Commit c7eab0e9 authored by Peter Eisentraut's avatar Peter Eisentraut

Change default of password_encryption to scram-sha-256

Also, the legacy values on/true/yes/1 for password_encryption that
mapped to md5 are removed.  The only valid values are now
scram-sha-256 and md5.
Reviewed-by: default avatarJonathan S. Katz <jkatz@postgresql.org>
Discussion: https://www.postgresql.org/message-id/flat/d5b0ad33-7d94-bdd1-caac-43a1c782cab2%402ndquadrant.com
parent 5a4ada71
...@@ -1013,11 +1013,11 @@ include_dir 'conf.d' ...@@ -1013,11 +1013,11 @@ include_dir 'conf.d'
<listitem> <listitem>
<para> <para>
When a password is specified in <xref linkend="sql-createrole"/> or When a password is specified in <xref linkend="sql-createrole"/> or
<xref linkend="sql-alterrole"/>, this parameter determines the algorithm <xref linkend="sql-alterrole"/>, this parameter determines the
to use to encrypt the password. The default value is <literal>md5</literal>, algorithm to use to encrypt the password. Possible values are
which stores the password as an MD5 hash (<literal>on</literal> is also <literal>scram-sha-256</literal>, which will encrypt the password with
accepted, as alias for <literal>md5</literal>). Setting this parameter to SCRAM-SHA-256, and <literal>md5</literal>, which stores the password
<literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256. as an MD5 hash. The default is <literal>scram-sha-256</literal>.
</para> </para>
<para> <para>
Note that older clients might lack support for the SCRAM authentication Note that older clients might lack support for the SCRAM authentication
......
...@@ -43,7 +43,7 @@ Oid binary_upgrade_next_pg_authid_oid = InvalidOid; ...@@ -43,7 +43,7 @@ Oid binary_upgrade_next_pg_authid_oid = InvalidOid;
/* GUC parameter */ /* GUC parameter */
int Password_encryption = PASSWORD_TYPE_MD5; int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
/* Hook to check passwords in CreateRole() and AlterRole() */ /* Hook to check passwords in CreateRole() and AlterRole() */
check_password_hook_type check_password_hook = NULL; check_password_hook_type check_password_hook = NULL;
......
...@@ -463,18 +463,9 @@ static const struct config_enum_entry plan_cache_mode_options[] = { ...@@ -463,18 +463,9 @@ static const struct config_enum_entry plan_cache_mode_options[] = {
{NULL, 0, false} {NULL, 0, false}
}; };
/*
* password_encryption used to be a boolean, so accept all the likely
* variants of "on", too. "off" used to store passwords in plaintext,
* but we don't support that anymore.
*/
static const struct config_enum_entry password_encryption_options[] = { static const struct config_enum_entry password_encryption_options[] = {
{"md5", PASSWORD_TYPE_MD5, false}, {"md5", PASSWORD_TYPE_MD5, false},
{"scram-sha-256", PASSWORD_TYPE_SCRAM_SHA_256, false}, {"scram-sha-256", PASSWORD_TYPE_SCRAM_SHA_256, false},
{"on", PASSWORD_TYPE_MD5, true},
{"true", PASSWORD_TYPE_MD5, true},
{"yes", PASSWORD_TYPE_MD5, true},
{"1", PASSWORD_TYPE_MD5, true},
{NULL, 0, false} {NULL, 0, false}
}; };
...@@ -4733,7 +4724,7 @@ static struct config_enum ConfigureNamesEnum[] = ...@@ -4733,7 +4724,7 @@ static struct config_enum ConfigureNamesEnum[] =
NULL NULL
}, },
&Password_encryption, &Password_encryption,
PASSWORD_TYPE_MD5, password_encryption_options, PASSWORD_TYPE_SCRAM_SHA_256, password_encryption_options,
NULL, NULL, NULL NULL, NULL, NULL
}, },
......
...@@ -88,7 +88,7 @@ ...@@ -88,7 +88,7 @@
# - Authentication - # - Authentication -
#authentication_timeout = 1min # 1s-600s #authentication_timeout = 1min # 1s-600s
#password_encryption = md5 # md5 or scram-sha-256 #password_encryption = scram-sha-256 # scram-sha-256 or md5
#db_user_namespace = off #db_user_namespace = off
# GSSAPI using Kerberos # GSSAPI using Kerberos
......
...@@ -1204,12 +1204,18 @@ setup_config(void) ...@@ -1204,12 +1204,18 @@ setup_config(void)
"#update_process_title = off"); "#update_process_title = off");
#endif #endif
if (strcmp(authmethodlocal, "scram-sha-256") == 0 || /*
strcmp(authmethodhost, "scram-sha-256") == 0) * Change password_encryption setting to md5 if md5 was chosen as an
* authentication method, unless scram-sha-256 was also chosen.
*/
if ((strcmp(authmethodlocal, "md5") == 0 &&
strcmp(authmethodhost, "scram-sha-256") != 0) ||
(strcmp(authmethodhost, "md5") == 0 &&
strcmp(authmethodlocal, "scram-sha-256") != 0))
{ {
conflines = replace_token(conflines, conflines = replace_token(conflines,
"#password_encryption = md5", "#password_encryption = scram-sha-256",
"password_encryption = scram-sha-256"); "password_encryption = md5");
} }
/* /*
...@@ -2373,12 +2379,7 @@ check_need_password(const char *authmethodlocal, const char *authmethodhost) ...@@ -2373,12 +2379,7 @@ check_need_password(const char *authmethodlocal, const char *authmethodhost)
strcmp(authmethodhost, "scram-sha-256") == 0) && strcmp(authmethodhost, "scram-sha-256") == 0) &&
!(pwprompt || pwfilename)) !(pwprompt || pwfilename))
{ {
pg_log_error("must specify a password for the superuser to enable %s authentication", pg_log_error("must specify a password for the superuser to enable password authentication");
(strcmp(authmethodlocal, "md5") == 0 ||
strcmp(authmethodlocal, "password") == 0 ||
strcmp(authmethodlocal, "scram-sha-256") == 0)
? authmethodlocal
: authmethodhost);
exit(1); exit(1);
} }
} }
......
...@@ -5,13 +5,14 @@ ...@@ -5,13 +5,14 @@
SET password_encryption = 'novalue'; -- error SET password_encryption = 'novalue'; -- error
ERROR: invalid value for parameter "password_encryption": "novalue" ERROR: invalid value for parameter "password_encryption": "novalue"
HINT: Available values: md5, scram-sha-256. HINT: Available values: md5, scram-sha-256.
SET password_encryption = true; -- ok SET password_encryption = true; -- error
ERROR: invalid value for parameter "password_encryption": "true"
HINT: Available values: md5, scram-sha-256.
SET password_encryption = 'md5'; -- ok SET password_encryption = 'md5'; -- ok
SET password_encryption = 'scram-sha-256'; -- ok SET password_encryption = 'scram-sha-256'; -- ok
-- consistency of password entries -- consistency of password entries
SET password_encryption = 'md5'; SET password_encryption = 'md5';
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1'; CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
SET password_encryption = 'on';
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2'; CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
SET password_encryption = 'scram-sha-256'; SET password_encryption = 'scram-sha-256';
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3'; CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
......
...@@ -4,14 +4,13 @@ ...@@ -4,14 +4,13 @@
-- Tests for GUC password_encryption -- Tests for GUC password_encryption
SET password_encryption = 'novalue'; -- error SET password_encryption = 'novalue'; -- error
SET password_encryption = true; -- ok SET password_encryption = true; -- error
SET password_encryption = 'md5'; -- ok SET password_encryption = 'md5'; -- ok
SET password_encryption = 'scram-sha-256'; -- ok SET password_encryption = 'scram-sha-256'; -- ok
-- consistency of password entries -- consistency of password entries
SET password_encryption = 'md5'; SET password_encryption = 'md5';
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1'; CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
SET password_encryption = 'on';
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2'; CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
SET password_encryption = 'scram-sha-256'; SET password_encryption = 'scram-sha-256';
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3'; CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment