Re: Can we stop defaulting to 'md5'?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Christoph Berg <myon(at)debian(dot)org>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Devrim Gündüz <devrim(at)gunduz(dot)org>, Craig Ringer <craig(at)2ndquadrant(dot)com>, pgsql-pkg-yum <pgsql-pkg-yum(at)postgresql(dot)org>
Subject: Re: Can we stop defaulting to 'md5'?
Date: 2020-05-28 17:09:50
Message-ID: 20200528170950.GB6680@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-pkg-debian pgsql-pkg-yum

Greetings,

* Christoph Berg (myon(at)debian(dot)org) wrote:
> Re: Stephen Frost
> > > Why do I have to decide *in pg_hba.conf* which hash algorithm is used?
> >
> > Where else would you decide..?
>
> Connections could just use whatever hash is used for the username in
> pg_authid. There's no reason to expose that detail in pg_hba.conf.

ok, so, that's currently what the 'md5' setting does. The scram-sha-256
setting is intended to be used to force scram-sha-256 connections and to
not allow md5 or other ones.

> > > Why can't that just be "password"?
> >
> > What would that mean?
>
> The above.

So.. it'd be an alias for md5, basically. I don't think that's
actually a great answer overall as people will want an option that
disallows non-scram password hash usage.

> > > Getting this mess fixed would be good for security because then people
> > > will likely start using scram.
> >
> > That's certainly true, though I hope we can convince people to use SCRAM
> > even given the modest effort required.
>
> It's not modest. Or else this thread wouldn't have 20 mails.

This is about the default, not about convincing an individual person or
organization.

> > The point here though, really, is that *new* installations of PG have
> > very little reason to not use SCRAM. The question on upgrades is
> > different, but that can be addressed with pg_upgradecluster, I would
> > think, without much trouble.
>
> In pg_createcluster, if I move pg_hba.conf and password_encryption to
> scram, and I restore a dump from an older PG major, can people
> continue to connect using their passwords? From what I got above, the
> answer is "no".

That really depends on what exactly is in the dump file. If the
contents of the dump file include md5 hashes then those roles wouldn't
be able to log in. If the contents have SCRAM-based hashes, then sure.
Is that a huge issue? Not in my view- it'd be pretty clear quite
quickly that they couldn't log in, and why, and that'd be easy to fix-
they could manually adjust the pg_hba.conf, if they want to, or update
those passwords to be scram.

> Should I only set password_encryption to scram and keep advertising
> md5 as the sane default for pg_hba.conf?

That would allow the above scenario to work, though I don't feel the
"what if they restore a pg_dumpall to perform an upgrade, and don't use
pg_upgradecluster" to be a terribly interesting case to stress about
making everything work perfectly- they'll very likely already be having
to adjust their pg_hba.conf for other reasons, as well as their
postgresql.conf for various settings. Restoring a pg_dumpall dump
(which is what you're talking about here really, of course) has never
done anything for config files.

Thanks,

Stephen

In response to

Browse pgsql-pkg-debian by date

  From Date Subject
Next Message Peter Eisentraut 2020-05-28 20:05:40 Re: Can we stop defaulting to 'md5'?
Previous Message Christoph Berg 2020-05-28 16:52:05 Re: Can we stop defaulting to 'md5'?

Browse pgsql-pkg-yum by date

  From Date Subject
Next Message Peter Eisentraut 2020-05-28 20:05:40 Re: Can we stop defaulting to 'md5'?
Previous Message Christoph Berg 2020-05-28 16:52:05 Re: Can we stop defaulting to 'md5'?