public inbox for [email protected]
help / color / mirror / Atom feedAutomatic upgrade of passwords from md5 to scram-sha256
6+ messages / 5 participants
[nested] [flat]
* Automatic upgrade of passwords from md5 to scram-sha256
@ 2025-01-12 22:28 Peter J. Holzer <[email protected]>
2025-01-12 22:59 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Tom Lane <[email protected]>
0 siblings, 1 reply; 6+ messages in thread
From: Peter J. Holzer @ 2025-01-12 22:28 UTC (permalink / raw)
To: pgsql-general
I have a PostgreSQL instance where the majority of the passwords is
still stored as MD5 hashes. I'm not particularly worried because they
are all randomly generated and should be reasonably secure against brute
force attacks even with a weak hash, and they're not that valuable
anyway, but it would still be nice if I could upgrade them to
SCRAM-SHA256.
The web framework Django will automatically and transparently rehash any
password with the currently preferred algorithm if it isn't stored that
way already.
Can PostgreSQL do that, too? (I haven't found anything)
If not, would this feature be of general interest?
Looking through chapter 53 of manual I think it would have to
implemented like this:
If the password for the user is stored as an MD5 hash, the server
replies to the startup message with an AuthenticationCleartextPassword
respnse to force the client to send the password in the clear
(obviously you only want to do that if the connection is TLS-encrypted
or otherwise safe from eavesdropping).
The client sends an PasswordMessage with the cleartext password.
The server first checks the password against the stored MD5 hash and
(assuming it's correct) then computes and stores the SCRAM-SHA256 hash, just as if the
user had issued an "alter user password" command. Finally it replies
with an AuthenticationOk message as normal.
The next time the client connects, the server will find and and use the
SCRAM-SHA256 hash.
This feature should only be enabled by a GUC.
Additional question: Do current clients (especially the ODBC client)
even support AuthenticationCleartextPassword by default?
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | [email protected] | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
Attachments:
[application/pgp-signature] signature.asc (833B, 2-signature.asc)
download
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Automatic upgrade of passwords from md5 to scram-sha256
2025-01-12 22:28 Automatic upgrade of passwords from md5 to scram-sha256 Peter J. Holzer <[email protected]>
@ 2025-01-12 22:59 ` Tom Lane <[email protected]>
2025-01-12 23:37 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Bruce Momjian <[email protected]>
2025-01-13 00:15 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Isaac Morland <[email protected]>
2025-01-13 00:17 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Peter J. Holzer <[email protected]>
2025-01-13 17:11 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Joe Conway <[email protected]>
0 siblings, 4 replies; 6+ messages in thread
From: Tom Lane @ 2025-01-12 22:59 UTC (permalink / raw)
To: Peter J. Holzer <[email protected]>; +Cc: pgsql-general
"Peter J. Holzer" <[email protected]> writes:
> The web framework Django will automatically and transparently rehash any
> password with the currently preferred algorithm if it isn't stored that
> way already.
Really? That implies that the framework has access to the original
cleartext password, which is a security fail already.
> Can PostgreSQL do that, too? (I haven't found anything)
No. The server has only the hashed password, it can't reconstruct
the original.
> If the password for the user is stored as an MD5 hash, the server
> replies to the startup message with an AuthenticationCleartextPassword
> respnse to force the client to send the password in the clear
> (obviously you only want to do that if the connection is TLS-encrypted
> or otherwise safe from eavesdropping).
I think this idea is a nonstarter, TLS or not. We're generally moving
in the direction of never letting the server see cleartext passwords.
It's already possible to configure libpq to refuse such requests
(see require_auth parameter), although that hasn't been made the
default.
regards, tom lane
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Automatic upgrade of passwords from md5 to scram-sha256
2025-01-12 22:28 Automatic upgrade of passwords from md5 to scram-sha256 Peter J. Holzer <[email protected]>
2025-01-12 22:59 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Tom Lane <[email protected]>
@ 2025-01-12 23:37 ` Bruce Momjian <[email protected]>
3 siblings, 0 replies; 6+ messages in thread
From: Bruce Momjian @ 2025-01-12 23:37 UTC (permalink / raw)
To: Tom Lane <[email protected]>; +Cc: Peter J. Holzer <[email protected]>; pgsql-general
On Sun, Jan 12, 2025 at 05:59:20PM -0500, Tom Lane wrote:
> > If the password for the user is stored as an MD5 hash, the server
> > replies to the startup message with an AuthenticationCleartextPassword
> > respnse to force the client to send the password in the clear
> > (obviously you only want to do that if the connection is TLS-encrypted
> > or otherwise safe from eavesdropping).
>
> I think this idea is a nonstarter, TLS or not. We're generally moving
> in the direction of never letting the server see cleartext passwords.
> It's already possible to configure libpq to refuse such requests
> (see require_auth parameter), although that hasn't been made the
> default.
Agreed. I think weakening the MD5 handshake to switch to a more secure
hash algorithm is unwise.
--
Bruce Momjian <[email protected]> https://momjian.us
EDB https://enterprisedb.com
Do not let urgent matters crowd out time for investment in the future.
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Automatic upgrade of passwords from md5 to scram-sha256
2025-01-12 22:28 Automatic upgrade of passwords from md5 to scram-sha256 Peter J. Holzer <[email protected]>
2025-01-12 22:59 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Tom Lane <[email protected]>
@ 2025-01-13 00:15 ` Isaac Morland <[email protected]>
3 siblings, 0 replies; 6+ messages in thread
From: Isaac Morland @ 2025-01-13 00:15 UTC (permalink / raw)
To: Tom Lane <[email protected]>; +Cc: Peter J. Holzer <[email protected]>; pgsql-general
On Sun, 12 Jan 2025 at 17:59, Tom Lane <[email protected]> wrote:
> "Peter J. Holzer" <[email protected]> writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really? That implies that the framework has access to the original
> cleartext password, which is a security fail already.
It happens upon user login. If the user's password is hashed with an old
algorithm, it is re-hashed during login when the Django application running
on the Web server has the password sent by the user:
https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading
But of course this only works if the old method in use involves sending the
password to the server.
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Automatic upgrade of passwords from md5 to scram-sha256
2025-01-12 22:28 Automatic upgrade of passwords from md5 to scram-sha256 Peter J. Holzer <[email protected]>
2025-01-12 22:59 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Tom Lane <[email protected]>
@ 2025-01-13 00:17 ` Peter J. Holzer <[email protected]>
3 siblings, 0 replies; 6+ messages in thread
From: Peter J. Holzer @ 2025-01-13 00:17 UTC (permalink / raw)
To: [email protected]
On 2025-01-12 17:59:20 -0500, Tom Lane wrote:
> "Peter J. Holzer" <[email protected]> writes:
> > The web framework Django will automatically and transparently rehash any
> > password with the currently preferred algorithm if it isn't stored that
> > way already.
>
> Really? That implies that the framework has access to the original
> cleartext password, which is a security fail already.
It's a server-side web framework, and it doesn't require JavaScript in
the browser. So the only way it can authenticate the user is by
receiving username and password in a POST request (except for HTTP Basic
or Digest authentication which are both worse, IMHO).
SCRAM could be implemented in an authentication module, it just needs a
SCRAM implementation in JavaScript which can be included in the login
page. Somebody has probably already implemented this, but it's not in
the core distribution.
Anyway, Django is just the inspiration for the idea.
> > Can PostgreSQL do that, too? (I haven't found anything)
>
> No. The server has only the hashed password, it can't reconstruct
> the original.
But it could get the original during login.
> > If the password for the user is stored as an MD5 hash, the server
> > replies to the startup message with an AuthenticationCleartextPassword
> > respnse to force the client to send the password in the clear
> > (obviously you only want to do that if the connection is TLS-encrypted
> > or otherwise safe from eavesdropping).
>
> I think this idea is a nonstarter, TLS or not. We're generally moving
> in the direction of never letting the server see cleartext passwords.
A way to transparently upgrade from MD5 to SCRAM would IMHO be useful
for that. Requesting the clear text password once is IMHO preferable to
being stuck with MD5 until the users decide (or can be forced) to change
their passwords (oh, and if you send an "alter user password" command
the server will also see the clear text password unless the client can
and does) compute the hash).
PostgreSQL's MD5 hash is, as far as I can see, password equivalent. You
don't actually need the original password, only the stored MD5
hash for a successful login:
concat('md5', md5(concat(md5(concat(password, username)), random-salt)))
md5(concat(password, username)) is stored in the pg_shadow table.
That's not good.
> It's already possible to configure libpq to refuse such requests
> (see require_auth parameter), although that hasn't been made the
> default.
If it's not the default there's a decent chance that the users haven't
changed it.
hp
--
_ | Peter J. Holzer | Story must make more sense than reality.
|_|_) | |
| | | [email protected] | -- Charles Stross, "Creative writing
__/ | http://www.hjp.at/ | challenge!"
Attachments:
[application/pgp-signature] signature.asc (833B, 2-signature.asc)
download
^ permalink raw reply [nested|flat] 6+ messages in thread
* Re: Automatic upgrade of passwords from md5 to scram-sha256
2025-01-12 22:28 Automatic upgrade of passwords from md5 to scram-sha256 Peter J. Holzer <[email protected]>
2025-01-12 22:59 ` Re: Automatic upgrade of passwords from md5 to scram-sha256 Tom Lane <[email protected]>
@ 2025-01-13 17:11 ` Joe Conway <[email protected]>
3 siblings, 0 replies; 6+ messages in thread
From: Joe Conway @ 2025-01-13 17:11 UTC (permalink / raw)
To: Tom Lane <[email protected]>; Peter J. Holzer <[email protected]>; +Cc: pgsql-general
On 1/12/25 17:59, Tom Lane wrote:
> "Peter J. Holzer" <[email protected]> writes:
>> The web framework Django will automatically and transparently rehash any
>> password with the currently preferred algorithm if it isn't stored that
>> way already.
>
> Really? That implies that the framework has access to the original
> cleartext password, which is a security fail already.
>
>> Can PostgreSQL do that, too? (I haven't found anything)
>
> No. The server has only the hashed password, it can't reconstruct
> the original.
>
>> If the password for the user is stored as an MD5 hash, the server
>> replies to the startup message with an AuthenticationCleartextPassword
>> respnse to force the client to send the password in the clear
>> (obviously you only want to do that if the connection is TLS-encrypted
>> or otherwise safe from eavesdropping).
>
> I think this idea is a nonstarter, TLS or not. We're generally moving
> in the direction of never letting the server see cleartext passwords.
> It's already possible to configure libpq to refuse such requests
> (see require_auth parameter), although that hasn't been made the
> default.
<hand-wavy-thought>
Given PQchangePassword[1] in pg17, I wonder if the next step could be to
have libpq somehow know/detect that an algorithm change is needed and
execute that (or some equivalent) from the client side? And presumably
we could ask pgjdbc to implement something similar.
</hand-wavy-thought>
Joe
[1]
https://www.postgresql.org/docs/17/libpq-misc.html#LIBPQ-PQCHANGEPASSWORD
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
^ permalink raw reply [nested|flat] 6+ messages in thread
end of thread, other threads:[~2025-01-13 17:11 UTC | newest]
Thread overview: 6+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-01-12 22:28 Automatic upgrade of passwords from md5 to scram-sha256 Peter J. Holzer <[email protected]>
2025-01-12 22:59 ` Tom Lane <[email protected]>
2025-01-12 23:37 ` Bruce Momjian <[email protected]>
2025-01-13 00:15 ` Isaac Morland <[email protected]>
2025-01-13 00:17 ` Peter J. Holzer <[email protected]>
2025-01-13 17:11 ` Joe Conway <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox