SCRAM-SHA-256 documentation #703

Open
roaldle opened this issue Apr 8, 2022 · 0 comments
Labels
Documentation Improvements or additions to documentation

Introduction

There is almost no information on the access method scram-sha-256. It took me some time to get it working and I would like to share what I did.

Problem

The user's password is created by using the ALTER ROLE command with the help of the psql CLI tool. In my case, I wanted to change the password to an already hashed value. This requires some extra escaping or you will end up with a different value.
The query below is changed after every $ character.

  root@dokken:/# psql --echo-queries -c "ALTER ROLE user1 WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'SCRAM-SHA-256$4096:27klCUc487uwvJVGKI5YNA==$6K2Y+S3YBlpfRNrLROoO2ulWmnrQoRlGI1GqpNRq0T0=:y4esBVjK/hMtxDB5aWN4ynS1SnQcT1TFTqV0J/snls4='"
  ALTER ROLE user1 WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD 'SCRAM-SHA-256096:27klCUc487uwvJVGKI5YNA==K2Y+S3YBlpfRNrLROoO2ulWmnrQoRlGI1GqpNRq0T0=:y4esBVjK/hMtxDB5aWN4ynS1SnQcT1TFTqV0J/snls4='
  ALTER ROLE

Possible Solution

I replaced the $ character with \$ and then the authentication will work with the correct password.

  postgresql_user 'user1' do
    # Escape every $ so the shell that runs psql does not expand it
    password 'SCRAM-SHA-256$4096:27klCUc487uwvJVGKI5YNA==$6K2Y+S3YBlpfRNrLROoO2ulWmnrQoRlGI1GqpNRq0T0=:y4esBVjK/hMtxDB5aWN4ynS1SnQcT1TFTqV0J/snls4='.gsub('$', '\$')
    action [:create, :update]
  end

Additional context

The company I work for has its own control panel where users can create databases and provide the password they would like to use. The password is hashed on the fly and then a chef job is scheduled to create the required database and user. Chef only gets the hashed password, never the plain text one.
I created the hashed password with the help of the code in: https://github.com/supercaracal/scram-sha-256.

@roaldle roaldle added the Feature Request Enhancement to existing functionality or new functionality label Apr 8, 2022
@damacus damacus added Documentation Improvements or additions to documentation and removed Feature Request Enhancement to existing functionality or new functionality labels Nov 4, 2024
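
Added example, not part of the original issue or the cookbook's code: a Ruby check that a SCRAM-SHA-256 verifier is still well-formed before it reaches PostgreSQL, which catches the `$` expansion shown in the psql output above, plus a shell-safe way to build the psql command. The helper names (`parse_verifier`, `build_verifier`, `verifier_matches?`, `psql_alter_role`) are hypothetical, and an ASCII password is assumed (no SASLprep normalisation).

```ruby
require 'openssl'
require 'shellwords'

# Stored form: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, base64 fields.
VERIFIER_RE = %r{\ASCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)\z}

# Decoded fields, or nil if the string is not a well-formed verifier
# (for example after a shell expanded "$4" and "$6" to nothing).
def parse_verifier(str)
  m = VERIFIER_RE.match(str) or return nil
  salt, stored, server = m.captures[1..3].map { |f| f.unpack1('m0') } # strict base64
  return nil unless m[1].to_i.positive? && stored.bytesize == 32 && server.bytesize == 32
  { iterations: m[1].to_i, salt: salt, stored_key: stored, server_key: server }
rescue ArgumentError # raised by unpack1 on invalid base64
  nil
end

# Derive a verifier from a plaintext password (RFC 5802 key derivation).
# Assumption: ASCII password, so SASLprep normalisation is skipped.
def build_verifier(password, salt: OpenSSL::Random.random_bytes(16), iterations: 4096)
  sha256 = OpenSSL::Digest.new('SHA256')
  salted = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, sha256)
  client_key = OpenSSL::HMAC.digest('SHA256', salted, 'Client Key')
  stored_key = OpenSSL::Digest.digest('SHA256', client_key)
  server_key = OpenSSL::HMAC.digest('SHA256', salted, 'Server Key')
  b64 = ->(bytes) { [bytes].pack('m0') }
  ['SCRAM-SHA-256', "#{iterations}:#{b64[salt]}",
   "#{b64[stored_key]}:#{b64[server_key]}"].join('$')
end

# Recompute with the stored salt and iteration count, compare in constant time.
def verifier_matches?(verifier, password)
  v = parse_verifier(verifier) or return false
  candidate = build_verifier(password, salt: v[:salt], iterations: v[:iterations])
  OpenSSL.secure_compare(candidate, verifier)
end

# psql command line that survives the shell: Shellwords.escape backslash-escapes "$".
# Refuses malformed verifiers and role names outside a conservative pattern.
def psql_alter_role(role, verifier)
  raise ArgumentError, 'bad role name' unless role.match?(/\A[a-z_][a-z0-9_]*\z/)
  raise ArgumentError, 'malformed SCRAM verifier' unless parse_verifier(verifier)
  sql = "ALTER ROLE #{role} PASSWORD '#{verifier}'"
  "psql -c #{Shellwords.escape(sql)}"
end
```

Running `parse_verifier` on the value psql echoed back in the issue returns nil, so a mangled hash is rejected before it replaces a working password.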