Re: [BUGS] BUG #14661: authentication behavior(SCRAM-MD5)

Поиск
Список
Период
Сортировка
От Anthony Sotolongo
Тема Re: [BUGS] BUG #14661: authentication behavior(SCRAM-MD5)
Дата
Msg-id c696043e-74bb-ae96-5ff1-d96f7c58c181@gmail.com
обсуждение исходный текст
Ответ на Re: [BUGS] BUG #14661: authentication behavior(SCRAM-MD5)  (Heikki Linnakangas <hlinnaka@iki.fi>)
Список pgsql-bugs
Дерево обсуждения 
Thanks!!! :D


On 19/05/17 11:47, Heikki Linnakangas wrote:
> On 05/19/2017 06:05 PM, asotolongo@gmail.com wrote:
>> i think that is correct, but when i have the next configuracion:
>> pg_hba.conf
>> host    all             usuario         0.0.0.0/0            md5
>> host    all             postgres        0.0.0.0/0            md5
>>
>> and my user with SCRAM encryption
>> postgres=# select usename,passwd from pg_shadow ;
>>  usename  |
>> passwd
>>
----------+-------------------------------------------------------------------------------------------------------------------------------

>>
>>  usuario  |
>>
SCRAM-SHA-256$4096:Fhqo2W7V4FlVQk7+$fkQJ02YBGMhePbhVnKOcHjON/VPUTDzT/pZboiwHofY=:XliKl0leu/kpN4ZGmNPnHKKWj76f7qN8lIjrY8jOVcA=

>>
>>  postgres |
>>
SCRAM-SHA-256$4096:5DcjppjZNyrGb0Jo$iomUsf0Mo0RSSjkwzhwHwRphhVG5EKLRRMVp/eiENuI=:XFIOQcd1nA1IKclPrVSwFym9N5dLuYB43CfI3Lf5zGA=

>>
>> (2 filas)
>>
>>
>> and when try to  login, login successfully
>> is correct this behavior?
>
> Yeah, "md5" in pg_hba.conf really means "md5 or scram-sha-256, 
> depending on what kind of password hash the user has".
>
> The documentation at 
> https://www.postgresql.org/docs/devel/static/auth-methods.html#auth-password 
> tries to explain it:
>
>> scram-sha-256 performs SCRAM-SHA-256 authentication, as described in
>> RFC5802. It is a challenge-response scheme, that prevents password
>> sniffing on untrusted connections. It is more secure than the md5
>> method, but might not be supported by older clients.
>>
>> md5 allows falling back to a less secure challenge-response mechanism
>> for those users with an MD5 hashed password. The fallback mechanism
>> also prevents password sniffing, but provides no protection if an
>> attacker manages to steal the password hash from the server, and it
>> cannot be used with the db_user_namespace feature. For all other
>> users, md5 works the same as scram-sha-256.
>
>
> - Heikki
>



-- 
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs

В списке pgsql-bugs по дате отправления: