_role', 'scram-sha-256', 0);
# For "md5" method, all users should be able to connect (SCRAM
# authentication will be performed for the user with a scram verifier.)
# Create test roles.
$node->safe_psql('postgres',
-"SET password_encryption='scram';
+"SET password_encryption='scram-sha-256';
SET client_encoding='utf8';
CREATE ROLE saslpreptest1_role LOGIN PASSWORD 'IX';
CREATE ROLE saslpreptest4a_role LOGIN PASSWORD 'a';
");
# Require password from now on.
- reset_pg_hba($node, 'scram');
+ reset_pg_hba($node, 'scram-sha-256');
# Check that #1 and #5 are treated the same as just 'IX'
test_login($node, 'saslpreptest1_role', "I\xc2\xadX", 0);
-- Tests for GUC password_encryption
SET password_encryption = 'novalue'; -- error
ERROR: invalid value for parameter "password_encryption": "novalue"
-HINT: Available values: plain, md5, scram, off, on.
+HINT: Available values: plain, md5, scram-sha-256, off, on.
SET password_encryption = true; -- ok
SET password_encryption = 'md5'; -- ok
SET password_encryption = 'plain'; -- ok
-SET password_encryption = 'scram'; -- ok
+SET password_encryption = 'scram-sha-256'; -- ok
-- consistency of password entries
SET password_encryption = 'plain';
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
SET password_encryption = 'on';
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
CREATE ROLE regress_passwd4 PASSWORD 'role_pwd4';
SET password_encryption = 'plain';
CREATE ROLE regress_passwd5 PASSWORD NULL;
SET password_encryption = 'md5';
ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
ALTER ROLE regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1::\3::') as rolpassword_masked
SET password_encryption = true; -- ok
SET password_encryption = 'md5'; -- ok
SET password_encryption = 'plain'; -- ok
-SET password_encryption = 'scram'; -- ok
+SET password_encryption = 'scram-sha-256'; -- ok
-- consistency of password entries
SET password_encryption = 'plain';
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
SET password_encryption = 'on';
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
CREATE ROLE regress_passwd4 PASSWORD 'role_pwd4';
SET password_encryption = 'plain';
CREATE ROLE regress_passwd5 PASSWORD NULL;
ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
ALTER ROLE regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
projects / postgresql.git / commitdiff