Thread

  1. BUG #14661: authentication behavior(SCRAM-MD5)

    Anthony Sotolongo <asotolongo@gmail.com> — 2017-05-19T15:05:11Z

    The following bug has been logged on the website:
    
    Bug reference:      14661
    Logged by:          Anthony Sotolongo León
    Email address:      asotolongo@gmail.com
    PostgreSQL version: 10beta1
    Operating system:   Ubuntu 14.04
    Description:        
    
    I have a pg_hba.conf like this:
    
    host    all             usuario         0.0.0.0/0            scram-sha-256
    host    all             postgres        0.0.0.0/0            scram-sha-256
    
    and my user with md5 password encryption
    select usename,passwd from pg_shadow ;
    
    usename  |               passwd               
    ----------+------------
     postgres |      md50005a4b0ccaccbd18bcf64e90e242c90           
     usuario  |    md541f55d102ea5687e95fb361019a12da4        
    
    and when try to  login,  login error, and return error 
    
    2017-05-19 16:51:20.312 CEST [1418] FATAL:  la autentificación password
    falló para el usuario «postgres»
    2017-05-19 16:51:20.312 CEST [1418] DETALLE:  User "postgres" does not have
    a valid SCRAM verifier.
    	La conexión coincidió con la línea 83 de pg_hba.conf: «host    all         
       postgres        0.0.0.0/0            scram-sha-256»
    
    
    i think that is correct, but when i have the next configuracion: 
    pg_hba.conf 
    host    all             usuario         0.0.0.0/0            md5
    host    all             postgres        0.0.0.0/0            md5
    
    and my user with SCRAM encryption
    postgres=# select usename,passwd from pg_shadow ;
     usename  |                                                           
    passwd                                                             
    ----------+-------------------------------------------------------------------------------------------------------------------------------
     usuario  |
    SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=
     postgres |
    SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=
    (2 filas)
    
    
    and when try to  login, login successfully
    is correct this behavior?
    
    Greettings
    
    
    
    
    
  2. Re: BUG #14661: authentication behavior(SCRAM-MD5)

    Heikki Linnakangas <hlinnaka@iki.fi> — 2017-05-19T15:47:13Z

    On 05/19/2017 06:05 PM, asotolongo@gmail.com wrote:
    > i think that is correct, but when i have the next configuracion:
    > pg_hba.conf
    > host    all             usuario         0.0.0.0/0            md5
    > host    all             postgres        0.0.0.0/0            md5
    >
    > and my user with SCRAM encryption
    > postgres=# select usename,passwd from pg_shadow ;
    >  usename  |
    > passwd
    > ----------+-------------------------------------------------------------------------------------------------------------------------------
    >  usuario  |
    > SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=
    >  postgres |
    > SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=
    > (2 filas)
    >
    >
    > and when try to  login, login successfully
    > is correct this behavior?
    
    Yeah, "md5" in pg_hba.conf really means "md5 or scram-sha-256, depending 
    on what kind of password hash the user has".
    
    The documentation at 
    https://www.postgresql.org/docs/devel/static/auth-methods.html#auth-password 
    tries to explain it:
    
    > scram-sha-256 performs SCRAM-SHA-256 authentication, as described in
    > RFC5802. It is a challenge-response scheme, that prevents password
    > sniffing on untrusted connections. It is more secure than the md5
    > method, but might not be supported by older clients.
    >
    > md5 allows falling back to a less secure challenge-response mechanism
    > for those users with an MD5 hashed password. The fallback mechanism
    > also prevents password sniffing, but provides no protection if an
    > attacker manages to steal the password hash from the server, and it
    > cannot be used with the db_user_namespace feature. For all other
    > users, md5 works the same as scram-sha-256.
    
    
    - Heikki
    
    
    
    
  3. Re: BUG #14661: authentication behavior(SCRAM-MD5)

    Anthony Sotolongo <asotolongo@gmail.com> — 2017-05-19T15:51:06Z

    Thanks!!! :D
    
    
    On 19/05/17 11:47, Heikki Linnakangas wrote:
    > On 05/19/2017 06:05 PM, asotolongo@gmail.com wrote:
    >> i think that is correct, but when i have the next configuracion:
    >> pg_hba.conf
    >> host    all             usuario         0.0.0.0/0            md5
    >> host    all             postgres        0.0.0.0/0            md5
    >>
    >> and my user with SCRAM encryption
    >> postgres=# select usename,passwd from pg_shadow ;
    >>  usename  |
    >> passwd
    >> ----------+------------------------------------------------------------------------------------------------------------------------------- 
    >>
    >>  usuario  |
    >> SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA= 
    >>
    >>  postgres |
    >> SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA= 
    >>
    >> (2 filas)
    >>
    >>
    >> and when try to  login, login successfully
    >> is correct this behavior?
    >
    > Yeah, "md5" in pg_hba.conf really means "md5 or scram-sha-256, 
    > depending on what kind of password hash the user has".
    >
    > The documentation at 
    > https://www.postgresql.org/docs/devel/static/auth-methods.html#auth-password 
    > tries to explain it:
    >
    >> scram-sha-256 performs SCRAM-SHA-256 authentication, as described in
    >> RFC5802. It is a challenge-response scheme, that prevents password
    >> sniffing on untrusted connections. It is more secure than the md5
    >> method, but might not be supported by older clients.
    >>
    >> md5 allows falling back to a less secure challenge-response mechanism
    >> for those users with an MD5 hashed password. The fallback mechanism
    >> also prevents password sniffing, but provides no protection if an
    >> attacker manages to steal the password hash from the server, and it
    >> cannot be used with the db_user_namespace feature. For all other
    >> users, md5 works the same as scram-sha-256.
    >
    >
    > - Heikki
    >