Skip to content

Adjust POSTGRES_HOST_AUTH_METHOD to automatically match configured password_encryption #897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 18, 2021
Merged

Adjust POSTGRES_HOST_AUTH_METHOD to automatically match configured password_encryption #897

merged 1 commit into from
Oct 18, 2021

Conversation

yosifkit
Copy link
Member

this release now makes the standards-compliant SCRAM-SHA-256 password management and authentication system the default on new PostgreSQL instances

https://www.postgresql.org/about/news/postgresql-14-released-2318/

With the swap to scram-sha-256 as the default, initdb uses that unless specified otherwise. So for the initial user created, the password is SCRAM encrypted.

To ease transition from the md5 method to the newer SCRAM method, if md5 is specified as a method in pg_hba.conf but the user's password on the server is encrypted for SCRAM (see below), then SCRAM-based authentication will automatically be chosen instead.

https://www.postgresql.org/docs/14/auth-password.html
See #895 (comment)

So, the current md5 in the host auth method will use scram-sha-256 if that is how the password was saved.

With this change on postgres:14, the host auth method in pg_hba.conf will reflect the change to scram-sha-256 instead of using md5. But there is the possibility of breaking users that are using a pre-hashed md5 password and are starting a newly initialized PostgreSQL 14 container.

This change makes it possible to change the initial auth and have pg_hba.conf reflect the change automatically by using POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256 and not having to also set POSTGRES_HOST_AUTH_METHOD.

Setting -c password_encryption=md5 is not enough to affect the initial user created by initdb (even though it is passed along to initdb 😢).

Our POSTGRES_HOST_AUTH_METHOD variable still only effects the line in pg_hba.conf.

@yosifkit
Copy link
Member Author

yosifkit commented Oct 15, 2021
edited
Loading

A table showing which values override which and where. The major difference from the current images, is that
POSTGRES_INITDB_ARGS=--auth-host= and password_encryption= via the command line can change the line that the entrypoint adds to pg_hba.conf.

password_encryption in a postgresql.conf that is used/seen by initdb should be equivalent to POSTGRES_INITDB_ARGS.

Affected users/file ➡️
Settings supplied ⬇️		 Initial postgres user pg_hba.conf new users
POSTGRES_INITDB_ARGS=--auth-host=initValue initValue initValue initValue
POSTGRES_HOST_AUTH_METHOD=authValue default authValue default
-c password_encryption=encValue default encValue encValue
POSTGRES_INITDB_ARGS=--auth-host=initValue
POSTGRES_HOST_AUTH_METHOD=authValue		 initValue authValue initValue
POSTGRES_HOST_AUTH_METHOD=authValue
-c password_encryption=encValue		 default authValue encValue
POSTGRES_INITDB_ARGS=--auth-host=initValue
-c password_encryption=encValue		 initValue encValue encValue
POSTGRES_INITDB_ARGS=--auth-host=initValue
POSTGRES_HOST_AUTH_METHOD=authValue
-c password_encryption=encValue		 initValue authValue encValue

@yosifkit yosifkit mentioned this pull request Oct 15, 2021
Closed
tianon
tianon approved these changes Oct 18, 2021
View reviewed changes
Copy link
Member

@tianon tianon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😍

@tianon tianon merged commit 0db92cd into docker-library:master Oct 18, 2021
@tianon tianon deleted the auth-method-14 branch October 18, 2021 17:47
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request Oct 18, 2021
@docker-library-bot
Update postgres
966cf9f 
Changes:

- docker-library/postgres@0db92cd: Merge pull request docker-library/postgres#897 from infosiftr/auth-method-14
- docker-library/postgres@c6329e3: Adjust POSTGRES_HOST_AUTH_METHOD to automatically match configured password_encryption
@tianon tianon mentioned this pull request Oct 18, 2021
Merged
NeilHanlon pushed a commit to NeilHanlon/official-images that referenced this pull request Oct 27, 2021
@docker-library-bot @NeilHanlon
Update postgres
a16f947 
Changes:

- docker-library/postgres@0db92cd: Merge pull request docker-library/postgres#897 from infosiftr/auth-method-14
- docker-library/postgres@c6329e3: Adjust POSTGRES_HOST_AUTH_METHOD to automatically match configured password_encryption
This was referenced Nov 30, 2021
Closed
Closed
@groundhog2k groundhog2k mentioned this pull request Jan 20, 2022
Closed
@yosifkit yosifkit mentioned this pull request Feb 26, 2022
Closed
@tianon tianon mentioned this pull request May 10, 2022
Merged
@tianon tianon mentioned this pull request Jun 8, 2022
Closed
@yosifkit yosifkit mentioned this pull request Jan 6, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tianon tianon tianon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@yosifkit @tianon