From: Adrian Klaver <[email protected]>
To: Bharani SV-forum <[email protected]>
To: Greg Sabino Mullane <[email protected]>
To: Ron Johnson <[email protected]>
Cc: pgsql-general <[email protected]>
Subject: Re: Help in vetting Switch from "MD5" to "scram-sha-256" - during DB Upgrade from EC2- PGS - Community Edn ver 13.X to 15.X
Date: Thu, 6 Feb 2025 19:16:45 -0800
On 2/6/25 18:03, Bharani SV-forum wrote:
> Adrian
> TQ for your valuable inputs.
>
> *Additional Qsn*
>
> Assume DB ver = 15.X
>
> By default encryption = scram-sha-256, Assume pg_hba.conf is quoted the
> usage as MD5 for the
> dbuserid "test_usr_1"
>
> *e.g.)*
>
> hostssl all test_usr_1 10.20.30.40 md5
>
> i.e.)
> Assume if the respective db userid (e.g test_usr_1) is quoted for usage
> md5, in pg_hba.conf, No Need to Change, the respective *Role/Userid
> password mandatorily.* DB System will allow to use existing password
> with the old MD5 passwords still work, as long as the authentication
> method in pg_hba.conf is set to md5
Yes.
It gives you time to switch the passwords to scram-sha-256 encryption
after you do the migration. In other words you can have both md5 and
scram-sha-256 passwords in use without changing the pg_hba.conf lines.
Once the transition to scram-sha-256 is done then you can change the
lines to scram-sha-256 and that will prevent use of md5 passwords going
forward.
>
> e.g.) hostssl all LOGS_USER_1 10.9.0.0/21 md5
>
> Is there any security problem due to usage of md5 in the pg_hba.conf
> file with underlying db =15.X ?
You are currently using it, have there been any issues?
If not then moving to Postgres 15 won't change that.
>
> I am aware,
> (a) *MD5 hash algorithm is nowadays no longer considered secure against
> determined attacks.*
> *(a) MD5 method cannot be used with the db_user_namespace feature.*
>
--
Adrian Klaver
[email protected]
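
The transition described in the reply above can be tracked per pg_hba.conf rule. The following is an added example, not part of the thread and not PostgreSQL tooling: it reports which `md5` rules can already be changed to `scram-sha-256`. It assumes `roles` was exported from `SELECT rolname, rolpassword FROM pg_authid` and that host rules use CIDR addresses; the function names, sample rules and hash values are constructed.

```python
import re

MD5_RE = re.compile(r"md5[0-9a-f]{32}")

def hash_kind(rolpassword):
    """Classify a pg_authid.rolpassword value by its stored format."""
    if not rolpassword:
        return "none"                       # role has no password set
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram"
    return "md5" if MD5_RE.fullmatch(rolpassword) else "unknown"

def md5_rules(hba_text):
    """Yield (line_no, user_field) for pg_hba.conf rules whose method is md5."""
    for no, raw in enumerate(hba_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        # local: TYPE DB USER METHOD; host*: TYPE DB USER CIDR METHOD (assumed)
        idx = 3 if f[0] == "local" else 4
        if len(f) > idx and f[idx] == "md5":
            yield no, f[2]

def switch_plan(hba_text, roles):
    """Map each md5 rule to ("switch" | "wait" | "review", roles not yet on SCRAM)."""
    plan = {}
    for no, users in md5_rules(hba_text):
        names = users.split(",")
        if any(n.startswith(("+", "@")) for n in names):
            plan[no] = ("review", [])       # group or file reference: check by hand
            continue
        if users == "all":
            names = list(roles)
        blocked = sorted(n for n in names
                         if hash_kind(roles.get(n)) in ("md5", "unknown"))
        plan[no] = ("wait", blocked) if blocked else ("switch", [])
    return plan

# Constructed sample data; the hash values are placeholders, not real verifiers.
HBA = """\
# constructed sample, CIDR addresses assumed
hostssl all test_usr_1  10.20.30.40/32 md5
hostssl all logs_user_1 10.9.0.0/21    md5
hostssl all all         10.0.0.0/8     scram-sha-256
"""
ROLES = {
    "test_usr_1": "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy",
    "logs_user_1": "md5" + "0123456789abcdef" * 2,
}

if __name__ == "__main__":
    for line_no, (verdict, blocked) in switch_plan(HBA, ROLES).items():
        print(line_no, verdict, blocked)
```

A rule marked "wait" lists the roles whose passwords still need to be reset with `password_encryption` set to `scram-sha-256` before that line's method is changed.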