Thread: How To Change Password Hash Algorithm From MD5 to SHA-256

How To Change Password Hash Algorithm From MD5 to SHA-256

From
"ROMAIN, ERICKA W CTR DISA PEO-MA"
Date:
I am trying to get Postgres to use SHA as the password hash algorithm instead of MD5. This is a security requirement. I
am running PostgreSQL 8.4 on a Red Hat Linux platform. I have installed pgcrypto and ran pgcrypto.sql. I also created a
function SHA-256. The function looks like:

CREATE OR REPLACE FUNCTION sha256(bytea) returns text AS $$
      SELECT encode(digest($1, 'sha256'), 'hex')
    $$ LANGUAGE SQL STRICT IMMUTABLE;

I then created a new user. Then I queried pg_shadow and the encrypted password still has md5 at the beginning of the
hash. How do I get postgres to use SHA-256?

Any help would be greatly appreciated.


Ericka Romain


Re: How To Change Password Hash Algorithm From MD5 to SHA-256

From
Josh Kupershmidt
Date:
On Thu, Jun 7, 2012 at 8:12 AM, ROMAIN, ERICKA W CTR DISA PEO-MA
<ericka.romain.ctr@disa.mil> wrote:
> I am trying to get Postgres to use SHA as the password hash algorithm instead of MD5. This is a security requirement.
> I am running PostgreSQL 8.4 on a Red Hat Linux platform. I have installed pgcrypto and ran pgcrypto.sql. I also created
> a function SHA-256. The function looks like:
>
> CREATE OR REPLACE FUNCTION sha256(bytea) returns text AS $$
>      SELECT encode(digest($1, 'sha256'), 'hex')
>    $$ LANGUAGE SQL STRICT IMMUTABLE;
>
> I then created a new user. Then I queried pg_shadow and the encrypted password still has md5 at the beginning of the
> hash. How do I get postgres to use SHA-256?

Well, the function you created has nothing to do with how Postgres
handles password authentication. A whole bunch of places in the code
are hardcoded to assume that password hashing and authentication are
done with MD5, and you'd have to change them all to support SHA-256
password hashing instead. Also, all clients connecting to your server
would have to be using your modified version of libpq to authenticate
to your modified server.

Josh
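
As an added illustration of the reply above (not part of the original thread and not PostgreSQL source code): a Python sketch of the MD5 password scheme that both the server and the client library implement, next to the thread's `sha256()` helper, which takes no part in it. The user name, password and function names are constructed for the example.

```python
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_verifier(password: str, username: str) -> str:
    """Value kept in pg_shadow.passwd: 'md5' || md5(password || username)."""
    return "md5" + md5_hex(password.encode() + username.encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """Client side: answer to the server's MD5 challenge (4-byte salt)."""
    inner = md5_hex(password.encode() + username.encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_check(shadow_passwd: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the answer from the stored verifier and salt."""
    if not shadow_passwd.startswith("md5"):
        return False  # not an MD5 verifier, nothing to compare against
    expected = "md5" + md5_hex(shadow_passwd[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def pgcrypto_style_sha256(data: bytes) -> str:
    """Python equivalent of the thread's sha256(bytea) SQL function."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    user, pw = "app_user", "constructed-example-pw"  # constructed sample values
    shadow = stored_verifier(pw, user)
    salt = os.urandom(4)
    print("pg_shadow.passwd :", shadow)
    print("login accepted   :", server_check(shadow, salt, client_response(pw, user, salt)))
    # The user-defined helper produces an unrelated value that neither side consults.
    print("sha256() helper  :", pgcrypto_style_sha256(pw.encode()))
```

Because the client computes its half of the exchange itself, changing only the server's hash would break every unmodified client, which is the libpq point made in the reply.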