On Mon, Apr 24, 2017 at 3:04 PM, Akshay Joshi <akshay.jo...@enterprisedb.com> wrote:
> I have gone through this, but still facing issue to encrypt/change the
> database server password. In pgAdmin4 we have "Change Password" feature where
> user will enter the old and new password for the database server, now we will
> have to encrypt it (in Python) as per SCRAM standards and set it to the
> database.

By using SET password_encryption = 'scram-sha-256' and sending the raw password you would be able to hash the password correctly. Or you could just mimic scram_build_password() (routine in Postgres code to generate that correctly).

> The example you have given in
> https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi
> I have below questions:
> To encode the password you already have entry from pg_authid table which
> won't be possible for non superuser to access that table. How we can get that
> value from pg_authid table or do we have any other solution to this.

I don't understand this question, any user can update this field using CREATE/ALTER ROLE, and the client has no need to know this value for the exchange.

> For constructing the whole client-final-message, we need to calculate
> ClientSignature and ClientProof, which depend on the nonces, and is
> therefore different on every authentication exchange. How to calculate
> ClientSignature and ClientProof?
> Can you please guide me here, how can we achieve that in python.

You will need a C equivalent of what is proposed in fe-auth-scram.c in the Postgres code to build the messages that are exchanged from the server, see particularly calculate_client_proof() which describes step by step the calculation of the client proof when building the last message for the client. I didn't check in detail, but the routines are the same as in the message above. The format of the hashed password has changed a bit since commit 68e61ee though.

--
Michael
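Added example, not part of the original message and not PostgreSQL's own code: the two computations discussed in this reply (building the stored SCRAM-SHA-256 verifier, and the ClientSignature/ClientProof for the client-final-message) written in Python per RFC 5802, with a server-side check to show the proof validates against the verifier alone. Assumptions: the function names are hypothetical, the password is ASCII so SASLprep is skipped, the verifier layout is `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` (confirm against your server version), and the salt and nonces are constructed sample values.

```python
import base64, hashlib, hmac, os

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_keys(password, salt, iterations):
    # Assumption: password is already normalized (the server side applies SASLprep).
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)  # Hi()
    client_key = _hmac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest(), _hmac(salted, b"Server Key")

def build_verifier(password, salt=None, iterations=4096):
    # Value to send in ALTER ROLE ... PASSWORD '<verifier>'; the cleartext stays on the client.
    salt = os.urandom(16) if salt is None else salt
    _, stored_key, server_key = derive_keys(password, salt, iterations)
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"

def client_proof(password, client_first_bare, server_first, final_without_proof):
    # Salt and iteration count arrive in server-first-message; pg_authid is never read.
    attrs = dict(field.split("=", 1) for field in server_first.split(","))
    client_key, stored_key, _ = derive_keys(
        password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    auth_message = f"{client_first_bare},{server_first},{final_without_proof}".encode()
    client_signature = _hmac(stored_key, auth_message)  # changes with every nonce pair
    return _b64(_xor(client_key, client_signature))

def server_accepts(verifier, client_first_bare, server_first, final_without_proof, proof):
    # Server side: recover ClientKey from the proof, compare H(ClientKey) with StoredKey.
    stored_key = base64.b64decode(verifier.split("$")[2].split(":")[0])
    auth_message = f"{client_first_bare},{server_first},{final_without_proof}".encode()
    client_key = _xor(base64.b64decode(proof), _hmac(stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

def demo():
    # Constructed sample exchange: fixed salt and nonces, no channel binding ("biws" = b64 "n,,").
    salt, c_nonce, s_nonce = bytes(range(16)), "constructedClientNonce", "constructedServerNonce"
    verifier = build_verifier("correct horse", salt)
    first_bare = f"n=,r={c_nonce}"
    server_first = f"r={c_nonce}{s_nonce},s={_b64(salt)},i=4096"
    final_wo = f"c=biws,r={c_nonce}{s_nonce}"
    good = client_proof("correct horse", first_bare, server_first, final_wo)
    bad = client_proof("wrong guess", first_bare, server_first, final_wo)
    return (verifier,
            server_accepts(verifier, first_bare, server_first, final_wo, good),
            server_accepts(verifier, first_bare, server_first, final_wo, bad))

if __name__ == "__main__":
    print(demo())
```

The client-final-message is `final_without_proof + ",p=" + proof`; a real client must also check the server's `v=` signature, which is left out here.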