No support of SCRAM authentification in PostgreSQL #779
Comments
Fix Steps

1. Change your password encryption

In SQL Console (e.g. PgAdmin):

```
> SHOW password_encryption;
scram-sha-256
-- not sure if this is set by the setting in `postgresql.conf`
> SET password_encryption = 'md5';
> ALTER USER "{your-db-user-name}" with password '{your-db-password}';
```

2. Change encryption in
|
@signedav thank you very much for the contribution, I followed the steps and everything worked fine.

The error: No support of SCRAM authentification in PostgreSQL

Valid postgres version we are using:

```
select version()
> PostgreSQL 15.1 (Ubuntu 15.1-1.pgdg22.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0, 64-bit
```

Change encryption in postgresql.conf

```
SHOW config_file;
/etc/postgresql/15/main/postgresql.conf
```

Change encryption in pg_hba.conf

```
SHOW hba_file;
/etc/postgresql/15/main/pg_hba.conf
```

Restart postgres service to apply changes

```
sudo systemctl restart postgresql.service
```

Update password to md5

```
SHOW password_encryption;
ALTER USER "postgres" with password 'secret';
SELECT rolpassword from pg_authid where rolname = 'postgres';
```

|
@signedav - we ran into this issue in our PostgreSQL/PostGIS course today. Do you see any chance that pgjdbc will support scram-sha-256 in the future? I believe that future DB admins will enforce the better encryption in the future - and then there will be no chance to work with ili2pg/ModelBaker in the future with newer PostgreSQL versions ... DBeaver is also a Java based application and works fine with scram-sha-256 - are they not using pgjdbc? Anyway: thank you for the good summary and step-by-step explanation for the workaround! |
I think (not sure) pgjdbc is already supporting it but ili2db is not yet using it (see claeis/ili2db#448) since java "42.2.18.jre6" is used (targeting JRE 6). I don't know about the effort / risk to bump ili2db to a newer JRE (see it's marked as 5.0.0 milestone). |
@signedav - thank you for the clarification! |
This is fixed with ili2db 5.0.0 🎉 |
See this issue claeis/ili2db#448

At least in the Model Baker Documentation should be an entry of this and a solution.

The documentation says (of course `scram-sha-256` could be replaced with `md5` to do the other way around):

What only a change in one of those files does?

I think - but not sure - `postgresql.conf` defines how the password should be encrypted (hashed) when creating / altering a user and `pg_hba.conf` defines what kind of encryption (hash) is expected by the password sent by the client.

But as mentioned in the first quote "[...] `postgresql.conf`, make all users set new passwords [...]" - so this step with `ALTER USER` is requested automatically. Not sure if this could be a little risky that currently running clients do not work anymore, when the encryption on server side changed.

Btw. I see in the documentation as well:

So it's possible that one changed it on `pg_hba.conf` but still the "previous" encryption is used...

And here some additional info how to check the password encryption (and change it):

To see how a password is encrypted we can check `pg_authid`:

When we want to change it (e.g. to `md5`) we need to set the `password_encryption` and then alter the user:

And where are the files?