* Regarding RM #2214 SCRAM Authentication for Change Password
@ 2018-04-02 10:02 Akshay Joshi <[email protected]>
2018-04-03 10:09 ` Re: Regarding RM #2214 SCRAM Authentication for Change Password Dave Page <[email protected]>
0 siblings, 1 reply; 2+ messages in thread
From: Akshay Joshi @ 2018-04-02 10:02 UTC (permalink / raw)
To: pgadmin-hackers
Hi Hackers,

As a part of RM #2214, we will have to support SCRAM authentication. Users
will be able to log in, but the problem is that "Change Password" for the
database server won't work, as we are encrypting the new password using md5 and
setting the new password using the "*ALTER USER <user> WITH ENCRYPTED PASSWORD
<pwd>*" query.

If password_encryption = scram-sha-256 in the postgresql.conf file then it will
change the password with md5 encryption, which is not correct, and the user won't
be able to log in using the changed password. I have tried previously (almost
12 months ago) and tried the following again:

    import hashlib

    from passlib.hash import scram

    scram.default_rounds = 4096
    # extract_digest_info() returns (salt, rounds, digest) for the named algorithm
    digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')

    salt = digest_info[0]
    rounds = digest_info[1]
    secret = digest_info[2]

    salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)

but I was not able to encrypt the password for SCRAM.

There is a new method introduced in PostgreSQL 10 to encrypt the password:

    char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);

As we are using psycopg2, support for the above method should be
available in psycopg2. *Ashesh* *Vashi* has already sent a patch to
support preparing the encrypted password, and they are planning to merge his
patch in version 2.8. The following is the link to his patch:
https://github.com/psycopg/psycopg2/pull/576

So when the above patch is merged and released by psycopg2, we will
work on this feature again and modify the code. I'll update the RM
accordingly.

Suggestions/Comments?
--
*Akshay Joshi*
*Sr. Software Architect *
*Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*
* Re: Regarding RM #2214 SCRAM Authentication for Change Password
2018-04-02 10:02 Regarding RM #2214 SCRAM Authentication for Change Password Akshay Joshi <[email protected]>
@ 2018-04-03 10:09 ` Dave Page <[email protected]>
0 siblings, 0 replies; 2+ messages in thread
From: Dave Page @ 2018-04-03 10:09 UTC (permalink / raw)
To: Akshay Joshi <[email protected]>; +Cc: pgadmin-hackers
Hi
On Mon, Apr 2, 2018 at 11:02 AM, Akshay Joshi <[email protected]> wrote:
> Hi Hackers,
>
> As a part of RM #2214, we will have to support SCRAM authentication. Users
> will be able to log in, but the problem is that "Change Password" for the
> database server won't work, as we are encrypting the new password using md5 and
> setting the new password using the "*ALTER USER <user> WITH ENCRYPTED PASSWORD
> <pwd>*" query.
>
> If password_encryption = scram-sha-256 in the postgresql.conf file then it
> will change the password with md5 encryption, which is not correct, and the user
> won't be able to log in using the changed password. I have tried previously
> (almost 12 months ago) and tried the following again:
>
>     import hashlib
>
>     from passlib.hash import scram
>
>     scram.default_rounds = 4096
>     # extract_digest_info() returns (salt, rounds, digest) for the named algorithm
>     digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')
>
>     salt = digest_info[0]
>     rounds = digest_info[1]
>     secret = digest_info[2]
>
>     salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)
>
> but I was not able to encrypt the password for SCRAM.
>
Because you get a different hash than you'd get from libpq, or some other
problem?
>
> There is a new method introduced in PostgreSQL 10 to encrypt the password:
>
>     char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);
>
> As we are using psycopg2, support for the above method should be
> available in psycopg2. *Ashesh* *Vashi* has already sent a patch to
> support preparing the encrypted password, and they are planning to merge his
> patch in version 2.8. The following is the link to his patch:
> https://github.com/psycopg/psycopg2/pull/576
>
> So when the above patch is merged and released by psycopg2, we will
> work on this feature again and modify the code. I'll update the RM
> accordingly.
>
I've pinged Daniele on the tracker to see if we can get clarity on when a
release might happen.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
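
Added example (not part of either message, and not pgAdmin, psycopg2 or libpq code): building a PostgreSQL 10+ SCRAM-SHA-256 verifier, the kind of string PQencryptPasswordConn returns, with only the Python standard library, plus a check that a password matches a stored verifier. The function names are hypothetical, and an ASCII password is assumed so that SASLprep normalisation can be skipped.

```python
import base64
import hashlib
import hmac
import os


def salted_password(password, salt, iterations):
    # SaltedPassword := Hi(password, salt, i): one PBKDF2-HMAC-SHA-256 pass over
    # the plaintext. Running PBKDF2 again over an already-derived digest gives a
    # different key, so the verifier would not match what the server computes.
    # Assumption: ASCII password, so SASLprep normalisation is a no-op.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def scram_sha256_verifier(password, salt=None, iterations=4096):
    """Return 'SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>' (RFC 5802 keys)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    key = salted_password(password, salt, iterations)
    client_key = hmac.new(key, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(key, b"Server Key", hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return "SCRAM-SHA-256${}:{}${}:{}".format(
        iterations, enc(salt), enc(stored_key), enc(server_key))


def check_password(password, verifier):
    """Recompute the verifier with the stored salt and iteration count."""
    if verifier.count("$") != 2:
        return False  # not in SCRAM verifier format (for example an md5 hash)
    scheme, params, _keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256" or params.count(":") != 1:
        return False
    iterations, salt_b64 = params.split(":")
    candidate = scram_sha256_verifier(
        password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    sample = scram_sha256_verifier("correct horse")  # constructed sample password
    print(sample)
    print(check_password("correct horse", sample), check_password("wrong", sample))
```

PostgreSQL stores a password string that is already in this format as-is, so the result can be passed to ALTER USER ... PASSWORD without the plaintext reaching the server or its logs.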