21.5. Password Authentication

21.5. Password Authentication
Prev	Up	Chapter 21. Client Authentication	Home	Next

+ There are several password-based authentication methods. These methods + operate similarly but differ in how the users' passwords are stored on the + server and how the password provided by a client is sent across the + connection. +

scram-sha-256

+ The method scram-sha-256 performs SCRAM-SHA-256 + authentication, as described in + RFC 7677. It + is a challenge-response scheme that prevents password sniffing on + untrusted connections and supports storing passwords on the server in a + cryptographically hashed form that is thought to be secure. +

+ This is the most secure of the currently provided methods, but it is + not supported by older client libraries. +

md5

+ The method md5 uses a custom less secure challenge-response + mechanism. It prevents password sniffing and avoids storing passwords + on the server in plain text but provides no protection if an attacker + manages to steal the password hash from the server. Also, the MD5 hash + algorithm is nowadays no longer considered secure against determined + attacks. +

+ The md5 method cannot be used with + the db_user_namespace feature. +

+ To ease transition from the md5 method to the newer + SCRAM method, if md5 is specified as a method + in pg_hba.conf but the user's password on the + server is encrypted for SCRAM (see below), then SCRAM-based + authentication will automatically be chosen instead. +

password

+ The method password sends the password in clear-text and is + therefore vulnerable to password “sniffing” attacks. It should + always be avoided if possible. If the connection is protected by SSL + encryption then password can be used safely, though. + (Though SSL certificate authentication might be a better choice if one + is depending on using SSL). +

+ PostgreSQL database passwords are + separate from operating system user passwords. The password for + each database user is stored in the pg_authid system + catalog. Passwords can be managed with the SQL commands + CREATE ROLE and + ALTER ROLE, + e.g., CREATE ROLE foo WITH LOGIN PASSWORD 'secret', + or the psql + command \password. + If no password has been set up for a user, the stored password + is null and password authentication will always fail for that user. +

+ The availability of the different password-based authentication methods + depends on how a user's password on the server is encrypted (or hashed, + more accurately). This is controlled by the configuration + parameter password_encryption at the time the + password is set. If a password was encrypted using + the scram-sha-256 setting, then it can be used for the + authentication methods scram-sha-256 + and password (but password transmission will be in + plain text in the latter case). The authentication method + specification md5 will automatically switch to using + the scram-sha-256 method in this case, as explained + above, so it will also work. If a password was encrypted using + the md5 setting, then it can be used only for + the md5 and password authentication + method specifications (again, with the password transmitted in plain text + in the latter case). (Previous PostgreSQL releases supported storing the + password on the server in plain text. This is no longer possible.) To + check the currently stored password hashes, see the system + catalog pg_authid. +

+ To upgrade an existing installation from md5 + to scram-sha-256, after having ensured that all client + libraries in use are new enough to support SCRAM, + set password_encryption = 'scram-sha-256' + in postgresql.conf, make all users set new passwords, + and change the authentication method specifications + in pg_hba.conf to scram-sha-256. +

Prev	Up	Next
21.4. Trust Authentication	Home	21.6. GSSAPI Authentication