Commitc7eab0e

committed
Change default of password_encryption to scram-sha-256
Also, the legacy values on/true/yes/1 for password_encryption that
mapped to md5 are removed. The only valid values are now
scram-sha-256 and md5.

Reviewed-by: Jonathan S. Katz <jkatz@postgresql.org>
Discussion: https://www.postgresql.org/message-id/flat/d5b0ad33-7d94-bdd1-caac-43a1c782cab2%402ndquadrant.com
1 parent5a4ada7 commitc7eab0e


7 files changed

+23
-31
lines changed

7 files changed

+23
-31
lines changed

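--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1013,11 +1013,11 @@ include_dir 'conf.d'
 <listitem>
 <para>
 When a password is specified in <xref linkend="sql-createrole"/> or
-<xref linkend="sql-alterrole"/>, this parameter determines the algorithm
-to use to encrypt the password.The default value is <literal>md5</literal>,
-which stores the password as an MD5 hash (<literal>on</literal> is also
-accepted, as alias for<literal>md5</literal>). Setting this parameter to
-<literal>scram-sha-256</literal> will encrypt the password with SCRAM-SHA-256.
+<xref linkend="sql-alterrole"/>, this parameter determines the
+algorithmto use to encrypt the password. Possible values are
+<literal>scram-sha-256</literal>, which will encrypt the password with
+SCRAM-SHA-256, and<literal>md5</literal>, which stores the password
+as an MD5 hash. The default is<literal>scram-sha-256</literal>.
 </para>
 <para>
 Note that older clients might lack support for the SCRAM authentication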

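--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -43,7 +43,7 @@ Oidbinary_upgrade_next_pg_authid_oid = InvalidOid;
 
 
 /* GUC parameter */
-intPassword_encryption=PASSWORD_TYPE_MD5;
+intPassword_encryption=PASSWORD_TYPE_SCRAM_SHA_256;
 
 /* Hook to check passwords in CreateRole() and AlterRole() */
 check_password_hook_typecheck_password_hook=NULL;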

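--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -463,18 +463,9 @@ static const struct config_enum_entry plan_cache_mode_options[] = {
 {NULL,0, false}
 };
 
-/*
-* password_encryption used to be a boolean, so accept all the likely
-* variants of "on", too. "off" used to store passwords in plaintext,
-* but we don't support that anymore.
-*/
 staticconststructconfig_enum_entrypassword_encryption_options[]= {
 {"md5",PASSWORD_TYPE_MD5, false},
 {"scram-sha-256",PASSWORD_TYPE_SCRAM_SHA_256, false},
-{"on",PASSWORD_TYPE_MD5, true},
-{"true",PASSWORD_TYPE_MD5, true},
-{"yes",PASSWORD_TYPE_MD5, true},
-{"1",PASSWORD_TYPE_MD5, true},
 {NULL,0, false}
 };
 
@@ -4733,7 +4724,7 @@ static struct config_enum ConfigureNamesEnum[] =
 NULL
 },
 &Password_encryption,
-PASSWORD_TYPE_MD5,password_encryption_options,
+PASSWORD_TYPE_SCRAM_SHA_256,password_encryption_options,
 NULL,NULL,NULL
 },
 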
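Review bot: With the explanatory comment above `password_encryption_options[]` deleted, nothing at the table records that the boolean spellings `on`/`true`/`yes`/`1` are now rejected on purpose rather than forgotten. I would leave a one-line comment there, for example `/* No boolean aliases: "on" used to mean md5 and must not silently select the weaker hash. */`. A configuration file carried over from an older release that still sets one of those values will presumably fail validation, which is worth stating in the release notes.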

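--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -88,7 +88,7 @@
 # - Authentication -
 
 #authentication_timeout = 1min# 1s-600s
-#password_encryption =md5# md5 orscram-sha-256
+#password_encryption =scram-sha-256#scram-sha-256 or md5
 #db_user_namespace = off
 
 # GSSAPI using Kerberos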

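--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -1204,12 +1204,18 @@ setup_config(void)
 "#update_process_title = off");
 #endif
 
-if (strcmp(authmethodlocal,"scram-sha-256")==0||
-strcmp(authmethodhost,"scram-sha-256")==0)
+/*
+* Change password_encryption setting to md5 if md5 was chosen as an
+* authentication method, unless scram-sha-256 was also chosen.
+*/
+if ((strcmp(authmethodlocal,"md5")==0&&
+strcmp(authmethodhost,"scram-sha-256")!=0)||
+(strcmp(authmethodhost,"md5")==0&&
+strcmp(authmethodlocal,"scram-sha-256")!=0))
 {
 conflines=replace_token(conflines,
-"#password_encryption =md5",
-"password_encryption =scram-sha-256");
+"#password_encryption =scram-sha-256",
+"password_encryption =md5");
 }
 
 /*
@@ -2373,12 +2379,7 @@ check_need_password(const char *authmethodlocal, const char *authmethodhost)
 strcmp(authmethodhost,"scram-sha-256")==0)&&
 !(pwprompt||pwfilename))
 {
-pg_log_error("must specify a password for the superuser to enable %s authentication",
-(strcmp(authmethodlocal,"md5")==0||
-strcmp(authmethodlocal,"password")==0||
-strcmp(authmethodlocal,"scram-sha-256")==0)
-?authmethodlocal
-:authmethodhost);
+pg_log_error("must specify a password for the superuser to enable password authentication");
 exit(1);
 }
 }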
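Review bot: The new comment in the first hunk says when `password_encryption` is switched to md5 but not how far the switch reaches: the replaced line goes into the generated configuration, so it appears to govern every password set later in the cluster, not only the superuser's. I would add a sentence to that comment, for example `* Note that this makes later CREATE ROLE/ALTER ROLE passwords MD5-hashed as well.` The first `replace_token()` argument also has to match the commented-out default in postgresql.conf.sample character for character; a remark such as `/* keep in sync with postgresql.conf.sample */` would guard against the two drifting apart, since a mismatch would presumably leave the file unchanged without any error. `setup_config()` starts and ends outside the hunk.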

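--- a/src/test/regress/expected/password.out
+++ b/src/test/regress/expected/password.out
@@ -5,13 +5,14 @@
 SET password_encryption = 'novalue'; -- error
 ERROR: invalid value for parameter "password_encryption": "novalue"
 HINT: Available values: md5, scram-sha-256.
-SET password_encryption = true; -- ok
+SET password_encryption = true; -- error
+ERROR: invalid value for parameter "password_encryption": "true"
+HINT: Available values: md5, scram-sha-256.
 SET password_encryption = 'md5'; -- ok
 SET password_encryption = 'scram-sha-256'; -- ok
 -- consistency of password entries
 SET password_encryption = 'md5';
 CREATE ROLE regress_passwd1 PASSWORD 'role_pwd1';
-SET password_encryption = 'on';
 CREATE ROLE regress_passwd2 PASSWORD 'role_pwd2';
 SET password_encryption = 'scram-sha-256';
 CREATE ROLE regress_passwd3 PASSWORD 'role_pwd3';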

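--- a/src/test/regress/sql/password.sql
+++ b/src/test/regress/sql/password.sql
@@ -4,14 +4,13 @@
 
 -- Tests for GUC password_encryption
 SET password_encryption='novalue';-- error
-SET password_encryption= true;--ok
+SET password_encryption= true;--error
 SET password_encryption='md5';-- ok
 SET password_encryption='scram-sha-256';-- ok
 
 -- consistency of password entries
 SET password_encryption='md5';
 CREATE ROLE regress_passwd1 PASSWORD'role_pwd1';
-SET password_encryption='on';
 CREATE ROLE regress_passwd2 PASSWORD'role_pwd2';
 SET password_encryption='scram-sha-256';
 CREATE ROLE regress_passwd3 PASSWORD'role_pwd3';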
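Review bot: Only the bare boolean `true` is checked as rejected; the other removed aliases have no negative test, and with `SET password_encryption='on';` deleted, `regress_passwd2` is now created under the same md5 setting as `regress_passwd1`, so the two roles cover the same case. Adding `SET password_encryption = 'on'; -- error` next to the `true` case would pin the removal of the string aliases. The expected output in password.out would need the matching ERROR and HINT lines.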
