scram-sha-256 authentication
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/11/auth-password.html
Description:

How do you encode a plain password to the corresponding SCRAM-SHA-256 encryption? Using online tools I obtain a result in a different format than in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value starts with "SCRAM-SHA-256$4096:".
Re: scram-sha-256 authentication
On 1/4/21 12:04 PM, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/11/auth-password.html
> Description:
>
> How do you encode a plain password to the corresponding SCRAM-SHA-256
> encryption? Using online tools I obtain a result in a different format than
> in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value
> starts with "SCRAM-SHA-256$4096:".

It's better to ask these questions in one of the community support areas[1] as the form on the documentation page is intended for documentation suggestions/corrections. I will provide some guidance below :)

I am not sure what your end goal is, but there are a few ways to create the hashed SCRAM verifier:

- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's PQencryptPasswordConn function[2]
- Some drivers handle the password hashing independently

If those are not acceptable, I also have a talk that goes through an example for how to create a SCRAM verifier and what the different parts mean[3] as well as an example of creating the verifier in Python[4].

In terms of how things start above, i.e. "SCRAM-SHA-256$4096:" that presents the hashing function to use and the number of iterations to use to hash the password (similar to PBKDF2). The full verifier has the following components with the following delimiters:

DIGEST$ITERATIONS:SALT$STORED_KEY:SERVER_KEY

Hope this helps,

Jonathan

[1] https://www.postgresql.org/support/
[2] https://www.postgresql.org/docs/current/libpq-misc.html#LIBPQ-PQENCRYPTPASSWORDCONN
[3] https://www2.slideshare.net/jkatz05/get-your-insecure-postgresql-passwords-to-scram
[4] https://gist.github.com/jkatz/e0a1f52f66fa03b732945f6eb94d9c21
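The verifier layout described in the message above, built and parsed in Python as an added example (not code from the thread or from the linked gist). The function names are hypothetical, the 16-byte salt length is an assumption, and only printable-ASCII passwords are accepted so that SASLprep normalization can be skipped.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _keys(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    # Assumption: printable-ASCII passwords only; SASLprep normalization,
    # which PostgreSQL applies first, leaves such strings unchanged.
    if not (password.isascii() and password.isprintable()):
        raise ValueError("password needs SASLprep, which this example omits")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def make_verifier(password: str, salt: Optional[bytes] = None,
                  iterations: int = 4096) -> str:
    """Build DIGEST$ITERATIONS:SALT$STORED_KEY:SERVER_KEY (binary parts base64)."""
    salt = os.urandom(16) if salt is None else salt  # 16 bytes: assumed length
    stored_key, server_key = _keys(password, salt, iterations)
    return (f"SCRAM-SHA-256${iterations}:{_b64(salt)}"
            f"${_b64(stored_key)}:{_b64(server_key)}")


def parse_verifier(verifier: str) -> Tuple[int, bytes, bytes, bytes]:
    """Split a verifier; raises ValueError for other formats (e.g. md5 hashes)."""
    digest, params, keys = verifier.split("$")
    if digest != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def check_password(password: str, verifier: str) -> bool:
    """Recompute both keys from the verifier's own salt and iteration count."""
    iterations, salt, stored_key, server_key = parse_verifier(verifier)
    candidate_stored, candidate_server = _keys(password, salt, iterations)
    return (hmac.compare_digest(candidate_stored, stored_key)
            and hmac.compare_digest(candidate_server, server_key))
```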
Re: .pgdump file extension
On Sat, Jan 2, 2021 at 01:10:26PM +, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/13/app-pgdump.html
> Description:
>
> Please consider entering a suggested name extension for pg_dump files in
> custom format. For example ".pgdump". Nobody would have any doubts that this
> is a database backup copy. Over the past 20 years, I have seen many times
> that .dump files were treated by various administrators as some minor
> temporary files. The abbreviation "PG", on the other hand, is quite
> recognizable as PostgreSQL. And such less competent administrators, things
> related to PostgreSQL do not touch and the backups will be safe.

This is an interesting idea, but perhaps pgdb.dump might be better. I agree db.dump isn't clear that it is related to Postgres.

--
Bruce Momjian https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee
Re: Typo in manual
On Tue, Jan 5, 2021 at 06:32:11AM +, Tang, Haiying wrote:
> Hi
>
> I think there's a typo in the manual so I tried to fix it. Also, I changed
> some description for better reading.
> Please take a check at my attached patch. Any comment is welcome.

Agreed, applied to all branches, thanks.

--
Bruce Momjian https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee
Re: scram-sha-256 authentication
On Tue, Jan 05, 2021 at 09:12:58AM -0500, Jonathan S. Katz wrote:
> I am not sure what your end goal is, but there are a few ways to create
> the hashed SCRAM verifier:
>
> - Using the \password flag in "psql"
> - Using one of the connection drivers that interfaces with libpq's
> PQencryptPasswordConn function[2]
> - Some drivers handle the password hashing independently

Another thing to be careful about is the value of password_encryption in postgresql.conf. The default has been changed to scram-sha-256 in c7eab0e, meaning that this change will be available in Postgres 14~. But if your environment is using the default configuration of 11, that may be set to "md5".

--
Michael