Change PostgreSQL authentication method to scram-sha-256

Description

Since JDBC 42.2.0 (https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.0) and PostgreSQL 10 we can use the SCRAM-SHA-256 authentication method.

As we can see in https://www.postgresql.org/docs/current/auth-password.html, this method is described as:

This is the most secure of the currently provided methods, but it is not supported by older client libraries.

Until now, in an instance based on 6.2 (or the default branch) with SCRAM-SHA-256, no problems were detected.

Maybe in the future, with more feedback from the community, we can change the installation guides to use this method and provide more security in a custom install for new users.

For reference, to change an existing instance you need to:

1) modify your postgresql.conf:
password_encryption = scram-sha-256

2) change the pg_hba.conf auth method from md5 to scram-sha-256:
TYPE DATABASE USER ADDRESS METHOD
host all all 1.2.3.4/32 scram-sha-256

3) reload the server configuration to apply the new settings:
select pg_reload_conf();

4) change the users' passwords (so a new SCRAM-SHA-256 secret is stored):
alter user postgres with password 'add_new_password';

NOTE: to get a list of all users whose passwords should be changed, use:
SELECT rolname FROM pg_authid WHERE rolcanlogin;
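What the server actually stores for each method, as an added example that is not from this issue or from iDempiere: a Python re-implementation of PostgreSQL's md5 and SCRAM-SHA-256 password verifier formats (RFC 5802/7677 key derivation, 4096 iterations as in PostgreSQL's default) together with the pg_authid audit behind the NOTE query above. The role rows and passwords are constructed sample data.

```python
import base64, hashlib, hmac

def md5_verifier(password: str, rolname: str) -> str:
    # Legacy "md5" format: literal prefix + md5(password || role name); the only salt is the role name.
    return "md5" + hashlib.md5((password + rolname).encode()).hexdigest()

def scram_keys(password: str, salt: bytes, iterations: int):
    # RFC 5802 derivation with SHA-256 (RFC 7677); PostgreSQL SASLpreps the password first, a no-op for ASCII.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key

def scram_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    # Stored in pg_authid.rolpassword when password_encryption = scram-sha-256 (server draws a random 16-byte salt):
    #   SCRAM-SHA-256$<iterations>:<salt b64>$<StoredKey b64>:<ServerKey b64>
    stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def check_scram(verifier: str, password: str) -> bool:
    # Recompute both keys from a candidate password and compare in constant time.
    header, keys = verifier.split("$")[1:]
    iterations, salt_b64 = header.split(":")
    stored_b64, server_b64 = keys.split(":")
    stored_key, server_key = scram_keys(password, base64.b64decode(salt_b64), int(iterations))
    return (hmac.compare_digest(base64.b64encode(stored_key).decode(), stored_b64)
            and hmac.compare_digest(base64.b64encode(server_key).decode(), server_b64))

def classify(rolpassword):
    # Which secret format a role carries; roles still on "md5" cannot log in through
    # a scram-sha-256 pg_hba.conf line until their password is reset (step 4 above).
    if rolpassword is None:
        return "none"
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    return "md5" if rolpassword.startswith("md5") else "unknown"

def audit(rows):
    # rows: (rolname, rolpassword) pairs as returned by SELECT rolname, rolpassword FROM pg_authid WHERE rolcanlogin;
    return {rolname: classify(rolpassword) for rolname, rolpassword in rows}

SAMPLE_ROLES = [  # constructed rows standing in for a real pg_authid query result
    ("postgres", md5_verifier("constructed-pw", "postgres")),
    ("app_user", scram_verifier("constructed-pw", salt=bytes(16))),
    ("report_ro", None),
]
```

Roles that audit() reports as md5 still hold the old secret after steps 1-3 and can authenticate through a scram-sha-256 pg_hba.conf line only once step 4 has stored a new SCRAM verifier for them.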

Environment

None

Activity

Murilo Habermann Torquato May 16, 2019 at 12:59 PM

afaik there's nothing related to scram-sha-256 that we can use for that.

Talking with some friends, they pointed me to an old project called Jasypt (but as you said it's just a file encryption tool).

just for reference: my friend sent me this link http://mbcoder.com/spring-boot-how-to-encrypt-properties-in-application-properties/

Carlos Ruiz May 9, 2019 at 11:36 AM

Thanks,

I changed the wiki page:
https://wiki.idempiere.org/en/Install_Prerequisites#Configure_pg_hba.conf
to add the corresponding comments about this suggestion.

I don't know if it is possible with this new method, but something that would be very good to have is a better way to save the postgresql password encrypted by default in idempiereEnv.properties - at this moment the default is to save it unencrypted, and I think it can be saved encrypted, but again, if it is encrypted with the weak default algorithm it is still very unsafe; it would be better to save it with a stronger encryption method. Maybe this scram-sha-256 allows something like that?

Regards,

Carlos Ruiz

Fixed

Details

Created April 30, 2019 at 9:12 PM
Updated July 1, 2019 at 7:54 PM
Resolved May 9, 2019 at 11:36 AM