Skip to content

Commit c7eab0e

Browse files
peterepetere
committed
Change default of password_encryption to scram-sha-256
Also, the legacy values on/true/yes/1 for password_encryption that mapped to md5 are removed. The only valid values are now scram-sha-256 and md5. Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org> Discussion: https://www.postgresql.org/message-id/flat/d5b0ad33-7d94-bdd1-caac-43a1c782cab2%402ndquadrant.com
1 parent 5a4ada7 commit c7eab0e

File tree

7 files changed

+23
-31
lines changed

7 files changed

+23
-31
lines changed

doc/src/sgml/config.sgml

+5-5
Original file line numberDiff line numberDiff line change
@@ -1013,11 +1013,11 @@ include_dir 'conf.d'
10131013
<listitem>
10141014
<para>
10151015
When a password is specified in <xref linkend="sql-createrole"/> or
1016-
<xref linkend="sql-alterrole"/>, this parameter determines the algorithm
1017-
to use to encrypt the password. The default value is <literal>md5</literal>,
1018-
which stores the password as an MD5 hash (<literal>on</literal> is also
1019-
accepted, as alias for <literal>md5</literal>). Setting this parameter to
1020-
<literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256.
1016+
<xref linkend="sql-alterrole"/>, this parameter determines the
1017+
algorithm to use to encrypt the password. Possible values are
1018+
<literal>scram-sha-256</literal>, which will encrypt the password with
1019+
SCRAM-SHA-256, and <literal>md5</literal>, which stores the password
1020+
as an MD5 hash. The default is <literal>scram-sha-256</literal>.
10211021
</para>
10221022
<para>
10231023
Note that older clients might lack support for the SCRAM authentication

src/backend/commands/user.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ Oid binary_upgrade_next_pg_authid_oid = InvalidOid;
4343

4444

4545
/* GUC parameter */
46-
int Password_encryption = PASSWORD_TYPE_MD5;
46+
int Password_encryption = PASSWORD_TYPE_SCRAM_SHA_256;
4747

4848
/* Hook to check passwords in CreateRole() and AlterRole() */
4949
check_password_hook_type check_password_hook = NULL;

src/backend/utils/misc/guc.c

+1-10
Original file line numberDiff line numberDiff line change
@@ -463,18 +463,9 @@ static const struct config_enum_entry plan_cache_mode_options[] = {
463463
{NULL, 0, false}
464464
};
465465

466-
/*
467-
* password_encryption used to be a boolean, so accept all the likely
468-
* variants of "on", too. "off" used to store passwords in plaintext,
469-
* but we don't support that anymore.
470-
*/
471466
static const struct config_enum_entry password_encryption_options[] = {
472467
{"md5", PASSWORD_TYPE_MD5, false},
473468
{"scram-sha-256", PASSWORD_TYPE_SCRAM_SHA_256, false},
474-
{"on", PASSWORD_TYPE_MD5, true},
475-
{"true", PASSWORD_TYPE_MD5, true},
476-
{"yes", PASSWORD_TYPE_MD5, true},
477-
{"1", PASSWORD_TYPE_MD5, true},
478469
{NULL, 0, false}
479470
};
480471

@@ -4733,7 +4724,7 @@ static struct config_enum ConfigureNamesEnum[] =
47334724
NULL
47344725
},
47354726
&Password_encryption,
4736-
PASSWORD_TYPE_MD5, password_encryption_options,
4727+
PASSWORD_TYPE_SCRAM_SHA_256, password_encryption_options,
47374728
NULL, NULL, NULL
47384729
},
47394730

src/backend/utils/misc/postgresql.conf.sample

+1-1
Original file line numberDiff line numberDiff line change
@@ -88,7 +88,7 @@
8888
# - Authentication -
8989

9090
#authentication_timeout = 1min # 1s-600s
91-
#password_encryption = md5 # md5 or scram-sha-256
91+
#password_encryption = scram-sha-256 # scram-sha-256 or md5
9292
#db_user_namespace = off
9393

9494
# GSSAPI using Kerberos

src/bin/initdb/initdb.c

+11-10
Original file line numberDiff line numberDiff line change
@@ -1204,12 +1204,18 @@ setup_config(void)
12041204
"#update_process_title = off");
12051205
#endif
12061206

1207-
if (strcmp(authmethodlocal, "scram-sha-256") == 0 ||
1208-
strcmp(authmethodhost, "scram-sha-256") == 0)
1207+
/*
1208+
* Change password_encryption setting to md5 if md5 was chosen as an
1209+
* authentication method, unless scram-sha-256 was also chosen.
1210+
*/
1211+
if ((strcmp(authmethodlocal, "md5") == 0 &&
1212+
strcmp(authmethodhost, "scram-sha-256") != 0) ||
1213+
(strcmp(authmethodhost, "md5") == 0 &&
1214+
strcmp(authmethodlocal, "scram-sha-256") != 0))
12091215
{
12101216
conflines = replace_token(conflines,
1211-
"#password_encryption = md5",
1212-
"password_encryption = scram-sha-256");
1217+
"#password_encryption = scram-sha-256",
1218+
"password_encryption = md5");
12131219
}
12141220

12151221
/*
@@ -2373,12 +2379,7 @@ check_need_password(const char *authmethodlocal, const char *authmethodhost)
23732379
strcmp(authmethodhost, "scram-sha-256") == 0) &&
23742380
!(pwprompt || pwfilename))
23752381
{
2376-
pg_log_error("must specify a password for the superuser to enable %s authentication",
2377-
(strcmp(authmethodlocal, "md5") == 0 ||
2378-
strcmp(authmethodlocal, "password") == 0 ||
2379-
strcmp(authmethodlocal, "scram-sha-256") == 0)
2380-
? authmethodlocal
2381-
: authmethodhost);
2382+
pg_log_error("must specify a password for the superuser to enable password authentication");
23822383
exit(1);
23832384
}
23842385
}

src/test/regress/expected/password.out

+3-2
Original file line numberDiff line numberDiff line change
@@ -5,13 +5,14 @@
55
SET password_encryption = 'novalue'; -- error
66
ERROR: invalid value for parameter "password_encryption": "novalue"
77
HINT: Available values: md5, scram-sha-256.
8-
SET password_encryption = true; -- ok
8+
SET password_encryption = true; -- error
9+
ERROR: invalid value for parameter "password_encryption": "true"
10+
HINT: Available values: md5, scram-sha-256.
911
SET password_encryption = 'md5'; -- ok
1012
SET password_encryption = 'scram-sha-256'; -- ok
1113
-- consistency of password entries
1214
SET password_encryption = 'md5';
1315
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
14-
SET password_encryption = 'on';
1516
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
1617
SET password_encryption = 'scram-sha-256';
1718
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';

src/test/regress/sql/password.sql

+1-2
Original file line numberDiff line numberDiff line change
@@ -4,14 +4,13 @@
44

55
-- Tests for GUC password_encryption
66
SET password_encryption = 'novalue'; -- error
7-
SET password_encryption = true; -- ok
7+
SET password_encryption = true; -- error
88
SET password_encryption = 'md5'; -- ok
99
SET password_encryption = 'scram-sha-256'; -- ok
1010

1111
-- consistency of password entries
1212
SET password_encryption = 'md5';
1313
CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
14-
SET password_encryption = 'on';
1514
CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
1615
SET password_encryption = 'scram-sha-256';
1716
CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';

0 commit comments

Comments
 (0)