From ab80089dbaf5d75dac51aa968f8658b4516020d8 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Mon, 25 May 2020 11:22:32 +0200
Subject: [PATCH] Change default of password_encryption to scram-sha-256
Discussion: https://www.postgresql.org/message-id/flat/d5b0ad33-7d94-bdd1-caac-43a1c782cab2%402ndquadrant.com
---
 doc/src/sgml/config.sgml | 12 +++++++-----
 src/backend/commands/user.c | 2 +-
 src/backend/utils/misc/guc.c | 2 +-
 src/backend/utils/misc/postgresql.conf.sample | 2 +-
 src/bin/initdb/initdb.c | 8 --------
5 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index a2694e548a..9cbaff0c51 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1013,11 +1013,13 @@ Authentication
 When a password is specified in or
- , this parameter determines the algorithm
- to use to encrypt the password. The default value is md5,
- which stores the password as an MD5 hash (on is also
- accepted, as alias for md5). Setting this parameter to
- scram-sha-256 will encrypt the password with SCRAM-SHA-256.
+ , this parameter determines the
+ algorithm to use to encrypt the password. Possible values are
+ scram-sha-256, which will encrypt the password with
+ SCRAM-SHA-256, and md5, which stores the password
+ as an MD5 hash. (on is also accepted, as an alias
+ for md5.) The default is
+ scram-sha-256.
 Note that older clients might lack support for the SCRAM authentication
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 1ef00d6e89..9ce9a66921 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -43,7 +43,7 @@ Oid binary_upgrade_next_pg_authid_oid = InvalidOid;
 /* GUC parameter */
-int Password_encryption = PASSWORD_TYPE_MD5;
+int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
 /* Hook to check passwords in CreateRole() and AlterRole() */
 check_password_hook_type check_password_hook = NULL;
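Review bot: In the user.c hunk the compiled-in default of `Password_encryption` is now set in two places that must stay in sync — this initializer and the boot value of the `password_encryption` entry in guc.c, both changed in this patch — with nothing in the code recording that coupling. A comment on the initializer such as `/* must match the boot value of password_encryption in guc.c */` would make the next change less error-prone. A second consequence of the new default that the patch does not address: a superuser password supplied at initdb time (`-W` or `--pwfile`) will now be stored as a SCRAM verifier even when the user asked for `-A md5`, and md5 authentication cannot verify a SCRAM-stored secret, so such clusters may be locked out until the password is reset; the block removed from initdb.c only handled the scram-sha-256 direction, so initdb likely needs the mirror-image mapping to `password_encryption = md5` (inferred from the initdb.c hunk, which shows only the deleted branch).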
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 2f3e0a70e0..390d5d9655 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -4735,7 +4735,7 @@ static struct config_enum ConfigureNamesEnum[] =
 "this parameter determines whether the password is to be encrypted.")
 },
 &Password_encryption,
- PASSWORD_TYPE_MD5, password_encryption_options,
+ PASSWORD_TYPE_SCRAM_SHA_256, password_encryption_options,
 NULL, NULL, NULL
 },
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 995b6ca155..120a75386c 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -88,7 +88,7 @@
 # - Authentication -
 #authentication_timeout = 1min # 1s-600s
-#password_encryption = md5 # md5 or scram-sha-256
+#password_encryption = scram-sha-256 # scram-sha-256 or md5
 #db_user_namespace = off
 # GSSAPI using Kerberos
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 67021a6dc1..234635fe2c 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -1198,14 +1198,6 @@ setup_config(void)
 "#update_process_title = off");
 #endif
- if (strcmp(authmethodlocal, "scram-sha-256") == 0 ||
- strcmp(authmethodhost, "scram-sha-256") == 0)
- {
- conflines = replace_token(conflines,
- "#password_encryption = md5",
- "password_encryption = scram-sha-256");
- }
-
 /*
 * If group access has been enabled for the cluster then it makes sense to
 * ensure that the log files also allow group access. Otherwise a backup
--
2.26.2
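Review bot: The guc.c hunk leaves the `password_encryption` long description ending in `"this parameter determines whether the password is to be encrypted."`, which still presents the setting as an on/off switch even though, with this patch and the accompanying config.sgml wording, it selects the hashing algorithm. Suggest `"this parameter determines the algorithm used to encrypt the password."` for that fragment; the string literal starts above the hunk, so the opening part of the description should be rechecked against the new wording at the same time. The postgresql.conf.sample hunk is consistent with the new boot value and needs no change.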