Chef Ideas

We believe that the best way to build software is to do it in close collaboration with the people who use it. We invite you to submit your ideas using the form below. Please be sure to include the problem for which you are solving and the benefits of implementing the idea.

We do our best to implement as many Ideas as we can. Our Product team will evaluate all submitted ideas in a timely manner and will disposition each into one of the following categories: will integrate into the product roadmap, further research is needed, unlikely to implement.

Thanks for collaborating with us!

Support SCRAM-SHA-256 password encryption for PostgreSQL

PostgreSQL 14 was recently released (2021-09-30), and set password_encryption='scram-sha-256' as the default password_encryption configuration value in postgresql.conf (changed from password_encryption='md5').

What it does: (source)

When a password is specified in CREATE ROLE or ALTER ROLE, this parameter determines the algorithm to use to encrypt the password. Possible values are scram-sha-256, which will encrypt the password with SCRAM-SHA-256, and md5, which stores the password as an MD5 hash. The default is scram-sha-256.
Note that older clients might lack support for the SCRAM authentication mechanism, and hence not work with passwords encrypted with SCRAM-SHA-256.

Further reference:

Any new users created or passwords changed with this parameter set to scram-sha-256 will require updated client library/driver support for password authentication.

This parameter was initially available in PostgreSQL 10, but scram-sha-256 has not been the default value until PostgreSQL 14. This change affects any downstream products using PostgreSQL as the underlying database, as well as the various client libraries and/or drivers supporting PostgreSQL connectivity, including libpq, ruby-pg, and epgsql.

Most upstream client libraries/drivers were updated to support SCRAM-SHA-256 for user authentication after the release of PostgreSQL 10, but many forked or pinned client libraries have not carried forward the necessary changes.

While resetting this parameter to md5 will work as a workaround, this will become a particular issue where the customer operates an external database cluster, and/or customers wanting to eliminate use of MD5 password hashing for security or compliance reasons (e.g., FIPS).

Note: This is separate, but related to the pg_hba.conf auth-method specification, which specifies the (minimum) authentication method to use when a connection matches that record. It permits continued use of existing MD5 password hashes from legacy client libraries/drivers, assuming the password is stored in MD5 format on the server, however, newer libraries/drivers will be needed if the password is updated and stored in in SCRAM format.

Per the link above:

To ease transition from the md5 method to the newer SCRAM method, if md5 is specified as a method in pg_hba.conf but the user's password on the server is encrypted for SCRAM, then SCRAM-based authentication will automatically be chosen instead.
  • Aaron Pavely
  • Oct 5 2021
  • New
  • Attach files