There are several password-based authentication methods. These methods operate similarly but differ in how the users' passwords are stored on the server and how the password provided by a client is sent across the connection.
scram-sha-256
The method scram-sha-256
performs SCRAM-SHA-256
authentication, as described in
RFC 7677. It
is a challenge-response scheme that prevents password sniffing on
untrusted connections and supports storing passwords on the server in a
cryptographically hashed form that is thought to be secure.
This is the most secure of the currently provided methods, but it is not supported by older client libraries.
md5
The method md5
uses a custom less secure challenge-response
mechanism. It prevents password sniffing and avoids storing passwords
on the server in plain text but provides no protection if an attacker
manages to steal the password hash from the server. Also, the MD5 hash
algorithm is nowadays no longer considered secure against determined
attacks.
The md5
method cannot be used with
the db_user_namespace feature.
To ease transition from the md5
method to the newer
SCRAM method, if md5
is specified as a method
in pg_hba.conf
but the user's password on the
server is encrypted for SCRAM (see below), then SCRAM-based
authentication will automatically be chosen instead.
password
The method password
sends the password in clear-text and is
therefore vulnerable to password “sniffing” attacks. It should
always be avoided if possible. If the connection is protected by SSL
encryption then password
can be used safely, though.
(Though SSL certificate authentication might be a better choice if one
is depending on using SSL).
PostgreSQL 데이터베이스 패스워드는 운영 체제 사용자 패스워드와
구분된다. 각 데이터베이스 사용자에 대한 패스워드는 pg_authid
시스템 카탈로그에 저장된다. 패스워드는 SQL 명령 CREATE ROLE
및 ALTER ROLE으로 관리할 수 있으며, 예를
들면 CREATE ROLE foo WITH LOGIN PASSWORD 'secret'
,
또는 psql 내장 명령어
\password
같은 작업으로 처리한다. 패스워드가 사용자에 대해 설정되지 않은
경우 저장된 패스워드는 null이고 패스워드 인증은 해당 사용자에 대해 항상 실패한다.
The availability of the different password-based authentication methods
depends on how a user's password on the server is encrypted (or hashed,
more accurately). This is controlled by the configuration
parameter password_encryption at the time the
password is set. If a password was encrypted using
the scram-sha-256
setting, then it can be used for the
authentication methods scram-sha-256
and password
(but password transmission will be in
plain text in the latter case). The authentication method
specification md5
will automatically switch to using
the scram-sha-256
method in this case, as explained
above, so it will also work. If a password was encrypted using
the md5
setting, then it can be used only for
the md5
and password
authentication
method specifications (again, with the password transmitted in plain text
in the latter case). (Previous PostgreSQL releases supported storing the
password on the server in plain text. This is no longer possible.) To
check the currently stored password hashes, see the system
catalog pg_authid
.
To upgrade an existing installation from md5
to scram-sha-256
, after having ensured that all client
libraries in use are new enough to support SCRAM,
set password_encryption = 'scram-sha-256'
in postgresql.conf
, make all users set new passwords,
and change the authentication method specifications
in pg_hba.conf
to scram-sha-256
.