scram-sha-256 authentication
The following documentation comment has been logged on the website:
Page: https://www.postgresql.org/docs/11/auth-password.html
Description:
How do you encode a plain password to the corresponding SCRAM-SHA-256
encryption? Using online tools I obtain a result in a different format than
in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value
starts with "SCRAM-SHA-256$4096:".
On 1/4/21 12:04 PM, PG Doc comments form wrote:
The following documentation comment has been logged on the website:
Page: https://www.postgresql.org/docs/11/auth-password.html
Description:
How do you encode a plain password to the corresponding SCRAM-SHA-256
encryption? Using online tools I obtain a result in a different format than
in e.g. the "PostgreSQL Administration Cookbook", where the encrypted value
starts with "SCRAM-SHA-256$4096:".
It's better to ask these questions in one of the community support
areas[1] as the form on the documentation page is intended for
documentation suggestions/corrections. I will provide some guidance below :)
I am not sure what your end goal is, but there are a few ways to create
the hashed SCRAM verifier:
- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's
PQencryptPasswordConn function[2]
- Some drivers handle the password hashing independently
If those are not acceptable, I also have a talk that goes through an
example for how to create a SCRAM verifier and what the different parts
mean[3] as well as an example of creating the verifier in Python[4].
In terms of how things start above, i.e. "SCRAM-SHA-256$4096:" that
presents the hashing function to use and the number of iterations to use
to hash the password (similar to PBKDF2). The full verifier has the
following components with the following delimiters:
DIGEST$ITERATIONS:SALT$STORED_KEY:SERVER_KEY
Hope this helps,
Jonathan
[1]: https://www.postgresql.org/support/
[2]: https://www.postgresql.org/docs/current/libpq-misc.html#LIBPQ-PQENCRYPTPASSWORDCONN
[3]: https://www2.slideshare.net/jkatz05/get-your-insecure-postgresql-passwords-to-scram
[4]: https://gist.github.com/jkatz/e0a1f52f66fa03b732945f6eb94d9c21
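As an added example (not code from the thread, from Jonathan's gist, or from PostgreSQL itself): building a verifier in the DIGEST$ITERATIONS:SALT$STORED_KEY:SERVER_KEY layout described above, parsing it back, and checking a candidate password against it, using only the Python standard library. It follows RFC 5802/7677 (PBKDF2-HMAC-SHA-256, then HMAC with the "Client Key"/"Server Key" labels) and assumes an ASCII password so that the SASLprep step PostgreSQL applies first is a no-op; the function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Labels fixed by RFC 5802; 4096 is PostgreSQL's default iteration count.
CLIENT_KEY_LABEL = b"Client Key"
SERVER_KEY_LABEL = b"Server Key"
DEFAULT_ITERATIONS = 4096


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def build_scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                                iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>.

    Assumption: password is plain ASCII, so SASLprep normalization is skipped.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per verifier
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, CLIENT_KEY_LABEL, hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # what the server keeps
    server_key = hmac.new(salted, SERVER_KEY_LABEL, hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_verifier(verifier: str) -> dict:
    """Split a verifier into its four fields, rejecting other digests."""
    digest, rest = verifier.split("$", 1)
    if digest != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iter_salt, keys = rest.split("$", 1)
    iterations, salt_b64 = iter_salt.split(":", 1)
    stored_b64, server_b64 = keys.split(":", 1)
    return {"iterations": int(iterations),
            "salt": base64.b64decode(salt_b64, validate=True),
            "stored_key": base64.b64decode(stored_b64, validate=True),
            "server_key": base64.b64decode(server_b64, validate=True)}


def check_password(verifier: str, password: str) -> bool:
    """Offline check that a verifier corresponds to a password: re-derive
    StoredKey from the verifier's own salt/iterations and compare in
    constant time. (In the live protocol the server checks a ClientProof
    instead and never sees the password.)"""
    parts = parse_verifier(verifier)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 parts["salt"], parts["iterations"])
    client_key = hmac.new(salted, CLIENT_KEY_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), parts["stored_key"])
```

The salt and both keys are standard base64 with padding, which is why the output looks different from the raw hex that generic online SHA-256 tools produce.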
On Tue, Jan 05, 2021 at 09:12:58AM -0500, Jonathan S. Katz wrote:
I am not sure what your end goal is, but there are a few ways to create
the hashed SCRAM verifier:
- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's
PQencryptPasswordConn function[2]
- Some drivers handle the password hashing independently
Another thing to be careful about is the value of password_encryption
in postgresql.conf. The default has been changed to scram-sha-256 in
c7eab0e, meaning that this change will be available in Postgres 14~.
But if your environment is using the default configuration of 11, that
may be set to "md5".
--
Michael
Hi Jonathan and Michael,
Thank you for the quick reply, I will ask my questions in community support areas from now on, my apologies.
Your answers were very helpful. I will use psql’s \password command to set the users’ passwords for me instead of trying to generate and set the encoded password myself. I tried out this solution with success.
Best regards,
Sébastien
On 6 Jan 2021, at 02:57, Michael Paquier <michael@paquier.xyz> wrote:
On Tue, Jan 05, 2021 at 09:12:58AM -0500, Jonathan S. Katz wrote:
I am not sure what your end goal is, but there are a few ways to create
the hashed SCRAM verifier:
- Using the \password flag in "psql"
- Using one of the connection drivers that interfaces with libpq's
PQencryptPasswordConn function[2]
- Some drivers handle the password hashing independently
Another thing to be careful about is the value of password_encryption
in postgresql.conf. The default has been changed to scram-sha-256 in
c7eab0e, meaning that this change will be available in Postgres 14~.
But if your environment is using the default configuration of 11, that
may be set to "md5".
--
Michael