mirror of
https://github.com/postgres/postgres.git
synced 2025-07-27 12:41:57 +03:00
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
Per discussion, plain "scram" is confusing because we actually implement SCRAM-SHA-256 rather than the original SCRAM that uses SHA-1 as the hash algorithm. If we add support for SCRAM-SHA-512 or some other mechanism in the SCRAM family in the future, that would become even more confusing.

Most of the internal files and functions still use just "scram" as a shorthand for SCRAM-SHA-256, but I did change PASSWORD_TYPE_SCRAM to PASSWORD_TYPE_SCRAM_SHA_256, as that could potentially be used by 3rd party extensions that hook into the password-check hook.

Michael Paquier did this in an earlier version of the SCRAM patch set already, but I didn't include that in the version that was committed.

Discussion: https://www.postgresql.org/message-id/fde71ff1-5858-90c8-99a9-1c2427e7bafb@iki.fi
@ -412,7 +412,7 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</varlistentry>
<varlistentry>
<term><literal>scram</></term>
<term><literal>scram-sha-256</></term>
<listitem>
<para>
Perform SCRAM-SHA-256 authentication to verify the user's
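Review bot: The renamed entry does not say whether plain `scram` remains accepted as a method keyword or is now rejected; since this hunk only changes the `<term>`, consider adding one sentence stating that the old name is no longer valid (or that it is kept as an alias), so an administrator reloading a pg_hba.conf written against the earlier keyword knows what to expect.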
@ -683,7 +683,7 @@ host postgres all 192.168.93.0/24 ident
# "postgres" if the user's password is correctly supplied.
#
# TYPE DATABASE USER ADDRESS METHOD
host postgres all 192.168.12.10/32 scram
host postgres all 192.168.12.10/32 scram-sha-256
# Allow any user from hosts in the example.com domain to connect to
# any database if the user's password is correctly supplied.
@ -694,7 +694,7 @@ host postgres all 192.168.12.10/32 scram
#
# TYPE DATABASE USER ADDRESS METHOD
host all mike .example.com md5
host all all .example.com scram
host all all .example.com scram-sha-256
# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
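Review bot: The sample keeps `mike` on `md5` while every other user from `.example.com` moves to `scram-sha-256`, but the comment above it only explains which hosts may connect. A short comment that the first matching line wins, so the per-user `md5` line has to stay above the catch-all `scram-sha-256` line, would explain why the two lines are ordered this way and why `mike` is treated differently.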
@ -922,7 +922,7 @@ omicron bryanh guest1
</indexterm>
<para>
The password-based authentication methods are <literal>scram</>,
The password-based authentication methods are <literal>scram-sha-256</>,
<literal>md5</>, and <literal>password</>. These methods operate
similarly except for the way that the password is sent across the
connection.
@ -939,8 +939,9 @@ omicron bryanh guest1
<para>
<literal>scram</> performs SCRAM-SHA-256 authentication, as described
in <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
<literal>scram-sha-256</> performs SCRAM-SHA-256 authentication, as
described in
<ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
is a challenge-response scheme, that prevents password sniffing on
untrusted connections. It is more secure than the <literal>md5</>
method, but might not be supported by older clients.
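Review bot: The rewrapped sentence still cites only RFC 5802 for SCRAM-SHA-256, yet RFC 5802 defines the SCRAM framework with SHA-1 as its hash, which is exactly the confusion the commit message says this rename is meant to remove; the SCRAM-SHA-256 mechanism itself is specified in RFC 7677. Suggest adding `<ulink url="https://tools.ietf.org/html/rfc7677">RFC7677</ulink>` beside the existing link. Minor: "a challenge-response scheme, that prevents password sniffing" should lose the comma.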
@ -953,7 +954,7 @@ omicron bryanh guest1
protection if an attacker manages to steal the password hash from the
server, and it cannot be used with the <xref
linkend="guc-db-user-namespace"> feature. For all other users,
<literal>md5</> works the same as <literal>scram</>.
<literal>md5</> works the same as <literal>scram-sha-256</>.
</para>
<para>
@ -1194,8 +1194,8 @@ include_dir 'conf.d'
stores the password as an MD5 hash. Setting this to <literal>plain</> stores
it in plaintext. <literal>on</> and <literal>off</> are also accepted, as
aliases for <literal>md5</> and <literal>plain</>, respectively. Setting
this parameter to <literal>scram</> will encrypt the password with
SCRAM-SHA-256.
this parameter to <literal>scram-sha-256</> will encrypt the password
with SCRAM-SHA-256.
</para>
</listitem>
</varlistentry>
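Review bot: "will encrypt the password with SCRAM-SHA-256" is inaccurate wording: two lines above, the same paragraph says the `md5` setting "stores the password as an MD5 hash", and the `scram-sha-256` setting likewise stores a verifier derived from the password, not an encrypted copy that could be recovered with a key. Suggest "stores the password as a SCRAM-SHA-256 verifier" so the two settings are described in parallel; the parameter name `password_encryption` is a historical misnomer the description need not repeat.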