Open iSignal opened 4 years ago
This would be great. Is there any way to enable scram-sha-256 manually now?
Here are some additional advantages of using SCRAM-SHA-256 over MD5:
@sstubbs Yes, you can enable scram-sha-256 now. Documentation on enabling it is in draft PR #5391, which I'll publish after clarifying migration steps.
Jira Link: DB-2236
scram-sha-256 allows a challenge-response based authentication instead of md5, which simply seems to send over the MD5 of the password, afaik.
Client support for scram-sha-256 is described in https://wiki.postgresql.org/wiki/List_of_drivers#Drivers and scram-sha-256 mode of auth is described in https://info.crunchydata.com/blog/how-to-upgrade-postgresql-passwords-to-scram
This should be the default auth mode enabled when the --ysql_enable_auth flag is specified.
[Steve: I believe that the password_encryption is used regardless of whether authentication is enabled or not. It's just that when enabled, any existing passwords must be in the expected hashed format or they cannot be used.]
If we are concerned about client compatibility, we could make it default to scram-sha-256 falling back to md5.
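For the migration point raised above (existing passwords must already be in the expected hashed format), here is an added example, not part of the issue or of YugabyteDB's code: it builds both stored-password formats and flags roles that still hold an md5 hash and so need a password reset before md5 is dropped. It assumes YSQL stores passwords in PostgreSQL's `pg_authid.rolpassword` formats, uses constructed role names and passwords, and skips SASLprep (ASCII passwords only).

```python
import base64, hashlib, hmac, os, re

def pg_md5(password, role):
    # PostgreSQL md5 format: "md5" + hex(md5(password || role name)).
    # No per-user random salt: same role + same password = same hash.
    return "md5" + hashlib.md5((password + role).encode()).hexdigest()

def derive_keys(password, salt, iterations):
    # RFC 5802 / RFC 7677 key derivation; returns (StoredKey, ServerKey).
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest(), server_key

def scram_verifier(password, salt=None, iterations=4096):
    # Stored form: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>
    salt = os.urandom(16) if salt is None else salt
    stored, server = derive_keys(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored)}:{b64(server)}"

def scram_matches(verifier, password):
    # Recompute the keys from the verifier's own salt and iteration count.
    _, params, keys = verifier.split("$")
    iterations, salt = params.split(":")
    stored, server = derive_keys(password, base64.b64decode(salt), int(iterations))
    expected = (base64.b64encode(stored) + b":" + base64.b64encode(server)).decode()
    return hmac.compare_digest(expected, keys)

def classify(rolpassword):
    if rolpassword is None:
        return "no password"
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if re.fullmatch(r"md5[0-9a-f]{32}", rolpassword):
        return "md5"
    return "unrecognized"

def roles_needing_reset(rows):
    # An md5 hash cannot be converted to a SCRAM verifier without the
    # plaintext, so these roles must set their password again.
    return [name for name, pw in rows if classify(pw) == "md5"]

# Constructed sample of (rolname, rolpassword) rows.
SAMPLE_ROWS = [
    ("app_rw", pg_md5("constructed-pw-1", "app_rw")),
    ("reporting", scram_verifier("constructed-pw-2")),
    ("nologin_owner", None),
]

if __name__ == "__main__":
    print(roles_needing_reset(SAMPLE_ROWS))
```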