Re: [pgadmin-hackers] [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

On Mon, Apr 24, 2017 at 3:04 PM, Akshay Joshi
<akshay.joshi@enterprisedb.com> wrote:
>    I have gone through this, but still facing issue to encrypt/change the database server password. In pgAdmin4 we
have"Change Password" feature where user will enter the old and new password for the database server, now we will have
toencrypt it (in Python) as per SCRAM standards and set it to the database. 

By using SET password_encryption = 'scram-sha-256' and sending the raw
password you would be able to hash the password correctly. Or you
could just mimic scram_build_password() (routine in Postgres code to
generate that correctly).

>   The example you have given in https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151907@iki.fi I
havebelow questions: 
> To encode the password you already have entry from pg_authid table which won't be possible for non superuser to
accessthat table. How we can get that value from pg_authid table or do we have any other solution to this. 

I don't understand this question, any user can update this field using
CREATE/ALTER ROLE, and the client has no need to know this value for
the exchange.

> For constructing  the whole client-final-message, we need to calculate  ClientSignature and ClientProof, which depend
onthe nonces, and is  therefore different on every authentication exchange. How to calculate ClientSignature and
ClientProof?
>   Can you please guide me here, how can we achieve that in python.

You will need a C equivalent of what is proposed in fe-auth-scram.c in
the Postgres code to build the messages that are exchanged from the
server, see particularly calculate_client_proof() which describes step
by step the calculation of the client proof when building the last
message for the client. I didn't check in details, but the routines
are the same as in the message above. The format of the hashed
password has changed a bit since commit 68e61ee though.
--
Michael