Postgresql从MD5密码验证改为SCRAM-SHA-256
生活随笔
收集整理的這篇文章主要介紹了
Postgresql从MD5密码验证改为SCRAM-SHA-256
小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.
隨著密碼學(xué)技術(shù)的發(fā)展,MD5哈希算法構(gòu)造的密碼越來越不安全,所以,PG順應(yīng)發(fā)展,從10版本開始支持了SCRAM-SHA-256加密算法,因為使用的新的哈希算法。使得在暴力破解的時候花費的代價更加昂貴。那么,接下來,在PG中看一下如何從MD5切換到SCRAM-SHA-256。
首先,太老的的驅(qū)動不支持SCRAM-SHA-256,都會報錯,如JDBC,會報The authentication type 10 is not supported。那么就需要升級驅(qū)動。
接下來就是數(shù)據(jù)庫服務(wù)端修改配置:
#修改postgresql.conf參數(shù)文件 password_encryption = scram-sha-256 #重新載入配置文件 pg_ctl reload -D $PGDATA 或 SELECT pg_reload_conf(); #查看參數(shù)配置是否修改成功 SHOW password_encryption; #重置用戶密碼 \password user_name #修改pg_hba.conf驗證方法,然后reload即可 如: host all all 0.0.0.0/0 md5 改為 host all all 0.0.0.0/0 scram-sha-256實例:
#通過\password user_name修改了hank用戶密碼 postgres=# select rolname,rolpassword from pg_authid where rolname in('hank','zabbix');rolname | rolpassword ---------+---------------------------------------------------------------------------------------------------------------------------------------zabbix | md5435f13d666b53dd9b4b829e237213fd8hank | SCRAM-SHA-256$4096:yqNGsct76W5ZjPvMxxjzRw==$NmR4QIuHRlhu+I/HP1TQ4OC6stmtgN6Oc7oZa76tKxQ=:kNOwGMU+tSbJ2QQiD1Hb/rCKX7/coQEdkeUjD9+pEhE=#pg_hba.conf沒有修改,但是同樣可以通過密碼登陸,這是pg的一個兼容性特性,即使沒寫SCRAM-SHA-256,可以自動識別密碼為SCRAM-SHA-256加密的,然后驗證通過,而且使用老的MD5加密的用戶也可以正常登陸 host all all 0.0.0.0/0 md5psql -h ******* -p 1921 -U hank Password for user hank: psql (12.6) Type "help" for help. hank=> #如果修改pg_hba.conf為scram-sha-256,即使zabbix用戶寫對密碼,也無法正常登陸,如下,只有通過scram-sha-256加密的hank用戶可正常登陸,也可以查看視圖pg_hba_file_rules host all all 0.0.0.0/0 scram-sha-256psql -h xxxxx -p 1921 -U zabbix Password for user zabbix: psql: error: FATAL: password authentication failed for user "zabbix"psql -h xxxxxx -p 1921 -U hank Password for user hank: psql (12.6) Type "help" for help.hank=> #修改密碼后,可正常登陸 postgres=# \password zabbix Enter new password: Enter it again: postgres=# select rolname,rolpassword from pg_authid where rolname in('hank','zabbix');rolname | rolpassword ---------+---------------------------------------------------------------------------------------------------------------------------------------hank | SCRAM-SHA-256$4096:yqNGsct76W5ZjPvMxxjzRw==$NmR4QIuHRlhu+I/HP1TQ4OC6stmtgN6Oc7oZa76tKxQ=:kNOwGMU+tSbJ2QQiD1Hb/rCKX7/coQEdkeUjD9+pEhE=zabbix | SCRAM-SHA-256$4096:Q2LODw88k0a3G9cr36Crvw==$EhBkOVbaNIxpqZADeYGCQE6LIam/k+aqmdQqBuxJM28=:Xw+ySsSGidAdvfQ/98LL38NnK1wsT96sivwtJZ144vU= (2 rows)psql -h xxxxxxxx -p 1921 -U zabbix Password for user zabbix: psql (12.6) Type "help" for help.zabbix=>總結(jié)
以上是生活随笔為你收集整理的Postgresql从MD5密码验证改为SCRAM-SHA-256的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
