Re: initdb recommendations
Heikki Linnakangas <hlinnaka@iki.fi>
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: Stephen Frost <sfrost@snowman.net>,
"Jonathan S. Katz" <jkatz@postgresql.org>
Cc: Magnus Hagander <magnus@hagander.net>, Joe Conway <mail@joeconway.com>,
Tom Lane <tgl@sss.pgh.pa.us>,
Peter Eisentraut <peter.eisentraut@2ndquadrant.com>,
pgsql-hackers <pgsql-hackers@postgresql.org>, Noah Misch <noah@leadboat.com>
Date: 2019-05-24T13:49:30Z
Lists: pgsql-hackers, pgsql-docs
On 24/05/2019 16:01, Stephen Frost wrote: > What I was really getting at though was the ability to have multiple > authenticator tokens active concurrently (eg: md5 AND SCRAM), with an > ability to use either one (idk, md5_or_scram auth method?), and then > automatically set both on password change until everything is using > SCRAM and then remove all MD5 stuff. Umm, that's what "md5" already does. Per documentation (https://www.postgresql.org/docs/current/auth-password.html): > To ease transition from the md5 method to the newer SCRAM method, if > md5 is specified as a method in pg_hba.conf but the user's password on > the server is encrypted for SCRAM (see below), then SCRAM-based > authentication will automatically be chosen instead. The migration path is: 1. Use "md5" in pg_hba.conf, and put password_encryption='scram-sha-256' in postgresql.conf. 2. Wait until all users have reset their passwords, so that all users have a SCRAM-SHA-256 verifier. 3. Replace "md5" with "scram-sha-256" in pg_hba.conf. Step 3 is kind of optional; once all users have a SCRAM verifier instead of an MD5 hash, they will all use SCRAM even without changing pg_hba.conf. It just prevents MD5 authentication in case a user forces a new MD5 hash into the system e.g. by changing password_encryption, or by setting an MD5 password explicitly with ALTER USER. - Heikki
Commits
-
initdb: Change authentication defaults
- 09f08930f0f6 13.0 landed