ADPG supports several password authentication methods that differ in how a password is stored on the server and transmitted over the connection. The table below contains supported methods.
Uses a custom secure challenge-response mechanism. It prevents password sniffing and stores passwords on the server in a hashed form but provides no protection if the password hash is stolen from the server. The md5 hash algorithm is not secure against collision attacks.
Sends the password in the clear text format. This method is vulnerable to password sniffing attacks. You can use this method if the connection is protected by SSL encryption
The following options control the password authentication settings:
The pg_hba.conf file contains a set of records, one per line. A record consists of fields separated by spaces or tabs. Each record defines an authentication rule for a connection: it specifies a connection type, a client IP address range, a database name, a user name, and the authentication method. The first record, that matches the current connection, is used to perform authentication. If the authentication fails, subsequent records are not considered. If no record matches, access is denied.
A record can have one of the following formats:
local database user auth-method [auth-options] host database user address auth-method [auth-options] hostssl database user address auth-method [auth-options] hostnossl database user address auth-method [auth-options] hostgssenc database user address auth-method [auth-options] hostnogssenc database user address auth-method [auth-options] host database user IP-address IP-mask auth-method [auth-options] hostssl database user IP-address IP-mask auth-method [auth-options] hostnossl database user IP-address IP-mask auth-method [auth-options] hostgssenc database user IP-address IP-mask auth-method [auth-options] hostnogssenc database user IP-address IP-mask auth-method [auth-options]
Refer to the following link for the detailed field description: The pg_hba.conf file.
A record field can contain a white space if its value is double-quoted. To use a keyword in a database, user, or address field, enclose it in quotes. Blank lines and text after the
# comment character are ignored. To continue a record on the next line, end the line with a backslash. You can also use backslashes within quoted text or comments.
Use the ADCM UI to edit pg_hba.conf. To do this, open the CLUSTERS → ADPG cluster → Services → Configuration tab and add lines to the PG_HBA field. For example, the following record allows a connection established over TCP/IP to all databases, by all users, from all IPv4 addresses with the
scram-sha-256 authentication method:
host all all 0.0.0.0/0 scram-sha-256
Click the Save button on the Configuration tab and execute the Reconfigure & Reload action to apply changes. The following lines are added to pg_data1\adpg14\pg_hba.conf:
# BEGIN Customs from ADCM host all all 0.0.0.0/0 scram-sha-256 # END Customs from ADCM
If you set a password in the CREATE ROLE or ALTER ROLE SQL command, the password_encryption parameter determines the password encryption algorithm. Possible values are
scram-sha-256 (the default value) and
md5 is specified as an authentication method in pg_hba.conf but the user’s password on the server is encrypted with the
scram-sha-256 algorithm, the
scram-sha-256 authentication is used as the most secure method.
You can change the password_encryption parameter via ADCM UI. To do this, open the CLUSTERS → ADPG cluster → Services → Configuration tab, enable the Advanced checkbox to display postgresql.conf custom section, and set a new value for password_encryption in this section. For example, the following line sets the
md5 algorithm for the password encryption:
You can also execute the following SQL statement to change the password_encryption parameter for the current session:
SET password_encryption = 'scram-sha-256';
If you do not set a password for a user, the user’s password is NULL and the password authentication fails for this user.
CREATE ROLE user1 WITH LOGIN PASSWORD 'password1';
To change the password for an existing role, execute the ALTER ROLE command.
ALTER ROLE user1 WITH PASSWORD 'password2';
\password psql meta-command also changes the password of the current role.
\password command is executed, the command prompt asks you to enter a new password twice:
Enter new password for user "postgres": Enter it again:
If the entered passwords match, the current password is changed.
The password hash for each database user is stored in the pg_authid catalog. You can run the following SQL command to view roles and passwords:
SELECT rolname, rolpassword FROM pg_authid;
The command output:
rolname | rolpassword ---------------------------+---------------------------------------- pg_database_owner | pg_read_all_data | pg_write_all_data | pg_monitor | pg_read_all_settings | pg_read_all_stats | pg_stat_scan_tables | pg_read_server_files | pg_write_server_files | pg_execute_server_program | pg_signal_backend | postgres | SCRAM-SHA-256$4096:2yHlw+fjx7PWll0dScESNA==$SETiIdi xLSGgtE/EEk/5kfRBsIpu+09XuCDPWIFmAuE=:Fyy6OPtQmm1+Ms8ryqww47NT1YhLJ6/zik4iskkm3M o= user_md5 | md5ea4a7de3c817a0c8cc2670dab9aecc47 (13 rows)
An encrypted password starts with the method name. In this example, the
postgres role password is encrypted using the
scram-sha-256 method and the
user_md5 role password is encrypted with the