Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tXO5x-0062dA-KW for pgsql-general@arkaria.postgresql.org; Mon, 13 Jan 2025 17:19:22 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1tXO5w-00BkqB-5k for pgsql-general@arkaria.postgresql.org; Mon, 13 Jan 2025 17:19:20 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1tXO5v-00Bkq3-Py for pgsql-general@lists.postgresql.org; Mon, 13 Jan 2025 17:19:20 +0000 Received: from mail-oa1-x30.google.com ([2001:4860:4864:20::30]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1tXO5v-000DXQ-0M for pgsql-general@postgresql.org; Mon, 13 Jan 2025 17:19:19 +0000 Received: by mail-oa1-x30.google.com with SMTP id 586e51a60fabf-29ff039dab2so2385016fac.3 for ; Mon, 13 Jan 2025 09:19:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1736788758; x=1737393558; darn=postgresql.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=Qrh8oYp/aLTxoef5dh28LHa54ed1214kYC9cSsrOtp0=; b=X+8ItANPFPxvaioxRGpfe4DWxkjiXs1185wJKdMWNtxu1kscVzrht1Zy/fL8gKLS/9 VofixpEpdIXQS5nBpfpZMvWHppLVuFD1AdxHbvJ7iAgJuJbKwX4oEaXlIMf9Kp+7wZV/ YMtBX3anVnf9YhBkNw6XybHnE1rmCpcDwDcpw7D4hfZSa5Jn6/HW116y63Mgetyvk1JB ozQSI9QoIi/4FhABnCDta/t6b4uirUQRr6BFiIKo3rkfzHUL3shen5fDsifw33ob9Ffg pKDySHMCgNzi0P+qiVyrrukd+QQZphFg5V4ixBzp8QHlqi2z3TlLJzNTf34/7AGuJNWj 5YHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1736788758; x=1737393558; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Qrh8oYp/aLTxoef5dh28LHa54ed1214kYC9cSsrOtp0=; b=E20BFKRvbAKSUY3fC/pLWlhyWKaDf+kGChdXYQZS17QOleoAcwLn9brjDB2BY9nq4w ywWj3XP5GGqt13XMG2ZyAekNyZk6nbTyiwAl9yxsJv9wR4RJpgjYm6a5VtyeU8wX9/vw O2SA2RirlxVv+a4SDDrsWH1Z4/JfhtJBaCQbc+HlAYEt+7roRl/tHwvecbGvUbMsDvw/ d9g+8O5cuOzQ+E657PV0u2hpMtNBhjjik6FPh0YxJR8yQfmfMNwq4sZcFHxtJGMTl6vL FuiszKJcE39uekSsox0Cx2N0lc0mGxGqIqcOr969LiwJW3jSM3YL58jmtNs7WJAlvTne ULiw== X-Gm-Message-State: AOJu0YxzbO+EcyRht5+Ffc2jQd4fqN/YbnOYnOlECm+xr+Rf4DT0sxp2 AF4Qy0jH1ft5aYL/Rc1AJRVMfTe7sAko8vgunWAtF/jusNSgUG3YJWpMOs9o8nomgl5lJTa/2U3 EPDYZ2O4Ys1IAtXNwvmxAxLCP9KshvQ== X-Gm-Gg: ASbGncuYcUPkk6BIEtZpgOLcc82rkjh9bsvGcuAsDY2fGbtRhUV1RJxfWJ3vxpvpvPK 7dX/uIxASLiZoI8hKgOpPZzxkHVtqpF34UVDy5XU= X-Google-Smtp-Source: AGHT+IEYttwLKXROKGWd15hARjz+bVYwY5SWKquq/ypky7fCbaTUIMQus3XOawO1xkdjxCGfLyMIp/CJ0PRbgXPvgKg= X-Received: by 2002:a05:6870:2dc5:b0:29e:311c:f51a with SMTP id 586e51a60fabf-2aa06080912mr11881569fac.0.1736788757740; Mon, 13 Jan 2025 09:19:17 -0800 (PST) MIME-Version: 1.0 References: <20250112222828.b36hpzm3ulfzlkws@hjp.at> <372571.1736722760@sss.pgh.pa.us> In-Reply-To: <372571.1736722760@sss.pgh.pa.us> From: Ron Johnson Date: Mon, 13 Jan 2025 12:19:06 -0500 X-Gm-Features: AbW1kvY3zs7fRP_gXdleb5w6Q0pBSICkYUChoBj2BuNG-OSf-gCEq8IydE-tS1E Message-ID: Subject: Re: Automatic upgrade of passwords from md5 to scram-sha256 To: pgsql-general Content-Type: multipart/alternative; boundary="000000000000f485aa062b99a404" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000f485aa062b99a404 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sun, Jan 12, 2025 at 5:59=E2=80=AFPM Tom Lane wrote: [snip] > I think this idea is a nonstarter, TLS or not. We're generally moving > in the direction of never letting the server see cleartext passwords. > It's already possible to configure libpq to refuse such requests > (see require_auth parameter), although that hasn't been made the > default. > ALTER ROLE xxx WITH PASSWORD accepts hashed values, so a client with the SCRAM-SHA algorithm could: 1. remember the password that was just used to log in, 2. generate the new hash, 3. send that as an ALTER ROLE statement. Anything which shows up in the logs would be no different than when someone types ALTER ROLE ... WITH PASSWORD from the psql prompt. --=20 Death to , and butter sauce. Don't boil me, I'm still alive. lobster! --000000000000f485aa062b99a404 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Sun, Jan 12, 2025 at = 5:59=E2=80=AFPM Tom Lane <tgl@sss.pgh.pa.us> wrote:
<= div>=C2=A0[snip]
I t= hink this idea is a nonstarter, TLS or not.=C2=A0 We're generally movin= g
in the direction of never letting the server see cleartext passwords.
It's already possible to configure libpq to refuse such requests
(see require_auth parameter), although that hasn't been made the
default.

ALTER ROLE= xxx WITH PASSWORD accepts hashed values, so a client with the SCRAM-SHA al= gorithm could:
1. remember the password that was just used to log= in,
2. generate the new hash,=C2=A0
3. send that as an= ALTER ROLE statement.

Anything which shows up in = the logs would be no different than when someone types ALTER ROLE ... WITH = PASSWORD from the psql prompt.

--
Death to <Redacted>, and butter sauce.
Don't bo= il me, I'm still alive.
<Redacted> lobster!
--000000000000f485aa062b99a404--