From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
---|---|
To: | asotolongo(at)gmail(dot)com, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #14661: authentication behavior(SCRAM-MD5) |
Date: | 2017-05-19 15:47:13 |
Message-ID: | e62ec9d1-ba21-830a-afa3-ad3c1cccd0eb@iki.fi |
Lists: | pgsql-bugs |
On 05/19/2017 06:05 PM, asotolongo(at)gmail(dot)com wrote:
> I think that is correct, but when I have the following configuration:
> pg_hba.conf
> host all usuario 0.0.0.0/0 md5
> host all postgres 0.0.0.0/0 md5
>
> and my user with SCRAM encryption
> postgres=# select usename,passwd from pg_shadow ;
>  usename  | passwd
> ----------+-------------------------------------------------------------------------------------------------------------------------------
>  usuario  | SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=
>  postgres | SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=
> (2 filas)
>
>
> and when I try to log in, I log in successfully.
> Is this behavior correct?

Yeah, "md5" in pg_hba.conf really means "md5 or scram-sha-256, depending
on what kind of password hash the user has".

The documentation at
https://www.postgresql.org/docs/devel/static/auth-methods.html#auth-password
tries to explain it:

> scram-sha-256 performs SCRAM-SHA-256 authentication, as described in
> RFC5802. It is a challenge-response scheme, that prevents password
> sniffing on untrusted connections. It is more secure than the md5
> method, but might not be supported by older clients.
>
> md5 allows falling back to a less secure challenge-response mechanism
> for those users with an MD5 hashed password. The fallback mechanism
> also prevents password sniffing, but provides no protection if an
> attacker manages to steal the password hash from the server, and it
> cannot be used with the db_user_namespace feature. For all other
> users, md5 works the same as scram-sha-256.
- Heikki
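
Added example (not part of the message above and not PostgreSQL's own code): a small audit helper that classifies each `pg_shadow.passwd` value and reports which mechanism a `pg_hba.conf` rule actually results in for that user, so roles still on the weaker MD5 fallback stand out. Assumptions: the function names and sample data are constructed for illustration; rules use the CIDR address form with no `+group` entries; the `fails` result for `scram-sha-256` with an MD5 hash comes from PostgreSQL's documented behaviour, not from this thread.

```python
import base64
import re

# Layout seen in the pg_shadow output above: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$(\d+):([^$:]+)\$([^$:]+):([^$:]+)$")
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")

def classify_verifier(passwd):
    """Classify a pg_shadow.passwd value as 'scram-sha-256', 'md5' or 'unknown'."""
    m = SCRAM_RE.match(passwd or "")
    if m:
        try:
            keys = [base64.b64decode(g, validate=True) for g in m.group(2, 3, 4)]
        except ValueError:  # binascii.Error is a ValueError subclass
            return "unknown"
        # StoredKey and ServerKey are SHA-256 outputs, so 32 bytes each.
        return "scram-sha-256" if all(len(k) == 32 for k in keys[1:]) else "unknown"
    return "md5" if MD5_RE.match(passwd or "") else "unknown"

def effective_mechanism(hba_method, verifier_kind):
    """Mechanism that results from one pg_hba.conf method and one user's hash type."""
    if hba_method == "md5":
        # Per the reply above: "md5" means md5 or scram-sha-256, chosen by hash type.
        return verifier_kind if verifier_kind in ("md5", "scram-sha-256") else "fails"
    if hba_method == "scram-sha-256":
        # No fallback in this direction: an MD5 hash cannot serve a SCRAM exchange.
        return "scram-sha-256" if verifier_kind == "scram-sha-256" else "fails"
    return hba_method  # other methods are reported as configured

def audit(hba_text, shadow):
    """Return (line_no, user, hba_method, effective) for each known user a rule names."""
    rows = []
    for line_no, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] not in ("local", "host", "hostssl", "hostnossl"):
            continue
        idx = 3 if fields[0] == "local" else 4  # position of the method field
        if len(fields) <= idx:
            continue
        users = shadow if fields[2] == "all" else fields[2].split(",")
        for user in users:
            if user in shadow:
                kind = classify_verifier(shadow[user])
                rows.append((line_no, user, fields[idx], effective_mechanism(fields[idx], kind)))
    return rows

# Constructed sample input (not the hashes quoted in the thread).
_KEY = base64.b64encode(bytes(32)).decode()
SAMPLE_SHADOW = {"usuario": f"SCRAM-SHA-256$4096:{_KEY}${_KEY}:{_KEY}", "legacy": "md5" + "0" * 32}
SAMPLE_HBA = ("host all usuario 0.0.0.0/0 md5\nhost all legacy 0.0.0.0/0 md5\n"
              "host all legacy 10.0.0.0/8 scram-sha-256\n")
```

Rows whose effective mechanism is `md5` are the roles that need a password reset under `password_encryption = 'scram-sha-256'` before the rule can be tightened to `scram-sha-256`.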