Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitc727f12

Browse files
committed
Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.
Per discussion, plain "scram" is confusing because we actually implementSCRAM-SHA-256 rather than the original SCRAM that uses SHA-1 as the hashalgorithm. If we add support for SCRAM-SHA-512 or some other mechanism inthe SCRAM family in the future, that would become even more confusing.Most of the internal files and functions still use just "scram" as ashorthand for SCRMA-SHA-256, but I did change PASSWORD_TYPE_SCRAM toPASSWORD_TYPE_SCRAM_SHA_256, as that could potentially be used by 3rdparty extensions that hook into the password-check hook.Michael Paquier did this in an earlier version of the SCRAM patch setalready, but I didn't include that in the version that was committed.Discussion:https://www.postgresql.org/message-id/fde71ff1-5858-90c8-99a9-1c2427e7bafb@iki.fi
1 parent123aaff commitc727f12

File tree

15 files changed

+60
-59
lines changed

15 files changed

+60
-59
lines changed

‎doc/src/sgml/client-auth.sgml‎

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -412,7 +412,7 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
412412
</varlistentry>
413413

414414
<varlistentry>
415-
<term><literal>scram</></term>
415+
<term><literal>scram-sha-256</></term>
416416
<listitem>
417417
<para>
418418
Perform SCRAM-SHA-256 authentication to verify the user's
@@ -683,7 +683,7 @@ host postgres all 192.168.93.0/24 ident
683683
# "postgres" if the user's password is correctly supplied.
684684
#
685685
# TYPE DATABASE USER ADDRESS METHOD
686-
host postgres all 192.168.12.10/32 scram
686+
host postgres all 192.168.12.10/32 scram-sha-256
687687

688688
# Allow any user from hosts in the example.com domain to connect to
689689
# any database if the user's password is correctly supplied.
@@ -694,7 +694,7 @@ host postgres all 192.168.12.10/32 scram
694694
#
695695
# TYPE DATABASE USER ADDRESS METHOD
696696
host all mike .example.com md5
697-
host all all .example.com scram
697+
host all all .example.com scram-sha-256
698698

699699
# In the absence of preceding "host" lines, these two lines will
700700
# reject all connections from 192.168.54.1 (since that entry will be
@@ -922,7 +922,7 @@ omicron bryanh guest1
922922
</indexterm>
923923

924924
<para>
925-
The password-based authentication methods are <literal>scram</>,
925+
The password-based authentication methods are <literal>scram-sha-256</>,
926926
<literal>md5</>, and <literal>password</>. These methods operate
927927
similarly except for the way that the password is sent across the
928928
connection.
@@ -939,8 +939,9 @@ omicron bryanh guest1
939939

940940

941941
<para>
942-
<literal>scram</> performs SCRAM-SHA-256 authentication, as described
943-
in <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
942+
<literal>scram-sha-256</> performs SCRAM-SHA-256 authentication, as
943+
described in
944+
<ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
944945
is a challenge-response scheme, that prevents password sniffing on
945946
untrusted connections. It is more secure than the <literal>md5</>
946947
method, but might not be supported by older clients.
@@ -953,7 +954,7 @@ omicron bryanh guest1
953954
protection if an attacker manages to steal the password hash from the
954955
server, and it cannot be used with the <xref
955956
linkend="guc-db-user-namespace"> feature. For all other users,
956-
<literal>md5</> works the same as <literal>scram</>.
957+
<literal>md5</> works the same as <literal>scram-sha-256</>.
957958
</para>
958959

959960
<para>

‎doc/src/sgml/config.sgml‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1194,8 +1194,8 @@ include_dir 'conf.d'
11941194
stores the password as an MD5 hash. Setting this to <literal>plain</> stores
11951195
it in plaintext. <literal>on</> and <literal>off</> are also accepted, as
11961196
aliases for <literal>md5</> and <literal>plain</>, respectively. Setting
1197-
this parameter to <literal>scram</> will encrypt the password with
1198-
SCRAM-SHA-256.
1197+
this parameter to <literal>scram-sha-256</> will encrypt the password
1198+
withSCRAM-SHA-256.
11991199
</para>
12001200
</listitem>
12011201
</varlistentry>

‎src/backend/commands/user.c‎

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -140,8 +140,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
140140
dpassword=defel;
141141
if (strcmp(defel->defname,"encryptedPassword")==0)
142142
{
143-
if (Password_encryption==PASSWORD_TYPE_SCRAM)
144-
password_type=PASSWORD_TYPE_SCRAM;
143+
if (Password_encryption==PASSWORD_TYPE_SCRAM_SHA_256)
144+
password_type=PASSWORD_TYPE_SCRAM_SHA_256;
145145
else
146146
password_type=PASSWORD_TYPE_MD5;
147147
}
@@ -548,8 +548,8 @@ AlterRole(AlterRoleStmt *stmt)
548548
dpassword=defel;
549549
if (strcmp(defel->defname,"encryptedPassword")==0)
550550
{
551-
if (Password_encryption==PASSWORD_TYPE_SCRAM)
552-
password_type=PASSWORD_TYPE_SCRAM;
551+
if (Password_encryption==PASSWORD_TYPE_SCRAM_SHA_256)
552+
password_type=PASSWORD_TYPE_SCRAM_SHA_256;
553553
else
554554
password_type=PASSWORD_TYPE_MD5;
555555
}

‎src/backend/libpq/auth-scram.c‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -183,7 +183,7 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
183183
{
184184
intpassword_type=get_password_type(shadow_pass);
185185

186-
if (password_type==PASSWORD_TYPE_SCRAM)
186+
if (password_type==PASSWORD_TYPE_SCRAM_SHA_256)
187187
{
188188
if (parse_scram_verifier(shadow_pass,&state->salt,&state->iterations,
189189
state->StoredKey,state->ServerKey))

‎src/backend/libpq/auth.c‎

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,7 @@ static char *recv_password_packet(Port *port);
5050

5151

5252
/*----------------------------------------------------------------
53-
* Password-based authentication methods (password, md5, and scram)
53+
* Password-based authentication methods (password, md5, and scram-sha-256)
5454
*----------------------------------------------------------------
5555
*/
5656
staticintCheckPasswordAuth(Port*port,char**logdetail);
@@ -757,10 +757,10 @@ CheckPWChallengeAuth(Port *port, char **logdetail)
757757
* If the user does not exist, or has no password, we still go through the
758758
* motions of authentication, to avoid revealing to the client that the
759759
* user didn't exist. If 'md5' is allowed, we choose whether to use 'md5'
760-
* or 'scram' authentication based on current password_encryption setting.
761-
* The idea is that most genuine users probably have a password of that
762-
* type, if we pretend that this user had a password of that type, too, it
763-
* "blends in" best.
760+
* or 'scram-sha-256' authentication based on current password_encryption
761+
*setting.The idea is that most genuine users probably have a password
762+
*of thattype, if we pretend that this user had a password of that type,
763+
*too, it"blends in" best.
764764
*
765765
* If the user had a password, but it was expired, we'll use the details
766766
* of the expired password for the authentication, but report it as
@@ -773,9 +773,9 @@ CheckPWChallengeAuth(Port *port, char **logdetail)
773773

774774
/*
775775
* If 'md5' authentication is allowed, decide whether to perform 'md5' or
776-
* 'scram' authentication based on the type of password the user has. If
777-
* it's an MD5 hash, we must do MD5 authentication, and if it's a SCRAM
778-
* verifier, we must do SCRAM authentication. If it's stored in
776+
* 'scram-sha-256' authentication based on the type of password the user
777+
*has. Ifit's an MD5 hash, we must do MD5 authentication, and if it's
778+
*a SCRAMverifier, we must do SCRAM authentication. If it's stored in
779779
* plaintext, we could do either one, so we opt for the more secure
780780
* mechanism, SCRAM.
781781
*

‎src/backend/libpq/crypt.c‎

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -101,7 +101,7 @@ get_password_type(const char *shadow_pass)
101101
if (strncmp(shadow_pass,"md5",3)==0&&strlen(shadow_pass)==MD5_PASSWD_LEN)
102102
returnPASSWORD_TYPE_MD5;
103103
if (strncmp(shadow_pass,"scram-sha-256:",strlen("scram-sha-256:"))==0)
104-
returnPASSWORD_TYPE_SCRAM;
104+
returnPASSWORD_TYPE_SCRAM_SHA_256;
105105
returnPASSWORD_TYPE_PLAINTEXT;
106106
}
107107

@@ -141,7 +141,7 @@ encrypt_password(PasswordType target_type, const char *role,
141141
elog(ERROR,"password encryption failed");
142142
returnencrypted_password;
143143

144-
casePASSWORD_TYPE_SCRAM:
144+
casePASSWORD_TYPE_SCRAM_SHA_256:
145145

146146
/*
147147
* cannot convert a SCRAM verifier to an MD5 hash, so fall
@@ -152,7 +152,7 @@ encrypt_password(PasswordType target_type, const char *role,
152152
}
153153
break;
154154

155-
casePASSWORD_TYPE_SCRAM:
155+
casePASSWORD_TYPE_SCRAM_SHA_256:
156156
switch (guessed_type)
157157
{
158158
casePASSWORD_TYPE_PLAINTEXT:
@@ -164,7 +164,7 @@ encrypt_password(PasswordType target_type, const char *role,
164164
* cannot convert an MD5 hash to a SCRAM verifier, so fall
165165
* through to save the MD5 hash instead.
166166
*/
167-
casePASSWORD_TYPE_SCRAM:
167+
casePASSWORD_TYPE_SCRAM_SHA_256:
168168
returnpstrdup(password);
169169
}
170170
break;
@@ -280,7 +280,7 @@ plain_crypt_verify(const char *role, const char *shadow_pass,
280280
*/
281281
switch (get_password_type(shadow_pass))
282282
{
283-
casePASSWORD_TYPE_SCRAM:
283+
casePASSWORD_TYPE_SCRAM_SHA_256:
284284
if (scram_verify_plain_password(role,
285285
client_pass,
286286
shadow_pass))

‎src/backend/libpq/hba.c‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -126,7 +126,7 @@ static const char *const UserAuthName[] =
126126
"ident",
127127
"password",
128128
"md5",
129-
"scram",
129+
"scram-sha256",
130130
"gss",
131131
"sspi",
132132
"pam",
@@ -1327,7 +1327,7 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
13271327
}
13281328
parsedline->auth_method=uaMD5;
13291329
}
1330-
elseif (strcmp(token->string, "scram")==0)
1330+
elseif (strcmp(token->string, "scram-sha-256")==0)
13311331
parsedline->auth_method=uaSCRAM;
13321332
elseif (strcmp(token->string, "pam")==0)
13331333
#ifdefUSE_PAM

‎src/backend/libpq/pg_hba.conf.sample‎

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -42,10 +42,10 @@
4242
# or "samenet" to match any address in any subnet that the server is
4343
# directly connected to.
4444
#
45-
# METHOD can be "trust", "reject", "md5", "password", "scram", "gss",
46-
# "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
47-
# "password" sends passwords in clear text; "md5" or "scram" are preferred
48-
# since they send encrypted passwords.
45+
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
46+
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
47+
#Note that"password" sends passwords in clear text; "md5" or
48+
#"scram-sha-256" are preferredsince they send encrypted passwords.
4949
#
5050
# OPTIONS are a set of options for the authentication in the format
5151
# NAME=VALUE. The available options depend on the different

‎src/backend/utils/misc/guc.c‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -410,7 +410,7 @@ static const struct config_enum_entry force_parallel_mode_options[] = {
410410
staticconststructconfig_enum_entrypassword_encryption_options[]= {
411411
{"plain",PASSWORD_TYPE_PLAINTEXT, false},
412412
{"md5",PASSWORD_TYPE_MD5, false},
413-
{"scram",PASSWORD_TYPE_SCRAM, false},
413+
{"scram-sha-256",PASSWORD_TYPE_SCRAM_SHA_256, false},
414414
{"off",PASSWORD_TYPE_PLAINTEXT, false},
415415
{"on",PASSWORD_TYPE_MD5, false},
416416
{"true",PASSWORD_TYPE_MD5, true},

‎src/bin/initdb/initdb.c‎

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -77,7 +77,7 @@
7777
externconstchar*select_default_timezone(constchar*share_path);
7878

7979
staticconstchar*constauth_methods_host[]= {
80-
"trust","reject","md5","password","scram","ident","radius",
80+
"trust","reject","scram-sha-256","md5","password","ident","radius",
8181
#ifdefENABLE_GSS
8282
"gss",
8383
#endif
@@ -99,7 +99,7 @@ static const char *const auth_methods_host[] = {
9999
NULL
100100
};
101101
staticconstchar*constauth_methods_local[]= {
102-
"trust","reject","md5","scram","password","peer","radius",
102+
"trust","reject","scram-sha-256","md5","password","peer","radius",
103103
#ifdefUSE_PAM
104104
"pam","pam ",
105105
#endif
@@ -1130,12 +1130,12 @@ setup_config(void)
11301130
"#update_process_title = off");
11311131
#endif
11321132

1133-
if (strcmp(authmethodlocal,"scram")==0||
1134-
strcmp(authmethodhost,"scram")==0)
1133+
if (strcmp(authmethodlocal,"scram-sha-256")==0||
1134+
strcmp(authmethodhost,"scram-sha-256")==0)
11351135
{
11361136
conflines=replace_token(conflines,
11371137
"#password_encryption = md5",
1138-
"password_encryption = scram");
1138+
"password_encryption = scram-sha-256");
11391139
}
11401140

11411141
snprintf(path,sizeof(path),"%s/postgresql.conf",pg_data);
@@ -2329,16 +2329,16 @@ check_need_password(const char *authmethodlocal, const char *authmethodhost)
23292329
{
23302330
if ((strcmp(authmethodlocal,"md5")==0||
23312331
strcmp(authmethodlocal,"password")==0||
2332-
strcmp(authmethodlocal,"scram")==0)&&
2332+
strcmp(authmethodlocal,"scram-sha-256")==0)&&
23332333
(strcmp(authmethodhost,"md5")==0||
23342334
strcmp(authmethodhost,"password")==0||
2335-
strcmp(authmethodhost,"scram")==0)&&
2335+
strcmp(authmethodhost,"scram-sha-256")==0)&&
23362336
!(pwprompt||pwfilename))
23372337
{
23382338
fprintf(stderr,_("%s: must specify a password for the superuser to enable %s authentication\n"),progname,
23392339
(strcmp(authmethodlocal,"md5")==0||
23402340
strcmp(authmethodlocal,"password")==0||
2341-
strcmp(authmethodlocal,"scram")==0)
2341+
strcmp(authmethodlocal,"scram-sha-256")==0)
23422342
?authmethodlocal
23432343
:authmethodhost);
23442344
exit(1);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp