
Password authentication

Andrey Aksenov

This topic describes password authentication methods. Such methods are used to verify a user’s password when connecting to a database.

To use password authentication, a user must have a password set. A user without a password cannot be authenticated by any of the password methods: authentication fails for that user regardless of the method configured in pg_hba.conf.

Password authentication methods

The available password authentication methods are described below.

password

The password authentication method requires the client to send the password in plain text, so anyone who can observe the connection can read it (password sniffing). If this method is used at all, restrict it to SSL-secured connections (hostssl entries in pg_hba.conf) so that the password is at least protected in transit.

md5

The md5 authentication method performs SCRAM-SHA-256 or MD5 authentication, depending on how the user’s password is hashed on the server: a user whose password is stored as a SCRAM-SHA-256 verifier is authenticated with SCRAM-SHA-256, and a user with an MD5-hashed password falls back to the older, less secure MD5 challenge-response mechanism. The MD5 fallback still prevents password sniffing on the wire, but the stored MD5 hash is password-equivalent: an attacker who steals it from the server can answer the challenge without knowing the password.

The md5 authentication method cannot be used when db_user_namespace is enabled.

scram-sha-256

The scram-sha-256 authentication method performs SCRAM-SHA-256 authentication as described in RFC 5802 (with the SHA-256 hash function as specified in RFC 7677) to verify a user’s password. This is a challenge-response scheme that prevents password sniffing on untrusted connections, and, unlike MD5, the verifier stored on the server is not by itself enough to authenticate as the user if it is stolen. SCRAM-SHA-256 is the most secure of the available password methods, but older client libraries might not support it.
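The difference between the two challenge-response methods is easiest to see by running both offline. The following Python script is an added example, not code from Greengage DB or PostgreSQL: it simulates the MD5 challenge-response and the SCRAM-SHA-256 exchange with hashlib and hmac only, using the on-disk formats PostgreSQL writes to pg_authid (md5 followed by a hex digest; SCRAM-SHA-256$iterations:salt$StoredKey:ServerKey). The usernames, passwords and nonces are constructed. It shows that a stolen md5 hash answers the challenge directly, while a stolen SCRAM verifier contains only H(ClientKey), which is not enough to build a valid client proof.

```python
"""Stolen md5 hash vs stolen SCRAM-SHA-256 verifier (constructed, offline example)."""
import base64
import hashlib
import hmac
import os


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# ---- md5 method: pg_authid stores "md5" + md5(password || username) ----

def md5_stored(username: str, password: str) -> str:
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def md5_response(stored: str, salt: bytes) -> str:
    # The response to the 4-byte salt challenge is md5(<inner hex digest> || salt).
    # The inner hex digest is exactly what the server stores, so the stored value
    # alone is enough to answer the challenge ("pass the hash").
    return "md5" + hashlib.md5(stored[3:].encode() + salt).hexdigest()


def md5_client_response(username: str, password: str, salt: bytes) -> str:
    # A legitimate client derives the inner digest from the password first.
    return md5_response(md5_stored(username, password), salt)


def md5_server_verify(stored: str, salt: bytes, response: str) -> bool:
    return hmac.compare_digest(md5_response(stored, salt), response)


# ---- scram-sha-256 method: pg_authid stores StoredKey = H(ClientKey) and ServerKey ----

def scram_keys(password: str, salt: bytes, iterations: int):
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, server_key


def scram_stored(password: str, salt: bytes = b"", iterations: int = 4096) -> str:
    salt = salt or os.urandom(16)
    client_key, server_key = scram_keys(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()  # H(ClientKey), never ClientKey itself
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"


def scram_parse(stored: str):
    _, params, keys = stored.split("$")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_auth_message(cnonce: str, snonce: str, salt: bytes, iterations: int) -> str:
    # client-first-bare, server-first, client-final-without-proof (RFC 5802 section 3).
    # PostgreSQL sends an empty username in client-first; c=biws is base64("n,,").
    nonce = cnonce + snonce
    return f"n=,r={cnonce},r={nonce},s={b64(salt)},i={iterations},c=biws,r={nonce}"


def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: str) -> bytes:
    client_key, _ = scram_keys(password, salt, iterations)
    stored_key = hashlib.sha256(client_key).digest()
    client_sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    return xor(client_key, client_sig)  # ClientProof = ClientKey XOR ClientSignature


def scram_server_verify(stored: str, auth_message: str, proof: bytes) -> bool:
    _, _, stored_key, _ = scram_parse(stored)
    client_sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    client_key = xor(proof, client_sig)  # recover ClientKey, then check H(ClientKey)
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def scram_forged_proof(stored: str, auth_message: str) -> bytes:
    # Attacker holding only the pg_authid row: StoredKey lets them compute
    # ClientSignature, but ClientKey is a SHA-256 preimage of StoredKey. Using
    # StoredKey as the ClientKey guess is as good as any other guess.
    _, _, stored_key, _ = scram_parse(stored)
    client_sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    return xor(stored_key, client_sig)


def stolen_hash_logs_in(method: str, username: str = "dba", password: str = "correct horse") -> bool:
    """True if the stored hash alone is enough to pass the challenge-response."""
    if method == "md5":
        stored = md5_stored(username, password)
        salt = os.urandom(4)
        return md5_server_verify(stored, salt, md5_response(stored, salt))
    stored = scram_stored(password)
    iterations, salt, _, _ = scram_parse(stored)
    auth_message = scram_auth_message("client-nonce", "server-nonce", salt, iterations)
    legit = scram_client_proof(password, salt, iterations, auth_message)
    assert scram_server_verify(stored, auth_message, legit)  # the real client still works
    return scram_server_verify(stored, auth_message, scram_forged_proof(stored, auth_message))


if __name__ == "__main__":
    print("md5 hash alone logs in:", stolen_hash_logs_in("md5"))
    print("scram verifier alone logs in:", stolen_hash_logs_in("scram-sha-256"))
```

Note that a stolen SCRAM verifier is still sensitive: it allows an offline dictionary attack on the password (the salt and iteration count are stored with it) and lets an attacker impersonate the server, so protect pg_authid regardless of the method.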

Authentication methods and password hashing

The availability of the different password authentication methods depends on how a user’s password is hashed on the server. This is controlled by the password_hash_algorithm server configuration parameter.

The list below shows which authentication method Greengage DB actually performs for each combination of pg_hba.conf authentication method and password hashing algorithm.

password

The password authentication method can be used with any hashing algorithm supported by Greengage DB:

  • sha-256

  • md5

  • scram-sha-256

In all cases, the password is sent as plain text.

md5

The md5 authentication method can be used with the following hashing algorithms:

  • md5: MD5 authentication is performed to verify a user’s password.

  • scram-sha-256: SCRAM-SHA-256 authentication is performed to verify a user’s password.

A user whose password is hashed with sha-256 cannot authenticate through an md5 entry.

scram-sha-256

The scram-sha-256 authentication method can only be used with the scram-sha-256 hashing algorithm. In this case, SCRAM-SHA-256 authentication is performed to verify a user’s password. Users whose passwords are hashed with md5 or sha-256 cannot authenticate through a scram-sha-256 entry until their passwords are reset with password_hash_algorithm set to SCRAM-SHA-256.

Example

The configuration below, defined in the pg_hba.conf file, allows remote connections for the following users:

  • The dba user: depending on the password hashing algorithm in use for that user, MD5 or SCRAM-SHA-256 authentication is performed to verify their password.

  • Users from the sales_team group: SCRAM-SHA-256 authentication is performed to verify their passwords, so every member of the group must have a SCRAM-SHA-256-hashed password.

# connection-type  database  user         address          auth-method
host               all       dba          192.168.1.0/24   md5
host               sales     +sales_team  192.168.10.0/24  scram-sha-256
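Because the method in pg_hba.conf must be compatible with how each user’s password is stored, a mismatch only shows up as a failed login. The following Python script is an added example, not part of the page or of Greengage DB: it parses the two pg_hba.conf lines above together with a constructed set of pg_authid-like rows and reports, for every entry that matches a user, whether authentication can succeed and which method the server would actually run. The hash prefixes it recognises (md5..., sha256..., SCRAM-SHA-256$...) are assumed to be those written for the md5, sha-256 and scram-sha-256 values of password_hash_algorithm; the role names, group memberships and hash bodies are constructed.

```python
"""Audit pg_hba.conf password methods against stored password hashes (constructed example)."""
import ipaddress
import re

# Which stored-hash kinds each pg_hba.conf password method can verify.
COMPATIBLE = {
    "password": {"md5", "sha-256", "scram-sha-256"},
    "md5": {"md5", "scram-sha-256"},
    "scram-sha-256": {"scram-sha-256"},
}

# The two entries from this page.
PG_HBA = """\
# connection-type  database  user         address          auth-method
host               all       dba          192.168.1.0/24   md5
host               sales     +sales_team  192.168.10.0/24  scram-sha-256
"""

# Constructed pg_authid-like rows: (rolname, rolpassword, groups). Hash bodies are dummies.
ROLES = [
    ("dba",   "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy", set()),
    ("alice", "md5" + "0123456789abcdef" * 2, {"sales_team"}),
    ("bob",   "sha256" + "0" * 64, {"sales_team"}),
    ("carol", None, {"sales_team"}),
]


def hash_kind(rolpassword):
    """Map a stored rolpassword to the page's hashing-algorithm names (assumed prefixes)."""
    if rolpassword is None:
        return None  # no password: every password method fails for this role
    if rolpassword.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    if rolpassword.startswith("md5"):
        return "md5"
    if rolpassword.startswith("sha256"):
        return "sha-256"
    return "unknown"


def parse_pg_hba(text):
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ctype, database, user, address, method = re.split(r"\s+", line)[:5]
        entries.append(dict(type=ctype, database=database, user=user,
                            address=ipaddress.ip_network(address), method=method))
    return entries


def entry_matches(entry, rolname, groups):
    u = entry["user"]
    return u == "all" or u == rolname or (u.startswith("+") and u[1:] in groups)


def effective_method(entry, kind):
    """The method the server actually runs: an md5 entry upgrades to SCRAM for SCRAM hashes."""
    if entry["method"] == "md5" and kind == "scram-sha-256":
        return "scram-sha-256"
    return entry["method"]


def audit(pg_hba_text=PG_HBA, roles=ROLES):
    """Return {rolname: [(entry summary, verdict), ...]} for every matching entry."""
    report = {}
    entries = parse_pg_hba(pg_hba_text)
    for rolname, rolpassword, groups in roles:
        kind = hash_kind(rolpassword)
        findings = []
        for e in entries:
            if not entry_matches(e, rolname, groups):
                continue
            where = f"{e['type']} {e['database']} {e['user']} {e['address']} {e['method']}"
            if kind is None:
                verdict = "FAIL: role has no password"
            elif kind in COMPATIBLE[e["method"]]:
                verdict = f"OK: {effective_method(e, kind)} authentication"
                if e["method"] == "password" and e["type"] != "hostssl":
                    verdict += " (plain-text password on a non-SSL entry)"
            else:
                verdict = f"FAIL: {e['method']} entry cannot verify a {kind} hash"
            findings.append((where, verdict))
        report[rolname] = findings
    return report


if __name__ == "__main__":
    for role, findings in audit().items():
        for where, verdict in findings:
            print(f"{role:6} {where:50} {verdict}")
```

With the constructed rows, dba passes through the md5 entry but is actually authenticated with SCRAM-SHA-256, while alice (md5 hash), bob (sha-256 hash) and carol (no password) are all flagged as unable to log in through the scram-sha-256 entry for sales_team. On a real system, the rolpassword column of pg_authid (readable only by superusers) supplies the second input.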