Change default of password_encryption to scram-sha-256
Also, the legacy values on/true/yes/1 for password_encryption that mapped to md5 are removed. The only valid values are now scram-sha-256 and md5. Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org> Discussion: https://www.postgresql.org/message-id/flat/d5b0ad33-7d94-bdd1-caac-43a1c782cab2%402ndquadrant.com
This commit is contained in:
parent
5a4ada71a8
commit
c7eab0e97e
|
@ -1013,11 +1013,11 @@ include_dir 'conf.d'
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
When a password is specified in <xref linkend="sql-createrole"/> or
|
When a password is specified in <xref linkend="sql-createrole"/> or
|
||||||
<xref linkend="sql-alterrole"/>, this parameter determines the algorithm
|
<xref linkend="sql-alterrole"/>, this parameter determines the
|
||||||
to use to encrypt the password. The default value is <literal>md5</literal>,
|
algorithm to use to encrypt the password. Possible values are
|
||||||
which stores the password as an MD5 hash (<literal>on</literal> is also
|
<literal>scram-sha-256</literal>, which will encrypt the password with
|
||||||
accepted, as alias for <literal>md5</literal>). Setting this parameter to
|
SCRAM-SHA-256, and <literal>md5</literal>, which stores the password
|
||||||
<literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256.
|
as an MD5 hash. The default is <literal>scram-sha-256</literal>.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note that older clients might lack support for the SCRAM authentication
|
Note that older clients might lack support for the SCRAM authentication
|
||||||
|
|
|
@ -43,7 +43,7 @@ Oid binary_upgrade_next_pg_authid_oid = InvalidOid;
|
||||||
|
|
||||||
|
|
||||||
/* GUC parameter */
|
/* GUC parameter */
|
||||||
int Password_encryption = PASSWORD_TYPE_MD5;
|
int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
|
||||||
|
|
||||||
/* Hook to check passwords in CreateRole() and AlterRole() */
|
/* Hook to check passwords in CreateRole() and AlterRole() */
|
||||||
check_password_hook_type check_password_hook = NULL;
|
check_password_hook_type check_password_hook = NULL;
|
||||||
|
|
|
@ -463,18 +463,9 @@ static const struct config_enum_entry plan_cache_mode_options[] = {
|
||||||
{NULL, 0, false}
|
{NULL, 0, false}
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
|
||||||
* password_encryption used to be a boolean, so accept all the likely
|
|
||||||
* variants of "on", too. "off" used to store passwords in plaintext,
|
|
||||||
* but we don't support that anymore.
|
|
||||||
*/
|
|
||||||
static const struct config_enum_entry password_encryption_options[] = {
|
static const struct config_enum_entry password_encryption_options[] = {
|
||||||
{"md5", PASSWORD_TYPE_MD5, false},
|
{"md5", PASSWORD_TYPE_MD5, false},
|
||||||
{"scram-sha-256", PASSWORD_TYPE_SCRAM_SHA_256, false},
|
{"scram-sha-256", PASSWORD_TYPE_SCRAM_SHA_256, false},
|
||||||
{"on", PASSWORD_TYPE_MD5, true},
|
|
||||||
{"true", PASSWORD_TYPE_MD5, true},
|
|
||||||
{"yes", PASSWORD_TYPE_MD5, true},
|
|
||||||
{"1", PASSWORD_TYPE_MD5, true},
|
|
||||||
{NULL, 0, false}
|
{NULL, 0, false}
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -4733,7 +4724,7 @@ static struct config_enum ConfigureNamesEnum[] =
|
||||||
NULL
|
NULL
|
||||||
},
|
},
|
||||||
&Password_encryption,
|
&Password_encryption,
|
||||||
PASSWORD_TYPE_MD5, password_encryption_options,
|
PASSWORD_TYPE_SCRAM_SHA_256, password_encryption_options,
|
||||||
NULL, NULL, NULL
|
NULL, NULL, NULL
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
@ -88,7 +88,7 @@
|
||||||
# - Authentication -
|
# - Authentication -
|
||||||
|
|
||||||
#authentication_timeout = 1min # 1s-600s
|
#authentication_timeout = 1min # 1s-600s
|
||||||
#password_encryption = md5 # md5 or scram-sha-256
|
#password_encryption = scram-sha-256 # scram-sha-256 or md5
|
||||||
#db_user_namespace = off
|
#db_user_namespace = off
|
||||||
|
|
||||||
# GSSAPI using Kerberos
|
# GSSAPI using Kerberos
|
||||||
|
|
|
@ -1204,12 +1204,18 @@ setup_config(void)
|
||||||
"#update_process_title = off");
|
"#update_process_title = off");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (strcmp(authmethodlocal, "scram-sha-256") == 0 ||
|
/*
|
||||||
strcmp(authmethodhost, "scram-sha-256") == 0)
|
* Change password_encryption setting to md5 if md5 was chosen as an
|
||||||
|
* authentication method, unless scram-sha-256 was also chosen.
|
||||||
|
*/
|
||||||
|
if ((strcmp(authmethodlocal, "md5") == 0 &&
|
||||||
|
strcmp(authmethodhost, "scram-sha-256") != 0) ||
|
||||||
|
(strcmp(authmethodhost, "md5") == 0 &&
|
||||||
|
strcmp(authmethodlocal, "scram-sha-256") != 0))
|
||||||
{
|
{
|
||||||
conflines = replace_token(conflines,
|
conflines = replace_token(conflines,
|
||||||
"#password_encryption = md5",
|
"#password_encryption = scram-sha-256",
|
||||||
"password_encryption = scram-sha-256");
|
"password_encryption = md5");
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -2373,12 +2379,7 @@ check_need_password(const char *authmethodlocal, const char *authmethodhost)
|
||||||
strcmp(authmethodhost, "scram-sha-256") == 0) &&
|
strcmp(authmethodhost, "scram-sha-256") == 0) &&
|
||||||
!(pwprompt || pwfilename))
|
!(pwprompt || pwfilename))
|
||||||
{
|
{
|
||||||
pg_log_error("must specify a password for the superuser to enable %s authentication",
|
pg_log_error("must specify a password for the superuser to enable password authentication");
|
||||||
(strcmp(authmethodlocal, "md5") == 0 ||
|
|
||||||
strcmp(authmethodlocal, "password") == 0 ||
|
|
||||||
strcmp(authmethodlocal, "scram-sha-256") == 0)
|
|
||||||
? authmethodlocal
|
|
||||||
: authmethodhost);
|
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,13 +5,14 @@
|
||||||
SET password_encryption = 'novalue'; -- error
|
SET password_encryption = 'novalue'; -- error
|
||||||
ERROR: invalid value for parameter "password_encryption": "novalue"
|
ERROR: invalid value for parameter "password_encryption": "novalue"
|
||||||
HINT: Available values: md5, scram-sha-256.
|
HINT: Available values: md5, scram-sha-256.
|
||||||
SET password_encryption = true; -- ok
|
SET password_encryption = true; -- error
|
||||||
|
ERROR: invalid value for parameter "password_encryption": "true"
|
||||||
|
HINT: Available values: md5, scram-sha-256.
|
||||||
SET password_encryption = 'md5'; -- ok
|
SET password_encryption = 'md5'; -- ok
|
||||||
SET password_encryption = 'scram-sha-256'; -- ok
|
SET password_encryption = 'scram-sha-256'; -- ok
|
||||||
-- consistency of password entries
|
-- consistency of password entries
|
||||||
SET password_encryption = 'md5';
|
SET password_encryption = 'md5';
|
||||||
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
|
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
|
||||||
SET password_encryption = 'on';
|
|
||||||
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
|
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
|
||||||
SET password_encryption = 'scram-sha-256';
|
SET password_encryption = 'scram-sha-256';
|
||||||
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
|
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
|
||||||
|
|
|
@ -4,14 +4,13 @@
|
||||||
|
|
||||||
-- Tests for GUC password_encryption
|
-- Tests for GUC password_encryption
|
||||||
SET password_encryption = 'novalue'; -- error
|
SET password_encryption = 'novalue'; -- error
|
||||||
SET password_encryption = true; -- ok
|
SET password_encryption = true; -- error
|
||||||
SET password_encryption = 'md5'; -- ok
|
SET password_encryption = 'md5'; -- ok
|
||||||
SET password_encryption = 'scram-sha-256'; -- ok
|
SET password_encryption = 'scram-sha-256'; -- ok
|
||||||
|
|
||||||
-- consistency of password entries
|
-- consistency of password entries
|
||||||
SET password_encryption = 'md5';
|
SET password_encryption = 'md5';
|
||||||
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
|
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
|
||||||
SET password_encryption = 'on';
|
|
||||||
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
|
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
|
||||||
SET password_encryption = 'scram-sha-256';
|
SET password_encryption = 'scram-sha-256';
|
||||||
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
|
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
|
||||||
|
|
Loading…
Reference in New Issue