From: Dave Page
Date: Tue, 3 Apr 2018 11:09:22 +0100
Subject: Re: Regarding RM #2214 SCRAM Authentication for Change Password
To: Akshay Joshi
Cc: pgadmin-hackers

Hi

On Mon, Apr 2, 2018 at 11:02 AM, Akshay Joshi wrote:

> Hi Hackers,
>
> As a part of RM #2214, we will have to support SCRAM authentication. Users
> will be able to log in, but "Change Password" for the database server won't
> work, as we are encrypting the new password using md5 and setting the new
> password using the "ALTER USER <user> WITH ENCRYPTED PASSWORD <pwd>" query.
>
> If password_encryption = scram-sha-256 in the postgresql.conf file, then it
> will change the password with md5 encryption, which is not correct, and the
> user won't be able to log in using the changed password. I tried previously
> (almost 12 months ago) and tried the following again:
>
>     import hashlib
>     from passlib.hash import scram
>
>     password = "example"  # placeholder for the new password being set
>
>     scram.default_rounds = 4096
>     # passlib returns (salt, rounds, digest) for the requested algorithm
>     digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')
>
>     salt = digest_info[0]
>     rounds = digest_info[1]
>     secret = digest_info[2]
>
>     salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)
>
> but I am not able to encrypt the password for SCRAM.

Because you get a different hash than you'd get from libpq, or some other
problem?

> There is a new method introduced in PostgreSQL 10 to encrypt the password:
>
>     char *PQencryptPasswordConn(PGconn *conn, const char *passwd,
>                                 const char *user, const char *algorithm);
>
> As we are using psycopg2, support for the above method should be available
> in psycopg2. Ashesh Vashi has already sent a patch to support preparing an
> encrypted password, and they are planning to merge his patch in version 2.8.
> Following is the link to his patch:
> https://github.com/psycopg/psycopg2/pull/576
>
> So when the above patch is merged and released by psycopg2, we will work on
> this feature again and modify the code. I'll update the RM accordingly.

I've pinged Daniele on the tracker to see if we can get clarity on when a
release might happen.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
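Added example, not code from this thread, from pgAdmin, or from psycopg2: it builds the SCRAM-SHA-256 verifier string that PostgreSQL 10 stores for a role (the same format PQencryptPasswordConn emits for the scram-sha-256 algorithm) using only hashlib/hmac, which is what the passlib attempt above was missing. It assumes an ASCII password, so the SASLprep step PostgreSQL applies is the identity; the function and constant names are mine.

```python
import base64
import hashlib
import hmac
import os

# PostgreSQL defaults for scram-sha-256 verifiers: 4096 iterations, 16-byte salt.
SCRAM_ITERATIONS = 4096
SCRAM_SALT_LEN = 16


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def scram_sha256_verifier(password, salt=None, iterations=SCRAM_ITERATIONS):
    """Return 'SCRAM-SHA-256$<iter>:<salt_b64>$<StoredKey_b64>:<ServerKey_b64>'.

    Assumption: password is ASCII, so SASLprep (RFC 4013) changes nothing.
    """
    if salt is None:
        salt = os.urandom(SCRAM_SALT_LEN)
    # RFC 5802: SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, iterations)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()   # what the server keeps
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return "SCRAM-SHA-256$%d:%s$%s:%s" % (
        iterations, _b64(salt), _b64(stored_key), _b64(server_key))


def scram_sha256_check(verifier, password):
    """Recompute the verifier from its own salt/iterations and compare.

    The stored verifier never contains ClientKey, so it only lets a holder
    confirm a candidate password, not authenticate as the user.
    """
    parts = verifier.split("$")
    if len(parts) != 3 or parts[0] != "SCRAM-SHA-256":
        return False
    try:
        iterations, salt_b64 = parts[1].split(":", 1)
        salt = base64.b64decode(salt_b64)
        expected = scram_sha256_verifier(password, salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(expected, verifier)


if __name__ == "__main__":
    v = scram_sha256_verifier("example-password")  # constructed sample input
    print(v)
    print(scram_sha256_check(v, "example-password"))
```

Because PostgreSQL stores a value that is already in SCRAM verifier format as-is regardless of password_encryption, the returned string can be passed as the password literal of ALTER USER through the driver's parameter quoting, and the md5-vs-scram mismatch described in the thread does not arise.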