On 2020-05-25 17:57, Jonathan S. Katz wrote:
I took a look over, it looks good. One question on the initdb.c diff:- if (strcmp(authmethodlocal, "scram-sha-256") == 0 || - strcmp(authmethodhost, "scram-sha-256") == 0) - { - conflines = replace_token(conflines, - "#password_encryption = md5", - "password_encryption = scram-sha-256"); - } - Would we reverse this, i.e. if someone chooses authmethodlocal to be "md5", we would then set "password_encryption = md5"?
Yeah, I was too enthusiastic about removing that. Here is a better patch. -- Peter Eisentraut http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From fdf1fdd396073307e917a4eaccb58427926f2312 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut <pe...@eisentraut.org> Date: Tue, 26 May 2020 10:08:22 +0200 Subject: [PATCH v2] Change default of password_encryption to scram-sha-256 Discussion: https://www.postgresql.org/message-id/flat/d5b0ad33-7d94-bdd1-caac-43a1c782cab2%402ndquadrant.com --- doc/src/sgml/config.sgml | 12 +++++++----- src/backend/commands/user.c | 2 +- src/backend/utils/misc/guc.c | 2 +- src/backend/utils/misc/postgresql.conf.sample | 2 +- src/bin/initdb/initdb.c | 14 ++++++++++---- 5 files changed, 20 insertions(+), 12 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index a2694e548a..9cbaff0c51 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1013,11 +1013,13 @@ <title>Authentication</title> <listitem> <para> When a password is specified in <xref linkend="sql-createrole"/> or - <xref linkend="sql-alterrole"/>, this parameter determines the algorithm - to use to encrypt the password. The default value is <literal>md5</literal>, - which stores the password as an MD5 hash (<literal>on</literal> is also - accepted, as alias for <literal>md5</literal>). Setting this parameter to - <literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256. + <xref linkend="sql-alterrole"/>, this parameter determines the + algorithm to use to encrypt the password. Possible values are + <literal>scram-sha-256</literal>, which will encrypt the password with + SCRAM-SHA-256, and <literal>md5</literal>, which stores the password + as an MD5 hash. (<literal>on</literal> is also accepted, as an alias + for <literal>md5</literal>.) The default is + <literal>scram-sha-256</literal>. </para> <para> Note that older clients might lack support for the SCRAM authentication diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c index 1ef00d6e89..9ce9a66921 100644 --- a/src/backend/commands/user.c +++ b/src/backend/commands/user.c @@ -43,7 +43,7 @@ Oid binary_upgrade_next_pg_authid_oid = InvalidOid; /* GUC parameter */ -int Password_encryption = PASSWORD_TYPE_MD5; +int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256; /* Hook to check passwords in CreateRole() and AlterRole() */ check_password_hook_type check_password_hook = NULL; diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 2f3e0a70e0..390d5d9655 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -4735,7 +4735,7 @@ static struct config_enum ConfigureNamesEnum[] = "this parameter determines whether the password is to be encrypted.") }, &Password_encryption, - PASSWORD_TYPE_MD5, password_encryption_options, + PASSWORD_TYPE_SCRAM_SHA_256, password_encryption_options, NULL, NULL, NULL }, diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 995b6ca155..120a75386c 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -88,7 +88,7 @@ # - Authentication - #authentication_timeout = 1min # 1s-600s -#password_encryption = md5 # md5 or scram-sha-256 +#password_encryption = scram-sha-256 # scram-sha-256 or md5 #db_user_namespace = off # GSSAPI using Kerberos diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index 67021a6dc1..b1f49abe36 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c @@ -1198,12 +1198,18 @@ setup_config(void) "#update_process_title = off"); #endif - if (strcmp(authmethodlocal, "scram-sha-256") == 0 || - strcmp(authmethodhost, "scram-sha-256") == 0) + /* + * Change password_encryption setting to md5 if md5 was chosen as an + * authentication method, unless scram-sha-256 was also chosen. + */ + if ((strcmp(authmethodlocal, "md5") == 0 && + strcmp(authmethodhost, "scram-sha-256") != 0) || + (strcmp(authmethodhost, "md5") == 0 && + strcmp(authmethodlocal, "scram-sha-256") != 0)) { conflines = replace_token(conflines, - "#password_encryption = md5", - "password_encryption = scram-sha-256"); + "#password_encryption = scram-sha-256", + "password_encryption = md5"); } /* -- 2.26.2
