Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change the default from md5 to scram-sha-256 in pg_hba.conf #582

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Change the default from md5 to scram-sha-256 in pg_hba.conf #582

wants to merge 1 commit into from

Conversation

bdunne
Copy link

@bdunne bdunne commented Jul 30, 2024

No description provided.

@kbrock
Copy link

kbrock commented Jul 30, 2024

Looks like this has been supported since postgres 10 and is the standard as of postgres 14

# postgresql.conf
password_encryption = scram-sha-256

Someone just needs to set the password after changing that setting and all systems go. (even if pg_hba.conf is still set to md5

To see if you need to upgrade:

SELECT
    rolname, rolpassword ~ '^SCRAM-SHA-256\$' AS has_upgraded
FROM pg_authid
WHERE rolcanlogin;

/via https://www.crunchydata.com/blog/how-to-upgrade-postgresql-passwords-to-scram

@hhorak
Copy link
Member

hhorak commented Sep 4, 2024

We are not able to follow the steps to convert all passwords as the article above describes, because that's what only the users of the postgresql image can do.

What we can do is making the default algorithm configurable and changing the default -- that should not affect new deployments because the pg_hba.conf file is created only when creating the database, but we can still surprise users that might use older clients.

Anyway, the change is inevitable at some point, so we should start somewhere (changing the default only in RHEL10/c10s might be the least painful way).

@fila43 WDYT?

@kbrock
Copy link

kbrock commented Sep 4, 2024

@hhorak I think we are close to the same page.

This migration is definitely on our radar since many companies are requiring the migration to scram.

It is really too bad that there is not a way to upgrade the passwords automatically without risking writing the plain text passwords to disk.

So what I heard you say:

  • Set the postgres.conf default to scram-sha-256.
    • Only needed for postgres 10-13.
    • Can remove in postgres 14 since that is the default.
  • Add a parameter for POSTGRES_AUTH_METHOD, defaulting it to md5.
  • Use the parameter in pg_hba.conf.
  • Change the default value in RHEL10/c10s to scram-sha-256.

Questions:

  • Is this parameter exposed to end users and accessible via something like podman -e POSTGRES_AUTH_METHOD scram-sha-256?

Cheers to Brno. When we worked for RH, we enjoyed our great team members over there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
Containers
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bdunne @kbrock @hhorak