Date: Thu, 28 May 2020 13:09:50 -0400
From: Stephen Frost
To: Christoph Berg, Peter Eisentraut, Devrim Gündüz, Craig Ringer, pgsql-pkg-yum
Subject: Re: Can we stop defaulting to 'md5'?
Message-ID: <20200528170950.GB6680@tamriel.snowman.net>
In-Reply-To: <20200528165205.GC107313@msg.df7cb.de>
References: <20200520163509.GG3418@tamriel.snowman.net> <20200520153337.GE3418@tamriel.snowman.net> <20200528163856.GB107313@msg.df7cb.de> <20200528164404.GA6680@tamriel.snowman.net> <20200528165205.GC107313@msg.df7cb.de>

Greetings,

* Christoph Berg (myon@debian.org) wrote:
> Re: Stephen Frost
> > > Why do I have to decide *in pg_hba.conf* which hash algorithm is used?
> >
> > Where else would you decide..?
>
> Connections could just use whatever hash is used for the username in pg_authid. There's no reason to expose that detail in pg_hba.conf.

Ok, so, that's currently what the 'md5' setting does. The scram-sha-256 setting is intended to be used to force scram-sha-256 connections and to not allow md5 or other ones.

> > > Why can't that just be "password"?
> >
> > What would that mean?
>
> The above.

So.. it'd be an alias for md5, basically. I don't think that's actually a great answer overall, as people will want an option that disallows non-scram password hash usage.

> > > Getting this mess fixed would be good for security because then people will likely start using scram.
> >
> > That's certainly true, though I hope we can convince people to use SCRAM even given the modest effort required.
>
> It's not modest. Or else this thread wouldn't have 20 mails.

This is about the default, not about convincing an individual person or organization.
> > The point here though, really, is that *new* installations of PG have very little reason to not use SCRAM. The question on upgrades is different, but that can be addressed with pg_upgradecluster, I would think, without much trouble.
>
> In pg_createcluster, if I move pg_hba.conf and password_encryption to scram, and I restore a dump from an older PG major, can people continue to connect using their passwords? From what I got above, the answer is "no".

That really depends on what exactly is in the dump file. If the contents of the dump file include md5 hashes then those roles wouldn't be able to log in. If the contents have SCRAM-based hashes, then sure. Is that a huge issue? Not in my view - it'd be pretty clear quite quickly that they couldn't log in, and why, and that'd be easy to fix - they could manually adjust the pg_hba.conf, if they want to, or update those passwords to be scram.

> Should I only set password_encryption to scram and keep advertising md5 as the sane default for pg_hba.conf?

That would allow the above scenario to work, though I don't feel the "what if they restore a pg_dumpall to perform an upgrade, and don't use pg_upgradecluster" to be a terribly interesting case to stress about making everything work perfectly - they'll very likely already be having to adjust their pg_hba.conf for other reasons, as well as their postgresql.conf for various settings. Restoring a pg_dumpall dump (which is what you're talking about here really, of course) has never done anything for config files.
Thanks,

Stephen
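The scenario the two of them discuss, a pg_dumpall taken on an md5-era cluster restored into a cluster whose pg_hba.conf now says scram-sha-256, can be checked before the restore rather than discovered at first login. The script below is an added example, written for this archive page; it is not part of either mail nor of the postgresql-common tooling. It scans the role section of a pg_dumpall output for `ALTER ROLE ... PASSWORD '...'` statements and classifies each stored verifier by its prefix: `md5` plus 32 hex digits for the old scheme, `SCRAM-SHA-256$iterations:salt$StoredKey:ServerKey` for the new one. A role whose verifier is md5 cannot authenticate through an hba line with method `scram-sha-256`, while method `md5` accepts both kinds (the server switches to the SCRAM exchange for SCRAM-stored roles), which is exactly the behaviour Stephen describes above. The dump excerpt embedded in the script is constructed; the hash and key values in it are placeholders, not real verifiers.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of the role section of a pg_dumpall output: "app" was
# created while password_encryption was still md5, "Report Reader" after it
# was switched to scram-sha-256, and the other two roles have no password.
# The md5 digest and the SCRAM salt/keys below are placeholders, not real
# verifiers.
SAMPLE_DUMP = """\
--
-- Roles
--

CREATE ROLE app;
ALTER ROLE app WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'md5d41d8cd98f00b204e9800998ecf8427e';
CREATE ROLE "Report Reader";
ALTER ROLE "Report Reader" WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'SCRAM-SHA-256$4096:c2FsdHNhbHRzYWx0c2FsdA==$c3RvcmVka2V5c3RvcmVka2V5c3RvcmVka2V5c3RvcmVkaw==:c2VydmVya2V5c2VydmVya2V5c2VydmVya2V5c2VydmVya2U=' VALID UNTIL 'infinity';
CREATE ROLE batch;
ALTER ROLE batch WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN NOREPLICATION NOBYPASSRLS;
CREATE ROLE postgres;
ALTER ROLE postgres WITH SUPERUSER INHERIT CREATEROLE CREATEDB LOGIN REPLICATION BYPASSRLS;
"""

# One ALTER ROLE statement per line, as pg_dumpall writes them. The role name
# is either a bare identifier or a double-quoted one (with "" as an escaped quote).
ALTER_ROLE_RE = re.compile(r'^ALTER ROLE (?P<name>"(?:[^"]|"")+"|\w+) WITH (?P<opts>.*?);\s*$')
# The verifier is a single-quoted SQL literal somewhere in the option list.
PASSWORD_RE = re.compile(r"PASSWORD '(?P<verifier>(?:[^']|'')*)'")
# Shapes of the two verifier formats PostgreSQL stores in pg_authid.rolpassword.
MD5_RE = re.compile(r'^md5[0-9a-f]{32}$')
SCRAM_RE = re.compile(r'^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$')


def unquote_identifier(name: str) -> str:
    """Strip SQL double quotes from an identifier and unescape doubled quotes."""
    if name.startswith('"') and name.endswith('"'):
        return name[1:-1].replace('""', '"')
    return name


def classify_verifier(verifier: str) -> str:
    """Return 'md5', 'scram-sha-256' or 'unknown' for a stored password verifier."""
    if MD5_RE.match(verifier):
        return 'md5'
    if SCRAM_RE.match(verifier):
        return 'scram-sha-256'
    return 'unknown'


def scan_dump(dump_text: str) -> Dict[str, str]:
    """Map every role in a pg_dumpall output to the kind of verifier it carries.

    Roles whose ALTER ROLE line has no PASSWORD clause are reported as 'none';
    they cannot use password authentication under any hba method.
    """
    kinds: Dict[str, str] = {}
    for line in dump_text.splitlines():
        m = ALTER_ROLE_RE.match(line)
        if not m:
            continue
        name = unquote_identifier(m.group('name'))
        pw = PASSWORD_RE.search(m.group('opts'))
        kinds[name] = classify_verifier(pw.group('verifier')) if pw else 'none'
    return kinds


def roles_locked_out_by(kinds: Dict[str, str], hba_method: str) -> List[str]:
    """Roles that would fail password authentication through a pg_hba.conf line
    using hba_method once this dump is restored.

    'md5' lets both md5- and SCRAM-stored roles in (the server falls back to the
    SCRAM exchange for SCRAM verifiers); 'scram-sha-256' refuses md5-stored roles.
    """
    if hba_method == 'md5':
        return []
    if hba_method == 'scram-sha-256':
        return sorted(role for role, kind in kinds.items() if kind == 'md5')
    raise ValueError(f'unsupported hba method: {hba_method}')


if __name__ == '__main__':
    # Usage: python check_dump_verifiers.py [path-to-pg_dumpall-output]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    kinds = scan_dump(text)
    for role, kind in sorted(kinds.items()):
        print(f'{role:20s} {kind}')
    stuck = roles_locked_out_by(kinds, 'scram-sha-256')
    print('locked out under scram-sha-256:', ', '.join(stuck) if stuck else 'nobody')
```

Run against the constructed sample, the report lists `app` as the only role that would be locked out by a scram-sha-256 hba line, which is the case where one either keeps `md5` as the method in pg_hba.conf for the transition or re-sets those roles' passwords (with password_encryption already at scram-sha-256, so the new verifiers are SCRAM) before tightening the method. Point it at a real dump file to get the same report for an actual upgrade.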