Re: scram-sha-256 authentication

On 1/4/21 12:04 PM, PG Doc comments form wrote:
> The following documentation comment has been logged on the website:
>
> Page: https://www.postgresql.org/docs/11/auth-password.html
> Description:
>
> How do you encode a plain password to the corresponding SCRAM-SHA-256
> encryption? Using online tools I obtain a result in a different format the
> in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value
> starts with "SCRAM-SHA-256$4096:".

It's better to ask these questions in one of the community support
areas[1] as the form on the documentation page is intended for
documentation suggestions/corrections. I will provide some guidance below :)

I am not sure what your end goal is, but there are a few ways to create
the hashed SCRAM verifier:

- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's
PQencryptPasswordConn function[2]
- Some driver's handle the password hashing independently

If those are not acceptable, I also have a talk that goes through an
example for how to create a SCRAM verifier and what the different parts
mean[3] as well as an example of creating the verifier in Python[4].

In terms of how things start above, i.e. "SCRAM-SHA-256$4096:" that
presents the hashing function to use and the number of iterations to use
to hash the password (similar to PBKDF2). The full verifier has the
following components with the following delimters:

DIGEST$ITERATIONS:SALT$STORED_KEY:SERVER_KEY

Hope this helps,

Jonathan

[1] https://www.postgresql.org/support/
[2]
https://www.postgresql.org/docs/current/libpq-misc.html#LIBPQ-PQENCRYPTPASSWORDCONN
[3]
https://www2.slideshare.net/jkatz05/get-your-insecure-postgresql-passwords-to-scram
[4] https://gist.github.com/jkatz/e0a1f52f66fa03b732945f6eb94d9c21