Re: Possible to store invalid SCRAM-SHA-256 Passwords
Michael Paquier <michael@paquier.xyz>
From: Michael Paquier <michael@paquier.xyz>
To: "Jonathan S. Katz" <jkatz@postgresql.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-bugs@lists.postgresql.org, Stephen Frost <sfrost@snowman.net>
Date: 2019-04-23T23:12:16Z
Lists: pgsql-bugs
On Tue, Apr 23, 2019 at 10:19:30AM -0400, Jonathan S. Katz wrote: > - If you have an invalid SCRAM-SHA-256 password (e.g. > SCRAM-SHA-256$1234), you would have been unable to log in anyway, so in > all likelihood you would either have had an admin reset your password, > or you gave up. > - If you had a md5 hash with bogus characters in it, it'd be the above > as well > > So likely it's been resolved in some way: the user has been issued a new > password or has given up on PostgreSQL > > With that said, we could do something like: > > "To determine if this release affects an of your users ability to log in > using either the SCRAM-SHA-256 on MD5 password based methods, you can > run the following query: s/an of/any of/. > We advise that you reset the passwords for these users. Sounds fine to me, thanks. I am not sure if we would want to have something in the release notes, on a wiki page with the release notes including a link to it, or just no direct mention in the release notes. In the past, say for the issue with the incorrect VM page references, we have been a wiki page with queries and such for diagnostics. > +1 for fixing so its consistent (at least from a behavior standpoint). > > I confirmed that it's in 9.5 & 9.4 as well. Thanks for confirming, I am going to patch 9.4~9.6 with that. -- Michael
Commits
-
Fix detection of passwords hashed with MD5
- a82c06f4001d 9.4.22 landed
- 20dbc84bd002 9.5.17 landed
- af298f00a1e8 9.6.13 landed
-
Fix detection of passwords hashed with MD5 or SCRAM-SHA-256
- 15fe91e70ec6 10.8 landed
- 7f56d43663dd 11.3 landed
- ccae190b916f 12.0 landed