public inbox for [email protected]
help / color / mirror / Atom feedFrom: Akshay Joshi <[email protected]>
To: pgadmin-hackers <[email protected]>
Subject: Regarding RM #2214 SCRAM Authentication for Change Password
Date: Mon, 2 Apr 2018 15:32:57 +0530
Message-ID: <CANxoLDfAR+0_JiGiQq3GUZe9cB_4m68c2H0nuRqU9shR7NC47w@mail.gmail.com> (raw)
Hi Hackers,
As a part of RM #2214, we will have to support SCRAM authentication. User
will be able to login, but the problem is with "Change Password" of
database server won't work, as we are encrypting new password using md5 and
set the new password using "*ALTER USER <user> WITH ENCRYPTED PASSWORD
<pwd>*" query.
If password_encryption = scram-sha-256 in postgresql.conf file then it will
change the password with md5 encryption which is not correct and user won't
be able to login using changed password. I have tried previously (almost
12 months ago) and tried following again
from passlib.hash import scram
scram.default_rounds = 4096
digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')
salt = digest_info[0]
rounds = digest_info[1]
secret = digest_info[2]
salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)
but not able to encrypt the password for SCRAM.
There is new method introduce in PostgreSQL 10 to encrypt the password:
char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const
char *user, const char *algorithm);
As we are using psycopg2, so the support for the above method should be
available in psycopg2. *Ashesh* *Vashi* has already send the patch to
support for preparing encrypted password and they are planning to merge his
patch in version 2.8. Following is the link of his patch
https://github.com/psycopg/psycopg2/pull/576
So when the above patch will be merged and released by psycopg2, we will
work on this feature again and modified the code. I'll update the RM
accordingly.
Suggestion/ Comments?
--
*Akshay Joshi*
*Sr. Software Architect *
*Phone: +91 20-3058-9517Mobile: +91 976-788-8246*
view thread (2+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected]
Subject: Re: Regarding RM #2214 SCRAM Authentication for Change Password
In-Reply-To: <CANxoLDfAR+0_JiGiQq3GUZe9cB_4m68c2H0nuRqU9shR7NC47w@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox