From: Akshay Joshi
Date: Mon, 2 Apr 2018 15:32:57 +0530
Subject: Regarding RM #2214 SCRAM Authentication for Change Password
To: pgadmin-hackers

Hi Hackers,

As a part of RM #2214, we will have to support SCRAM authentication. Users will be able to log in, but the problem is that "Change Password" for the database server won't work, as we are encrypting the new password using md5 and setting the new password using the "ALTER USER <user> WITH ENCRYPTED PASSWORD <pwd>" query.

If password_encryption = scram-sha-256 in the postgresql.conf file, then it will change the password with md5 encryption, which is not correct, and the user won't be able to log in using the changed password. I have tried previously (almost 12 months ago) and tried the following again:

    import hashlib
    from passlib.hash import scram

    scram.default_rounds = 4096
    # extract_digest_info() returns (salt, rounds, digest) for the named algorithm
    digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')
    salt = digest_info[0]
    rounds = digest_info[1]
    secret = digest_info[2]
    salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)

but was not able to encrypt the password for SCRAM.

There is a new method introduced in PostgreSQL 10 to encrypt the password:

    char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);

As we are using psycopg2, support for the above method should be available in psycopg2. Ashesh Vashi has already sent the patch to support preparing the encrypted password, and they are planning to merge his patch in version 2.8. Following is the link to his patch:

https://github.com/psycopg/psycopg2/pull/576

So when the above patch is merged and released by psycopg2, we will work on this feature again and modify the code. I'll update the RM accordingly.

Suggestions/Comments?

--
Akshay Joshi
Sr. Software Architect
Phone: +91 20-3058-9517
Mobile: +91 976-788-8246