Re: password_encryption default

Mon, 25 May 2020 02:46:30 -0700 

On 2020-05-22 23:23, Jonathan S. Katz wrote:

Yeah.  But there's still something to Jonathan's argument, because 9.6
will go EOL in November 2021, which is pretty close to when v14 will
reach public release (assuming we can hold to the typical schedule).
If we do it in v13, there'll be a full year where still-supported
versions of PG can't do SCRAM, implying that clients would likely
fail to connect to an up-to-date server.


^ that's what I meant.


Here is a proposed patch for PG14 then.

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

From ab80089dbaf5d75dac51aa968f8658b4516020d8 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pe...@eisentraut.org>
Date: Mon, 25 May 2020 11:22:32 +0200
Subject: [PATCH] Change default of password_encryption to scram-sha-256

Discussion: 
https://www.postgresql.org/message-id/flat/d5b0ad33-7d94-bdd1-caac-43a1c782cab2%402ndquadrant.com
---
 doc/src/sgml/config.sgml                      | 12 +++++++-----
 src/backend/commands/user.c                   |  2 +-
 src/backend/utils/misc/guc.c                  |  2 +-
 src/backend/utils/misc/postgresql.conf.sample |  2 +-
 src/bin/initdb/initdb.c                       |  8 --------
 5 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index a2694e548a..9cbaff0c51 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1013,11 +1013,13 @@ <title>Authentication</title>
       <listitem>
        <para>
         When a password is specified in <xref linkend="sql-createrole"/> or
-        <xref linkend="sql-alterrole"/>, this parameter determines the 
algorithm
-        to use to encrypt the password. The default value is 
<literal>md5</literal>,
-        which stores the password as an MD5 hash (<literal>on</literal> is also
-        accepted, as alias for <literal>md5</literal>). Setting this parameter 
to
-        <literal>scram-sha-256</literal> will encrypt the password with 
SCRAM-SHA-256.
+        <xref linkend="sql-alterrole"/>, this parameter determines the
+        algorithm to use to encrypt the password.  Possible values are
+        <literal>scram-sha-256</literal>, which will encrypt the password with
+        SCRAM-SHA-256, and <literal>md5</literal>, which stores the password
+        as an MD5 hash.  (<literal>on</literal> is also accepted, as an alias
+        for <literal>md5</literal>.)  The default is
+        <literal>scram-sha-256</literal>.
        </para>
        <para>
         Note that older clients might lack support for the SCRAM authentication
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 1ef00d6e89..9ce9a66921 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -43,7 +43,7 @@ Oid                   binary_upgrade_next_pg_authid_oid = 
InvalidOid;
 
 
 /* GUC parameter */
-int                    Password_encryption = PASSWORD_TYPE_MD5;
+int                    Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
 
 /* Hook to check passwords in CreateRole() and AlterRole() */
 check_password_hook_type check_password_hook = NULL;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 2f3e0a70e0..390d5d9655 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -4735,7 +4735,7 @@ static struct config_enum ConfigureNamesEnum[] =
                                                 "this parameter determines 
whether the password is to be encrypted.")
                },
                &Password_encryption,
-               PASSWORD_TYPE_MD5, password_encryption_options,
+               PASSWORD_TYPE_SCRAM_SHA_256, password_encryption_options,
                NULL, NULL, NULL
        },
 
diff --git a/src/backend/utils/misc/postgresql.conf.sample 
b/src/backend/utils/misc/postgresql.conf.sample
index 995b6ca155..120a75386c 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -88,7 +88,7 @@
 # - Authentication -
 
 #authentication_timeout = 1min         # 1s-600s
-#password_encryption = md5             # md5 or scram-sha-256
+#password_encryption = scram-sha-256   # scram-sha-256 or md5
 #db_user_namespace = off
 
 # GSSAPI using Kerberos
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 67021a6dc1..234635fe2c 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -1198,14 +1198,6 @@ setup_config(void)
                                                          
"#update_process_title = off");
 #endif
 
-       if (strcmp(authmethodlocal, "scram-sha-256") == 0 ||
-               strcmp(authmethodhost, "scram-sha-256") == 0)
-       {
-               conflines = replace_token(conflines,
-                                                                 
"#password_encryption = md5",
-                                                                 
"password_encryption = scram-sha-256");
-       }
-
        /*
         * If group access has been enabled for the cluster then it makes sense 
to
         * ensure that the log files also allow group access.  Otherwise a 
backup
-- 
2.26.2



























					Reply via email to