Re: PostgreSQL 10 SCRAM-SHA-256 ruby-pg encryption support

Lars Kanis
Jan 2, 2018, 9:26:18 AM
to aleks...@ledovskis.lv, Michael Granger, rub...@googlegroups.com

Hi Aleksandrs,

SCRAM authentication can only be used if you use a PostgreSQL-10 server and client library (libpq), and ruby-pg must be linked to a libpq version of PostgreSQL-10.

There are two parts of use:
(1) Setting a password of a user and
(2) Verification of a password of a user.

(1) will use SCRAM when the password is given in cleartext and the password_encryption method is set to SCRAM. Alternatively, the password can be encrypted on the client side, which is done by the psql and createuser tools, but this is not yet supported in ruby-pg.
(2) is entirely implemented by libpq, so when a user was created with a SCRAM password, it will be used automatically. This is transparent for ruby-pg.

So if you use createuser or psql "\password" you can already use SCRAM in PostgreSQL-10. I'll try to add support for setting a password with client-side SCRAM encryption in the next few days. But be sure to link ruby-pg to a libpq version of PostgreSQL-10! Stay tuned!

--
Regards,
Lars


2018-01-02 13:25 GMT+01:00 <aleks...@ledovskis.lv>:
Hello,

I saw that Heikki Linnakangas has updated the "List of drivers" wiki page[0] to state that the ruby-pg driver supports[1] SCRAM-SHA-256 authentication.
From what I have seen in libpq-docs[2], the old PQencryptPassword[3] function call is MD5 only.

Can you confirm that SCRAM-SHA-256 authentication is not yet supported in ruby-pg?

[0] - https://wiki.postgresql.org/wiki/List_of_drivers
[1] - https://wiki.postgresql.org/index.php?title=List_of_drivers&diff=prev&oldid=30827
[2] - https://www.postgresql.org/docs/10/static/libpq-misc.html
[3] - https://github.com/ged/ruby-pg/blob/master/ext/pg_connection.c#L445

--
Thanks,
Aleksandrs Ļedovskis

aleks...@ledovskis.lv
Jan 2, 2018, 3:34:03 PM
to rub...@googlegroups.com

Hello,

I have just re-tested my own setup and indeed it works!
Previously, while I had ensured client & server PG v10 compatibility + pg_hba configs, I had forgotten to ALTER roles so that the hashing algo (rolpassword) reflects the `password_encryption` configuration option.
Now, when `select * from pg_authid;` returns rolpasswords prefixed with 'SCRAM-SHA-256$', connections from ruby-pg do succeed.

On Tue, Jan 02, 2018 at 03:26:16PM +0100, Lars Kanis wrote:
> Hi Aleksandrs,
>
> SCRAM authentication can only be used, if you use PostgreSQL-10 server and
> client library (libpq) and ruby-pg must be linked to a libpq version of
> PostgreSQL-10.
>
> There are two parts of use:
> (1) Setting a password of a user and
> (2) Verification of a password of a user.
>
> (1) will use SCRAM when the password is given in cleartext and
> password_encryption
> <https://www.postgresql.org/docs/10/static/runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION>
--
Best,
Aleksandrs Ļedovskis
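
Added example, not part of either message and not ruby-pg code: Ruby for the client-side derivation mentioned under (1) and for the 'SCRAM-SHA-256$' rolpassword check from the reply above, applied to find roles that still hold an older hash. The function names, the salt and iteration defaults and the sample rows are assumptions of this example, and only ASCII passwords are handled (no SASLprep step).

```ruby
require "openssl"
require "securerandom"

# Layout of pg_authid.rolpassword for a SCRAM role in PostgreSQL 10:
#   SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>  (binary parts base64)
B64 = "[A-Za-z0-9+/=]+"
SCRAM_RE = /\ASCRAM-SHA-256\$(?<iter>\d+):(?<salt>#{B64})\$#{B64}:#{B64}\z/

# Derive the verifier from a cleartext password (RFC 5802 key derivation, SHA-256).
# Assumptions: ASCII password (SASLprep is then a no-op); salt length and
# iteration count are this example's defaults.
def scram_sha256_verifier(password, salt: SecureRandom.random_bytes(16), iterations: 4096)
  salted = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, OpenSSL::Digest.new("SHA256"))
  client_key = OpenSSL::HMAC.digest("SHA256", salted, "Client Key")
  stored_key = OpenSSL::Digest.digest("SHA256", client_key)
  server_key = OpenSSL::HMAC.digest("SHA256", salted, "Server Key")
  parts = [salt, stored_key, server_key].map { |bytes| [bytes].pack("m0") }
  "SCRAM-SHA-256$#{iterations}:#{parts[0]}$#{parts[1]}:#{parts[2]}"
end

# Classify a rolpassword value (nil means the role has no password).
def rolpassword_kind(value)
  return :none if value.nil?
  return :scram_sha_256 if SCRAM_RE.match?(value)
  return :md5 if value.match?(/\Amd5\h{32}\z/)
  :unknown
end

# Roles that still hold a non-SCRAM hash and need their password set again.
def roles_needing_reset(rows)
  rows.select { |r| %i[md5 unknown].include?(rolpassword_kind(r[:rolpassword])) }
      .map { |r| r[:rolname] }
end

# Re-derive with the stored salt and iteration count, then compare.
def scram_verifier_matches?(rolpassword, password)
  m = SCRAM_RE.match(rolpassword.to_s) or return false
  candidate = scram_sha256_verifier(password, salt: m[:salt].unpack1("m0"), iterations: m[:iter].to_i)
  OpenSSL.secure_compare(candidate, rolpassword)
end

# Constructed rows standing in for `select rolname, rolpassword from pg_authid`.
SAMPLE_ROWS = [
  { rolname: "app", rolpassword: scram_sha256_verifier("constructed-pw", salt: "0123456789abcdef") },
  { rolname: "legacy", rolpassword: "md5" + "0" * 32 },
  { rolname: "nopass", rolpassword: nil },
]
p roles_needing_reset(SAMPLE_ROWS) # prints ["legacy"]
```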