</varlistentry>
<varlistentry>
- <term><literal>scram</></term>
+ <term><literal>scram-sha-256</></term>
<listitem>
<para>
Perform SCRAM-SHA-256 authentication to verify the user's
# "postgres" if the user's password is correctly supplied.
#
# TYPE DATABASE USER ADDRESS METHOD
-host postgres all 192.168.12.10/32 scram
+host postgres all 192.168.12.10/32 scram-sha-256
# Allow any user from hosts in the example.com domain to connect to
# any database if the user's password is correctly supplied.
#
# TYPE DATABASE USER ADDRESS METHOD
host all mike .example.com md5
-host all all .example.com scram
+host all all .example.com scram-sha-256
# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
</indexterm>
<para>
- The password-based authentication methods are <literal>scram</>,
+ The password-based authentication methods are <literal>scram-sha-256</>,
<literal>md5</>, and <literal>password</>. These methods operate
similarly except for the way that the password is sent across the
connection.
<para>
- <literal>scram</> performs SCRAM-SHA-256 authentication, as described
- in <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
+ <literal>scram-sha-256</> performs SCRAM-SHA-256 authentication, as
+ described in
+ <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
is a challenge-response scheme, that prevents password sniffing on
untrusted connections. It is more secure than the <literal>md5</>
method, but might not be supported by older clients.
protection if an attacker manages to steal the password hash from the
server, and it cannot be used with the <xref
linkend="guc-db-user-namespace"> feature. For all other users,
- <literal>md5</> works the same as <literal>scram</>.
+ <literal>md5</> works the same as <literal>scram-sha-256</>.
</para>
<para>
stores the password as an MD5 hash. Setting this to <literal>plain</> stores
it in plaintext. <literal>on</> and <literal>off</> are also accepted, as
aliases for <literal>md5</> and <literal>plain</>, respectively. Setting
- this parameter to <literal>scram</> will encrypt the password with
- SCRAM-SHA-256.
+ this parameter to <literal>scram-sha-256</> will encrypt the password
+ with SCRAM-SHA-256.
</para>
</listitem>
</varlistentry>
dpassword = defel;
if (strcmp(defel->defname, "encryptedPassword") == 0)
{
- if (Password_encryption == PASSWORD_TYPE_SCRAM)
- password_type = PASSWORD_TYPE_SCRAM;
+ if (Password_encryption == PASSWORD_TYPE_SCRAM_SHA_256)
+ password_type = PASSWORD_TYPE_SCRAM_SHA_256;
else
password_type = PASSWORD_TYPE_MD5;
}
dpassword = defel;
if (strcmp(defel->defname, "encryptedPassword") == 0)
{
- if (Password_encryption == PASSWORD_TYPE_SCRAM)
- password_type = PASSWORD_TYPE_SCRAM;
+ if (Password_encryption == PASSWORD_TYPE_SCRAM_SHA_256)
+ password_type = PASSWORD_TYPE_SCRAM_SHA_256;
else
password_type = PASSWORD_TYPE_MD5;
}
{
int password_type = get_password_type(shadow_pass);
- if (password_type == PASSWORD_TYPE_SCRAM)
+ if (password_type == PASSWORD_TYPE_SCRAM_SHA_256)
{
if (parse_scram_verifier(shadow_pass, &state->salt, &state->iterations,
state->StoredKey, state->ServerKey))
/*----------------------------------------------------------------
- * Password-based authentication methods (password, md5, and scram)
+ * Password-based authentication methods (password, md5, and scram-sha-256)
*----------------------------------------------------------------
*/
static int CheckPasswordAuth(Port *port, char **logdetail);
* If the user does not exist, or has no password, we still go through the
* motions of authentication, to avoid revealing to the client that the
* user didn't exist. If 'md5' is allowed, we choose whether to use 'md5'
- * or 'scram' authentication based on current password_encryption setting.
- * The idea is that most genuine users probably have a password of that
- * type, if we pretend that this user had a password of that type, too, it
- * "blends in" best.
+ * or 'scram-sha-256' authentication based on current password_encryption
+ * setting. The idea is that most genuine users probably have a password
+ * of that type, if we pretend that this user had a password of that type,
+ * too, it "blends in" best.
*
* If the user had a password, but it was expired, we'll use the details
* of the expired password for the authentication, but report it as
/*
* If 'md5' authentication is allowed, decide whether to perform 'md5' or
- * 'scram' authentication based on the type of password the user has. If
- * it's an MD5 hash, we must do MD5 authentication, and if it's a SCRAM
- * verifier, we must do SCRAM authentication. If it's stored in
+ * 'scram-sha-256' authentication based on the type of password the user
+ * has. If it's an MD5 hash, we must do MD5 authentication, and if it's
+ * a SCRAM verifier, we must do SCRAM authentication. If it's stored in
* plaintext, we could do either one, so we opt for the more secure
* mechanism, SCRAM.
*
if (strncmp(shadow_pass, "md5", 3) == 0 && strlen(shadow_pass) == MD5_PASSWD_LEN)
return PASSWORD_TYPE_MD5;
if (strncmp(shadow_pass, "scram-sha-256:", strlen("scram-sha-256:")) == 0)
- return PASSWORD_TYPE_SCRAM;
+ return PASSWORD_TYPE_SCRAM_SHA_256;
return PASSWORD_TYPE_PLAINTEXT;
}
elog(ERROR, "password encryption failed");
return encrypted_password;
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
/*
* cannot convert a SCRAM verifier to an MD5 hash, so fall
}
break;
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
switch (guessed_type)
{
case PASSWORD_TYPE_PLAINTEXT:
* cannot convert an MD5 hash to a SCRAM verifier, so fall
* through to save the MD5 hash instead.
*/
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
return pstrdup(password);
}
break;
*/
switch (get_password_type(shadow_pass))
{
- case PASSWORD_TYPE_SCRAM:
+ case PASSWORD_TYPE_SCRAM_SHA_256:
if (scram_verify_plain_password(role,
client_pass,
shadow_pass))
"ident",
"password",
"md5",
- "scram",
+ "scram-sha256",
"gss",
"sspi",
"pam",
}
parsedline->auth_method = uaMD5;
}
- else if (strcmp(token->string, "scram") == 0)
+ else if (strcmp(token->string, "scram-sha-256") == 0)
parsedline->auth_method = uaSCRAM;
else if (strcmp(token->string, "pam") == 0)
#ifdef USE_PAM
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
-# METHOD can be "trust", "reject", "md5", "password", "scram", "gss",
-# "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
-# "password" sends passwords in clear text; "md5" or "scram" are preferred
-# since they send encrypted passwords.
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
static const struct config_enum_entry password_encryption_options[] = {
{"plain", PASSWORD_TYPE_PLAINTEXT, false},
{"md5", PASSWORD_TYPE_MD5, false},
- {"scram", PASSWORD_TYPE_SCRAM, false},
+ {"scram-sha-256", PASSWORD_TYPE_SCRAM_SHA_256, false},
{"off", PASSWORD_TYPE_PLAINTEXT, false},
{"on", PASSWORD_TYPE_MD5, false},
{"true", PASSWORD_TYPE_MD5, true},
extern const char *select_default_timezone(const char *share_path);
static const char *const auth_methods_host[] = {
- "trust", "reject", "md5", "password", "scram", "ident", "radius",
+ "trust", "reject", "scram-sha-256", "md5", "password", "ident", "radius",
#ifdef ENABLE_GSS
"gss",
#endif
NULL
};
static const char *const auth_methods_local[] = {
- "trust", "reject", "md5", "scram", "password", "peer", "radius",
+ "trust", "reject", "scram-sha-256", "md5", "password", "peer", "radius",
#ifdef USE_PAM
"pam", "pam ",
#endif
"#update_process_title = off");
#endif
- if (strcmp(authmethodlocal, "scram") == 0 ||
- strcmp(authmethodhost, "scram") == 0)
+ if (strcmp(authmethodlocal, "scram-sha-256") == 0 ||
+ strcmp(authmethodhost, "scram-sha-256") == 0)
{
conflines = replace_token(conflines,
"#password_encryption = md5",
- "password_encryption = scram");
+ "password_encryption = scram-sha-256");
}
snprintf(path, sizeof(path), "%s/postgresql.conf", pg_data);
{
if ((strcmp(authmethodlocal, "md5") == 0 ||
strcmp(authmethodlocal, "password") == 0 ||
- strcmp(authmethodlocal, "scram") == 0) &&
+ strcmp(authmethodlocal, "scram-sha-256") == 0) &&
(strcmp(authmethodhost, "md5") == 0 ||
strcmp(authmethodhost, "password") == 0 ||
- strcmp(authmethodhost, "scram") == 0) &&
+ strcmp(authmethodhost, "scram-sha-256") == 0) &&
!(pwprompt || pwfilename))
{
fprintf(stderr, _("%s: must specify a password for the superuser to enable %s authentication\n"), progname,
(strcmp(authmethodlocal, "md5") == 0 ||
strcmp(authmethodlocal, "password") == 0 ||
- strcmp(authmethodlocal, "scram") == 0)
+ strcmp(authmethodlocal, "scram-sha-256") == 0)
? authmethodlocal
: authmethodhost);
exit(1);
{
PASSWORD_TYPE_PLAINTEXT = 0,
PASSWORD_TYPE_MD5,
- PASSWORD_TYPE_SCRAM
+ PASSWORD_TYPE_SCRAM_SHA_256
} PasswordType;
extern PasswordType get_password_type(const char *shadow_pass);
# Create 3 roles with different password methods for each one. The same
# password is used for all of them.
- $node->safe_psql('postgres', "SET password_encryption='scram'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';");
+ $node->safe_psql('postgres', "SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';");
$node->safe_psql('postgres', "SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';");
$node->safe_psql('postgres', "SET password_encryption='plain'; CREATE ROLE plain_role LOGIN PASSWORD 'pass';");
$ENV{"PGPASSWORD"} = 'pass';
test_role($node, 'md5_role', 'password', 0);
test_role($node, 'plain_role', 'password', 0);
- # For "scram" method, user "plain_role" and "scram_role" should be able to
- # connect.
- reset_pg_hba($node, 'scram');
- test_role($node, 'scram_role', 'scram', 0);
- test_role($node, 'md5_role', 'scram', 2);
- test_role($node, 'plain_role', 'scram', 0);
+ # For "scram-sha-256" method, user "plain_role" and "scram_role" should
+ # be able to connect.
+ reset_pg_hba($node, 'scram-sha-256');
+ test_role($node, 'scram_role', 'scram-sha-256', 0);
+ test_role($node, 'md5_role', 'scram-sha-256', 2);
+ test_role($node, 'plain_role', 'scram-sha-256', 0);
# For "md5" method, all users should be able to connect (SCRAM
# authentication will be performed for the user with a scram verifier.)
# Create test roles.
$node->safe_psql('postgres',
-"SET password_encryption='scram';
+"SET password_encryption='scram-sha-256';
SET client_encoding='utf8';
CREATE ROLE saslpreptest1_role LOGIN PASSWORD 'IX';
CREATE ROLE saslpreptest4a_role LOGIN PASSWORD 'a';
");
# Require password from now on.
- reset_pg_hba($node, 'scram');
+ reset_pg_hba($node, 'scram-sha-256');
# Check that #1 and #5 are treated the same as just 'IX'
test_login($node, 'saslpreptest1_role', "I\xc2\xadX", 0);
-- Tests for GUC password_encryption
SET password_encryption = 'novalue'; -- error
ERROR: invalid value for parameter "password_encryption": "novalue"
-HINT: Available values: plain, md5, scram, off, on.
+HINT: Available values: plain, md5, scram-sha-256, off, on.
SET password_encryption = true; -- ok
SET password_encryption = 'md5'; -- ok
SET password_encryption = 'plain'; -- ok
-SET password_encryption = 'scram'; -- ok
+SET password_encryption = 'scram-sha-256'; -- ok
-- consistency of password entries
SET password_encryption = 'plain';
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
SET password_encryption = 'on';
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
CREATE ROLE regress_passwd4 PASSWORD 'role_pwd4';
SET password_encryption = 'plain';
CREATE ROLE regress_passwd5 PASSWORD NULL;
SET password_encryption = 'md5';
ALTER ROLE regress_passwd3 ENCRYPTED PASSWORD 'foo'; -- encrypted with MD5
ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
ALTER ROLE regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
SELECT rolname, regexp_replace(rolpassword, '(scram-sha-256):([a-zA-Z0-9+/]+==):(\d+):(\w+):(\w+)', '\1:<salt>:\3:<storedkey>:<serverkey>') as rolpassword_masked
SET password_encryption = true; -- ok
SET password_encryption = 'md5'; -- ok
SET password_encryption = 'plain'; -- ok
-SET password_encryption = 'scram'; -- ok
+SET password_encryption = 'scram-sha-256'; -- ok
-- consistency of password entries
SET password_encryption = 'plain';
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
SET password_encryption = 'on';
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
CREATE ROLE regress_passwd4 PASSWORD 'role_pwd4';
SET password_encryption = 'plain';
CREATE ROLE regress_passwd5 PASSWORD NULL;
ALTER ROLE regress_passwd4 ENCRYPTED PASSWORD 'scram-sha-256:VLK4RMaQLCvNtQ==:4096:3ded2376f7aafa93b1bdbd71bcc18b7d6ee50ed018029cc583d152ef3fc7d430:a6dd36dfc94c181956a6ae95f05e01b1864f0a22a2657d1de4ba84d2a24dc438'; -- client-supplied SCRAM verifier, use as it is
-SET password_encryption = 'scram';
+SET password_encryption = 'scram-sha-256';
ALTER ROLE regress_passwd5 ENCRYPTED PASSWORD 'foo'; -- create SCRAM verifier
CREATE ROLE regress_passwd6 ENCRYPTED PASSWORD 'md53725413363ab045e20521bf36b8d8d7f'; -- encrypted with MD5, use as it is
projects / postgresql.git / commitdiff