Re: initdb recommendations

Heikki Linnakangas <hlinnaka@iki.fi>

From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Stephen Frost <sfrost@snowman.net>, "Jonathan S. Katz" <jkatz@postgresql.org>
Cc: Magnus Hagander <magnus@hagander.net>, Joe Conway <mail@joeconway.com>, Tom Lane <tgl@sss.pgh.pa.us>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, pgsql-hackers <pgsql-hackers@postgresql.org>, Noah Misch <noah@leadboat.com>
Date: 2019-05-24T13:49:30Z
Lists: pgsql-hackers, pgsql-docs
On 24/05/2019 16:01, Stephen Frost wrote:
> What I was really getting at though was the ability to have multiple
> authenticator tokens active concurrently (eg: md5 AND SCRAM), with an
> ability to use either one (idk, md5_or_scram auth method?), and then
> automatically set both on password change until everything is using
> SCRAM and then remove all MD5 stuff.

Umm, that's what "md5" already does. Per documentation 
(https://www.postgresql.org/docs/current/auth-password.html):

 > To ease transition from the md5 method to the newer SCRAM method, if
 > md5 is specified as a method in pg_hba.conf but the user's password on
 > the server is encrypted for SCRAM (see below), then SCRAM-based
 > authentication will automatically be chosen instead.

The migration path is:

1. Use "md5" in pg_hba.conf, and put password_encryption='scram-sha-256' 
in postgresql.conf.

2. Wait until all users have reset their passwords, so that all users 
have a SCRAM-SHA-256 verifier.

3. Replace "md5" with "scram-sha-256" in pg_hba.conf.

Step 3 is kind of optional; once all users have a SCRAM verifier instead 
of an MD5 hash, they will all use SCRAM even without changing 
pg_hba.conf. It just prevents MD5 authentication in case a user forces a 
new MD5 hash into the system e.g. by changing password_encryption, or by 
setting an MD5 password explicitly with ALTER USER.

- Heikki



Commits

  1. initdb: Change authentication defaults