Re: How To Change Password Hash Algorithm From MD5 to SHA-256

From: Josh Kupershmidt <schmiddy(at)gmail(dot)com>
To: "ROMAIN, ERICKA W CTR DISA PEO-MA" <ericka(dot)romain(dot)ctr(at)disa(dot)mil>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: How To Change Password Hash Algorithm From MD5 to SHA-256
Date: 2012-06-08 19:06:23
Message-ID: CAK3UJRF9yE=qrHMp3A4dkwjRdbZ+Gwq1_aB=eTfERrnWYOmb6w@mail.gmail.com
Lists: pgsql-admin
On Thu, Jun 7, 2012 at 8:12 AM, ROMAIN, ERICKA W CTR DISA PEO-MA
<ericka(dot)romain(dot)ctr(at)disa(dot)mil> wrote:
> I am trying to get Postgres to use SHA as the password hash algorithm instead of MD5. This is a security requirement. I am running PostgreSQL 8.4 on a Red Hat Linux platform. I have installed pgcrypto and ran pgcrypto.sql. I also created a function SHA-256. The function looks like:
>
> CREATE OR REPLACE FUNCTION sha256(bytea) returns text AS $$
>      SELECT encode(digest($1, 'sha256'), 'hex')
>    $$ LANGUAGE SQL STRICT IMMUTABLE;
>
> I then created a new user. Then I queried pg_shadow and the encrypted password still has md5 at the beginning of the hash. How do I get postgres to use SHA-256?

Well, the function you created has nothing to do with how Postgres
handles password authentication. A whole bunch of places in the code
are hardcoded to assume that password hashing and authentication are
done with MD5, and you'd have to change them all to support SHA-256
password hashing instead. Also, all clients connecting to your server
would have to be using your modified version of libpq to authenticate
to your modified server.

Josh
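
The MD5 scheme the reply above refers to, modelled as an added example that is not part of the original message and is not PostgreSQL or libpq source code. It shows both sides of the exchange: the verifier stored in pg_shadow and the salted response the client sends. The function names, role name, password and salt are constructed for illustration, and sha256_client_response is a hypothetical modified client.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, username: str) -> str:
    """Value kept in pg_shadow.passwd: 'md5' || md5(password || username)."""
    return "md5" + md5_hex(password.encode() + username.encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """Client reply to the server's MD5 password request (4-byte salt)."""
    inner = md5_hex(password.encode() + username.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: derive the expected reply from the stored verifier."""
    if not verifier.startswith("md5"):
        return False
    expected = "md5" + md5_hex(verifier[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def sha256_client_response(password: str, username: str, salt: bytes) -> str:
    """Hypothetical client that switched to SHA-256 without the server."""
    inner = hashlib.sha256(password.encode() + username.encode()).hexdigest()
    return "sha256" + hashlib.sha256(inner.encode() + salt).hexdigest()


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, pw, salt = "alice", "s3cret", bytes([1, 2, 3, 4])
    verifier = stored_verifier(pw, user)
    print("pg_shadow.passwd :", verifier)
    print("stock client     :",
          server_check(verifier, salt, client_response(pw, user, salt)))
    print("sha256 client    :",
          server_check(verifier, salt, sha256_client_response(pw, user, salt)))
```

A user-defined sha256() SQL function appears nowhere in this exchange, which is why the pg_shadow entry still starts with md5, and a client that changes the hash on its own fails against an unmodified server.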
