database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-30 11:03:19 +03:00
Code Activity

Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.

Browse Source 
Per discussion, plain "scram" is confusing because we actually implement
SCRAM-SHA-256 rather than the original SCRAM that uses SHA-1 as the hash
algorithm. If we add support for SCRAM-SHA-512 or some other mechanism in
the SCRAM family in the future, that would become even more confusing.

Most of the internal files and functions still use just "scram" as a
shorthand for SCRMA-SHA-256, but I did change PASSWORD_TYPE_SCRAM to
PASSWORD_TYPE_SCRAM_SHA_256, as that could potentially be used by 3rd
party extensions that hook into the password-check hook.

Michael Paquier did this in an earlier version of the SCRAM patch set
already, but I didn't include that in the version that was committed.

Discussion: https://www.postgresql.org/message-id/fde71ff1-5858-90c8-99a9-1c2427e7bafb@iki.fi
This commit is contained in:
Heikki Linnakangas
2017-04-18 14:50:50 +03:00
parent 123aaffb5b
commit c727f120ff
15 changed files with 60 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
doc/src/sgml/client-auth.sgml
View File

@ -412,7 +412,7 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</varlistentry>
<varlistentry>
<term><literal>scram</></term>
<term><literal>scram-sha-256</></term>
<listitem>
<para>
Perform SCRAM-SHA-256 authentication to verify the user's
@ -683,7 +683,7 @@ host postgres all 192.168.93.0/24 ident
# "postgres" if the user's password is correctly supplied.
#
# TYPE DATABASE USER ADDRESS METHOD
host postgres all 192.168.12.10/32 scram
host postgres all 192.168.12.10/32 scram-sha-256
# Allow any user from hosts in the example.com domain to connect to
# any database if the user's password is correctly supplied.
@ -694,7 +694,7 @@ host postgres all 192.168.12.10/32 scram
#
# TYPE DATABASE USER ADDRESS METHOD
host all mike .example.com md5
host all all .example.com scram
host all all .example.com scram-sha-256
# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
@ -922,7 +922,7 @@ omicron bryanh guest1
</indexterm>
<para>
The password-based authentication methods are <literal>scram</>,
The password-based authentication methods are <literal>scram-sha-256</>,
<literal>md5</>, and <literal>password</>. These methods operate
similarly except for the way that the password is sent across the
connection.
@ -939,8 +939,9 @@ omicron bryanh guest1
<para>
<literal>scram</> performs SCRAM-SHA-256 authentication, as described
in <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
<literal>scram-sha-256</> performs SCRAM-SHA-256 authentication, as
described in
<ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
is a challenge-response scheme, that prevents password sniffing on
untrusted connections. It is more secure than the <literal>md5</>
method, but might not be supported by older clients.
@ -953,7 +954,7 @@ omicron bryanh guest1
protection if an attacker manages to steal the password hash from the
server, and it cannot be used with the <xref
linkend="guc-db-user-namespace"> feature. For all other users,
<literal>md5</> works the same as <literal>scram</>.
<literal>md5</> works the same as <literal>scram-sha-256</>.
</para>
<para>

4
doc/src/sgml/config.sgml
View File

@ -1194,8 +1194,8 @@ include_dir 'conf.d'
stores the password as an MD5 hash. Setting this to <literal>plain</> stores
it in plaintext. <literal>on</> and <literal>off</> are also accepted, as
aliases for <literal>md5</> and <literal>plain</>, respectively. Setting
this parameter to <literal>scram</> will encrypt the password with
SCRAM-SHA-256.
this parameter to <literal>scram-sha-256</> will encrypt the password
with SCRAM-SHA-256.
</para>
</listitem>
</varlistentry>