sclorg / postgresql-container

PostgreSQL container images based on Red Hat Software Collections and intended for OpenShift and general usage. Users can choose between Red Hat Enterprise Linux, Fedora, and CentOS based images.
http://softwarecollections.org
Apache License 2.0

Change the default from md5 to scram-sha-256 in pg_hba.conf #582

Open bdunne opened 3 months ago

bdunne commented 3 months ago
kbrock commented 3 months ago

Looks like this has been supported since postgres 10 and is the standard as of postgres 14

# postgresql.conf
password_encryption = scram-sha-256

Someone just needs to set the password after changing that setting and all systems go (even if pg_hba.conf is still set to md5).

To see if you need to upgrade:

SELECT
    rolname, rolpassword ~ '^SCRAM-SHA-256\$' AS has_upgraded
FROM pg_authid
WHERE rolcanlogin;

/via https://www.crunchydata.com/blog/how-to-upgrade-postgresql-passwords-to-scram
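As an added example (not code from this issue or from the postgresql-container project), the same has_upgraded check as the SQL above, run in Python over constructed pg_authid-style rows, together with the verifier formats that make the query work: PostgreSQL's SCRAM-SHA-256 verifier (PBKDF2 salted password, StoredKey, ServerKey) and the old md5 form, plus a recompute-and-compare check of a SCRAM verifier. It assumes ASCII passwords (SASLprep is skipped) and a constructed salt.

```python
import base64
import hashlib
import hmac

# pg_authid.rolpassword holds either
#   SCRAM-SHA-256$<iterations>:<salt b64>$<StoredKey b64>:<ServerKey b64>
# or the legacy "md5" + hex(md5(password + username)).
SCRAM_PREFIX = "SCRAM-SHA-256$"
DEFAULT_ITERATIONS = 4096  # PostgreSQL's default iteration count


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def scram_verifier(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> str:
    # Simplification: PostgreSQL runs SASLprep on the password first;
    # plain ASCII passwords are unchanged by it.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"{SCRAM_PREFIX}{iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def md5_verifier(password: str, username: str) -> str:
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def scram_verifier_matches(password: str, verifier: str) -> bool:
    """Rebuild the verifier from its own salt/iterations and compare in constant time."""
    if not verifier.startswith(SCRAM_PREFIX):
        return False
    params, _keys = verifier[len(SCRAM_PREFIX):].split("$", 1)
    iterations, salt_b64 = params.split(":", 1)
    expected = scram_verifier(password, base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(expected, verifier)


def has_upgraded(rows):
    """Mirror of the SQL: rolpassword ~ '^SCRAM-SHA-256\\$' for roles WHERE rolcanlogin."""
    return {name: (pw or "").startswith(SCRAM_PREFIX)
            for name, can_login, pw in rows if can_login}


# Constructed sample shaped like pg_authid(rolname, rolcanlogin, rolpassword).
ROWS = [
    ("app", True, scram_verifier("app-secret", b"0123456789abcdef")),
    ("legacy", True, md5_verifier("old-secret", "legacy")),
    ("nologin", False, None),
]
```

A role whose verifier is still md5 keeps working until its password is set again under password_encryption = scram-sha-256, which is exactly the "legacy" row this check flags.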

hhorak commented 2 months ago

We are not able to follow the steps to convert all passwords as the article above describes, because that's what only the users of the postgresql image can do.

What we can do is make the default algorithm configurable and change the default -- that should not affect new deployments because the pg_hba.conf file is created only when creating the database, but we can still surprise users that might use older clients.

Anyway, the change is inevitable at some point, so we should start somewhere (changing the default only in RHEL10/c10s might be the least painful way).

@fila43 WDYT?

kbrock commented 2 months ago

@hhorak I think we are close to the same page.

This migration is definitely on our radar since many companies are requiring the migration to scram.

It is really too bad that there is not a way to upgrade the passwords automatically without risking writing the plain text passwords to disk.

So what I heard you say:

Questions:

Cheers to Brno. When we worked for RH, we enjoyed our great team members over there.

github-actions[bot] commented 1 week ago

Pull Request validation

Failed

🔴 Review - Missing review from a member (2 required)

Success

🟢 CI - All checks have passed