From: Dave Page <[email protected]>
To: Akshay Joshi <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: Regarding RM #2214 SCRAM Authentication for Change Password
Date: Tue, 3 Apr 2018 11:09:22 +0100
Message-ID: <CA+OCxoxQxR0vtn-=Yg7wXaWyMD6EFeeB0W-CSew4_q+-V9GKiA@mail.gmail.com> (raw)
In-Reply-To: <CANxoLDfAR+0_JiGiQq3GUZe9cB_4m68c2H0nuRqU9shR7NC47w@mail.gmail.com>
References: <CANxoLDfAR+0_JiGiQq3GUZe9cB_4m68c2H0nuRqU9shR7NC47w@mail.gmail.com>

Hi

On Mon, Apr 2, 2018 at 11:02 AM, Akshay Joshi <[email protected]> wrote:

> Hi Hackers,
>
> As a part of RM #2214, we will have to support SCRAM authentication. Users
> will be able to log in, but "Change Password" for the database server
> won't work, as we are encrypting the new password using md5 and
> setting the new password using the "*ALTER USER <user> WITH ENCRYPTED PASSWORD
> <pwd>*" query.
>
> If password_encryption = scram-sha-256 in the postgresql.conf file, then it
> will change the password with md5 encryption, which is not correct, and the user
> won't be able to log in using the changed password. I tried previously
> (almost 12 months ago) and tried the following again:
>
> import hashlib
> from passlib.hash import scram
>
> scram.default_rounds = 4096
> digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')
>
> salt = digest_info[0]
> rounds = digest_info[1]
> secret = digest_info[2]
>
> salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)
>
> but not able to encrypt the password for SCRAM.
>

Because you get a different hash than you'd get from libpq, or some other
problem?


>
> There is a new method introduced in PostgreSQL 10 to encrypt the password:
>
> char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);
>
> As we are using psycopg2, support for the above method should be
> available in psycopg2. *Ashesh* *Vashi* has already sent a patch to
> support preparing the encrypted password and they are planning to merge his
> patch in version 2.8. Following is the link to his patch:
> https://github.com/psycopg/psycopg2/pull/576
>
> So when the above patch is merged and released by psycopg2, we will
> work on this feature again and modify the code. I'll update the RM
> accordingly.
>

I've pinged Daniele on the tracker to see if we can get clarity on when a
release might happen.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
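
An added example, not part of either message and not pgAdmin or psycopg2 code: the SCRAM-SHA-256 verifier string that PostgreSQL 10 stores for a role, derived with only the Python standard library so the cleartext password never has to appear in the ALTER USER statement. The function names and the sample password are hypothetical; it assumes an ASCII password (PostgreSQL applies SASLprep to other input, which is not implemented here), a 16-byte random salt and 4096 iterations.

```python
import base64
import hashlib
import hmac
import os


def scram_sha256_verifier(password, salt=None, iterations=4096):
    """Return 'SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>' (RFC 5802 keys)."""
    if not password.isascii():
        # Assumption of this example: no SASLprep, so refuse input that needs it.
        raise ValueError("non-ASCII password needs SASLprep normalization first")
    if salt is None:
        salt = os.urandom(16)
    # SaltedPassword := Hi(password, salt, i), which is PBKDF2-HMAC-SHA-256.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # what the server keeps
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()

    def b64(raw):
        return base64.b64encode(raw).decode("ascii")

    return "SCRAM-SHA-256${}:{}${}:{}".format(
        iterations, b64(salt), b64(stored_key), b64(server_key))


def verifier_matches(password, verifier):
    """Re-derive the verifier with its own salt and iteration count and compare."""
    try:
        scheme, params, _keys = verifier.split("$")
        iterations, salt_b64 = params.split(":")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = scram_sha256_verifier(password, salt, int(iterations))
    except ValueError:
        return False  # malformed verifier or unsupported password
    return scheme == "SCRAM-SHA-256" and hmac.compare_digest(expected, verifier)


if __name__ == "__main__":
    sample = scram_sha256_verifier("constructed-sample-pw")  # constructed input
    print(sample)
    print(verifier_matches("constructed-sample-pw", sample))
```

PostgreSQL accepts a string in this form as the password value in ALTER USER and stores it as given, whatever password_encryption is set to.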