Re: Automatic upgrade of passwords from md5 to scram-sha256

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Ron Johnson <[email protected]>
To: [email protected]
Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256
Date: Mon, 13 Jan 2025 20:09:41 -0500
Message-ID: <CANzqJaCuKWr+S8gR3WDFESnep=ogwcqhihSVD5w3BuvXk3GYSw@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<CANzqJaDxwg_zS3LKZPq1Yj_sJV-T_qWT=mCF-ptEOcDHUJ+nzQ@mail.gmail.com>
	<[email protected]>

On Mon, Jan 13, 2025 at 3:41 PM Peter J. Holzer <[email protected]> wrote:

> On 2025-01-13 12:19:06 -0500, Ron Johnson wrote:
> > On Sun, Jan 12, 2025 at 5:59 PM Tom Lane <[email protected]> wrote:
> >  [snip]
> >
> >     I think this idea is a nonstarter, TLS or not.  We're generally
> moving
> >     in the direction of never letting the server see cleartext passwords.
> >     It's already possible to configure libpq to refuse such requests
> >     (see require_auth parameter), although that hasn't been made the
> >     default.
> >
> >
> > ALTER ROLE xxx WITH PASSWORD accepts hashed values, so a client with the
> > SCRAM-SHA algorithm could:
> > 1. remember the password that was just used to log in,
> > 2. generate the new hash,
> > 3. send that as an ALTER ROLE statement.
>
> Modifying the client to re-set the password is actually something I
> thought about. There are some technical unknowns (e.g. is
> PQencryptPasswordConn accessible through ODBC?) and some organisational
> difficulties (e.g. can we get the customers to upgrade to the newest
> version?), but I guess in our case it would be doable. But in general
> changing every to client to upgrade the password doesn't seem feasible.
> Unless maybe you are proposing that libpq should do that? That might
> work, but it probably also shouldn't do it by default.
>

That seems to me to be the fastest way to get the feature out to users.
(JDBC would also need it.)

Then clients like psql, pgAdmin, etc would need to add those calls.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

view thread (3+ messages)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256
  In-Reply-To: <CANzqJaCuKWr+S8gR3WDFESnep=ogwcqhihSVD5w3BuvXk3GYSw@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox