diff options
Diffstat (limited to 'doc/src/sgml/html/auth-password.html')
| -rw-r--r-- | doc/src/sgml/html/auth-password.html | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/doc/src/sgml/html/auth-password.html b/doc/src/sgml/html/auth-password.html new file mode 100644 index 0000000..f30a8bd --- /dev/null +++ b/doc/src/sgml/html/auth-password.html @@ -0,0 +1,80 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.5. Password Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="auth-trust.html" title="21.4. Trust Authentication" /><link rel="next" href="gssapi-auth.html" title="21.6. GSSAPI Authentication" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.5. Password Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-trust.html" title="21.4. Trust Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 21. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="gssapi-auth.html" title="21.6. GSSAPI Authentication">Next</a></td></tr></table><hr /></div><div class="sect1" id="AUTH-PASSWORD"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.5. Password Authentication</h2></div></div></div><a id="id-1.6.8.12.2" class="indexterm"></a><a id="id-1.6.8.12.3" class="indexterm"></a><a id="id-1.6.8.12.4" class="indexterm"></a><p> + There are several password-based authentication methods. These methods + operate similarly but differ in how the users' passwords are stored on the + server and how the password provided by a client is sent across the + connection. + </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">scram-sha-256</code></span></dt><dd><p> + The method <code class="literal">scram-sha-256</code> performs SCRAM-SHA-256 + authentication, as described in + <a class="ulink" href="https://tools.ietf.org/html/rfc7677" target="_top">RFC 7677</a>. It + is a challenge-response scheme that prevents password sniffing on + untrusted connections and supports storing passwords on the server in a + cryptographically hashed form that is thought to be secure. + </p><p> + This is the most secure of the currently provided methods, but it is + not supported by older client libraries. + </p></dd><dt><span class="term"><code class="literal">md5</code></span></dt><dd><p> + The method <code class="literal">md5</code> uses a custom less secure challenge-response + mechanism. It prevents password sniffing and avoids storing passwords + on the server in plain text but provides no protection if an attacker + manages to steal the password hash from the server. Also, the MD5 hash + algorithm is nowadays no longer considered secure against determined + attacks. + </p><p> + The <code class="literal">md5</code> method cannot be used with + the <a class="xref" href="runtime-config-connection.html#GUC-DB-USER-NAMESPACE">db_user_namespace</a> feature. + </p><p> + To ease transition from the <code class="literal">md5</code> method to the newer + SCRAM method, if <code class="literal">md5</code> is specified as a method + in <code class="filename">pg_hba.conf</code> but the user's password on the + server is encrypted for SCRAM (see below), then SCRAM-based + authentication will automatically be chosen instead. + </p></dd><dt><span class="term"><code class="literal">password</code></span></dt><dd><p> + The method <code class="literal">password</code> sends the password in clear-text and is + therefore vulnerable to password <span class="quote">“<span class="quote">sniffing</span>”</span> attacks. It should + always be avoided if possible. If the connection is protected by SSL + encryption then <code class="literal">password</code> can be used safely, though. + (Though SSL certificate authentication might be a better choice if one + is depending on using SSL). + </p></dd></dl></div><p> + <span class="productname">PostgreSQL</span> database passwords are + separate from operating system user passwords. The password for + each database user is stored in the <code class="literal">pg_authid</code> system + catalog. Passwords can be managed with the SQL commands + <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> and + <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>, + e.g., <strong class="userinput"><code>CREATE ROLE foo WITH LOGIN PASSWORD 'secret'</code></strong>, + or the <span class="application">psql</span> + command <code class="literal">\password</code>. + If no password has been set up for a user, the stored password + is null and password authentication will always fail for that user. + </p><p> + The availability of the different password-based authentication methods + depends on how a user's password on the server is encrypted (or hashed, + more accurately). This is controlled by the configuration + parameter <a class="xref" href="runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION">password_encryption</a> at the time the + password is set. If a password was encrypted using + the <code class="literal">scram-sha-256</code> setting, then it can be used for the + authentication methods <code class="literal">scram-sha-256</code> + and <code class="literal">password</code> (but password transmission will be in + plain text in the latter case). The authentication method + specification <code class="literal">md5</code> will automatically switch to using + the <code class="literal">scram-sha-256</code> method in this case, as explained + above, so it will also work. If a password was encrypted using + the <code class="literal">md5</code> setting, then it can be used only for + the <code class="literal">md5</code> and <code class="literal">password</code> authentication + method specifications (again, with the password transmitted in plain text + in the latter case). (Previous PostgreSQL releases supported storing the + password on the server in plain text. This is no longer possible.) To + check the currently stored password hashes, see the system + catalog <code class="literal">pg_authid</code>. + </p><p> + To upgrade an existing installation from <code class="literal">md5</code> + to <code class="literal">scram-sha-256</code>, after having ensured that all client + libraries in use are new enough to support SCRAM, + set <code class="literal">password_encryption = 'scram-sha-256'</code> + in <code class="filename">postgresql.conf</code>, make all users set new passwords, + and change the authentication method specifications + in <code class="filename">pg_hba.conf</code> to <code class="literal">scram-sha-256</code>. + </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-trust.html" title="21.4. Trust Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="gssapi-auth.html" title="21.6. GSSAPI Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.4. Trust Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.6. GSSAPI Authentication</td></tr></table></div></body></html>
\ No newline at end of file |