| From: | Dave Page <dpage(at)pgadmin(dot)org> |
|---|---|
| To: | Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com> |
| Cc: | pgadmin-hackers <pgadmin-hackers(at)postgresql(dot)org> |
| Subject: | Re: Regarding RM #2214 SCRAM Authentication for Change Password |
| Date: | 2018-04-03 10:09:22 |
| Message-ID: | CA+OCxoxQxR0vtn-=Yg7wXaWyMD6EFeeB0W-CSew4_q+-V9GKiA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgadmin-hackers |
Hi
On Mon, Apr 2, 2018 at 11:02 AM, Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com
> wrote:
> Hi Hackers,
>
> As a part of RM #2214, we will have to support SCRAM authentication. User
> will be able to login, but the problem is with "Change Password" of
> database server won't work, as we are encrypting new password using md5 and
> set the new password using "*ALTER USER <user> WITH ENCRYPTED PASSWORD
> <pwd>*" query.
>
> If password_encryption = scram-sha-256 in postgresql.conf file then it
> will change the password with md5 encryption which is not correct and user
> won't be able to login using changed password. I have tried previously
> (almost 12 months ago) and tried following again
>
> from passlib.hash import scram
>
> scram.default_rounds = 4096
> digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')
>
> salt = digest_info[0]
> rounds = digest_info[1]
> secret = digest_info[2]
>
> salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)
>
> but not able to encrypt the password for SCRAM.
>
Because you get a different hash than you'd get from libpq, or some other
problem?
>
> There is new method introduce in PostgreSQL 10 to encrypt the password:
>
> char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);
>
> As we are using psycopg2, so the support for the above method should be
> available in psycopg2. *Ashesh* *Vashi* has already send the patch to
> support for preparing encrypted password and they are planning to merge his
> patch in version 2.8. Following is the link of his patch
> https://github.com/psycopg/psycopg2/pull/576
>
> So when the above patch will be merged and released by psycopg2, we will
> work on this feature again and modified the code. I'll update the RM
> accordingly.
>
I've pinged Daniele on the tracker to see if we can get clarity on when a
release might happen.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Murtuza Zabuawala | 2018-04-03 11:27:21 | [pgAdmin4][RM#3235] Code refactoring in Query tool |
| Previous Message | Khushboo Vashi | 2018-04-03 09:47:28 | Re: [pgAdmin4][Patch]: RM #1978 - Add an option to allow user to disable alertifyjs and acitree animations |