Re: [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-24 Thread Michael Paquier
On Mon, Apr 24, 2017 at 3:04 PM, Akshay Joshi
 wrote:
> I have gone through this, but am still facing an issue encrypting/changing the
> database server password. In pgAdmin4 we have a "Change Password" feature where
> the user will enter the old and new password for the database server; now we will
> have to encrypt it (in Python) as per the SCRAM standards and set it in the
> database.

By using SET password_encryption = 'scram-sha-256' and sending the raw
password you would be able to hash the password correctly. Or you
could just mimic scram_build_password() (routine in Postgres code to
generate that correctly).

> The example you have given in
> https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi
> leaves me with the below questions:
> To encode the password you already have the entry from the pg_authid table, which
> a non-superuser won't be able to access. How can we get that
> value from the pg_authid table, or do we have any other solution to this?

I don't understand this question, any user can update this field using
CREATE/ALTER ROLE, and the client has no need to know this value for
the exchange.

> For constructing the whole client-final-message, we need to calculate
> ClientSignature and ClientProof, which depend on the nonces and are
> therefore different on every authentication exchange. How do we calculate
> ClientSignature and ClientProof?
> Can you please guide me here on how we can achieve that in Python?

You will need a C equivalent of what is proposed in fe-auth-scram.c in
the Postgres code to build the messages that are exchanged from the
server, see particularly calculate_client_proof() which describes step
by step the calculation of the client proof when building the last
message for the client. I didn't check in detail, but the routines
are the same as in the message above. The format of the hashed
password has changed a bit since commit 68e61ee though.
-- 
Michael


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
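The two pieces Michael points at above, the verifier that scram_build_password() produces and the ClientProof that calculate_client_proof() computes, as an added Python example that is not part of this thread nor of PostgreSQL's or pgAdmin4's code. It uses only the standard library, assumes the password is plain ASCII (so SASLprep is a no-op), and follows the verifier layout of the released PostgreSQL 10 (base64 salt and keys, 4096 iterations); as Michael notes, the encoding was still changing when this was written.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 4096  # iteration count PostgreSQL 10 uses when it builds a SCRAM verifier

def scram_keys(password, salt, iterations=ITERATIONS):
    # RFC 5802 derivation with SHA-256; password assumed already SASLprep-normalized (ASCII here)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key

def build_verifier(password, salt=None, iterations=ITERATIONS):
    """Python counterpart of scram_build_password(): the value ALTER ROLE ... PASSWORD accepts
    and pg_authid.rolpassword stores. Layout of released PostgreSQL 10:
    SCRAM-SHA-256$<iterations>:<base64 salt>$<base64 StoredKey>:<base64 ServerKey>"""
    salt = os.urandom(16) if salt is None else salt
    _, stored_key, server_key = scram_keys(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return "SCRAM-SHA-256$%d:%s$%s:%s" % (iterations, b64(salt), b64(stored_key), b64(server_key))

def parse_verifier(verifier):
    """Inverse of build_verifier(): (iterations, salt, StoredKey, ServerKey)."""
    scheme, params, keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return int(iterations), base64.b64decode(salt), base64.b64decode(stored_key), base64.b64decode(server_key)

def client_proof(password, salt, iterations, client_first_bare, server_first, client_final_bare):
    """Mirror of calculate_client_proof() in fe-auth-scram.c: ClientProof = ClientKey XOR
    HMAC(StoredKey, AuthMessage); AuthMessage carries both nonces, so the proof differs per exchange."""
    client_key, stored_key, _ = scram_keys(password, salt, iterations)
    auth_message = b",".join([client_first_bare, server_first, client_final_bare])
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(k ^ s for k, s in zip(client_key, client_signature))

def server_accepts(verifier, auth_message, proof):
    # Server side: ClientKey = ClientProof XOR ClientSignature; accept iff H(ClientKey) == StoredKey.
    # Only StoredKey is needed, so neither the server nor pg_authid ever holds the cleartext password.
    _, _, stored_key, _ = parse_verifier(verifier)
    client_signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(p ^ s for p, s in zip(proof, client_signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)
```

With password_encryption = 'scram-sha-256' set, ALTER ROLE with the cleartext password makes the server run the same derivation itself; build_verifier() is the alternative where the client ships only the finished verifier string.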


Re: [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-24 Thread Akshay Joshi
Hi Michael

On Fri, Apr 21, 2017 at 12:07 PM, Michael Paquier  wrote:

> On Fri, Apr 21, 2017 at 3:27 PM, Akshay Joshi
>  wrote:
> > from passlib.hash import scram
> > hash = scram.encrypt(data['newPassword']) -- This function provides the
> > password for all the supported digests like [md5, sha-1, sha-256, sha-512].
> > Didn't work; I have tried with all the passwords.
> > test = scram.extract_digest_info(hash, "sha-256") -- This function
> > extracts the info for the specified digest "sha-256". I have retrieved the password,
> > which was in hexadecimal. Didn't work as well.
> >
> > Now I am stuck here and have no clue how to encrypt/decrypt the password for
> > SCRAM authentication. Can someone guide me out here?
>
> Here you go:
> https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi


   I have gone through this, but am still facing an issue encrypting/changing the
database server password. In pgAdmin4 we have a "Change Password" feature
where the user will enter the old and new password for the database server; now
we will have to encrypt it (in Python) as per the SCRAM standards and set it in
the database.

  The example you have given in
https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi
leaves me with the below questions:

   - To encode the password you already have the entry from the pg_authid table,
   which a non-superuser won't be able to access. How can we
   get that value from the pg_authid table, or do we have any other solution to
   this?
   - For constructing the whole client-final-message, we need to calculate
   *ClientSignature* and *ClientProof*, which depend on the nonces and are
   therefore different on every authentication exchange. How do we calculate
   *ClientSignature* and *ClientProof*?

  Can you please guide me here on how we can achieve that in Python?

>
> --
> Michael
>



-- 
*Akshay Joshi*
*Principal Software Engineer *



*Phone: +91 20-3058-9517 Mobile: +91 976-788-8246*


Re: [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-21 Thread Akshay Joshi
On Fri, Apr 21, 2017 at 12:20 PM, Michael Paquier  wrote:

> On Fri, Apr 21, 2017 at 3:43 PM, Akshay Joshi
>  wrote:
> > Thanks Michael, will check this.
>
> One thing I forgot to mention... Both StoredKey and ServerKey are now
> encoded in hex, but there is still an open item related to the
> handling of psql's \password on which I have written a patch to switch
> their encoding to base64 for simplicity. Not sure what Heikki's
> take is on the matter, but I would recommend being careful about that. My
> last set of patches is here:
> https://www.postgresql.org/message-id/CAB7nPqSbsCBCxy8-DtwzRxYgTnbGUtY4uFEkLQhG=R=uo=g...@mail.gmail.com


Thanks Michael

>
> --
> Michael
>





Re: [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-21 Thread Michael Paquier
On Fri, Apr 21, 2017 at 3:43 PM, Akshay Joshi
 wrote:
> Thanks Michael, will check this.

One thing I forgot to mention... Both StoredKey and ServerKey are now
encoded in hex, but there is still an open item related to the
handling of psql's \password on which I have written a patch to switch
their encoding to base64 for simplicity. Not sure what Heikki's
take is on the matter, but I would recommend being careful about that. My
last set of patches is here:
https://www.postgresql.org/message-id/CAB7nPqSbsCBCxy8-DtwzRxYgTnbGUtY4uFEkLQhG=R=uo=g...@mail.gmail.com
-- 
Michael




Re: [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-21 Thread Akshay Joshi
On Fri, Apr 21, 2017 at 12:07 PM, Michael Paquier  wrote:

> On Fri, Apr 21, 2017 at 3:27 PM, Akshay Joshi
>  wrote:
> > from passlib.hash import scram
> > hash = scram.encrypt(data['newPassword']) -- This function provides the
> > password for all the supported digests like [md5, sha-1, sha-256, sha-512].
> > Didn't work; I have tried with all the passwords.
> > test = scram.extract_digest_info(hash, "sha-256") -- This function
> > extracts the info for the specified digest "sha-256". I have retrieved the password,
> > which was in hexadecimal. Didn't work as well.
> >
> > Now I am stuck here and have no clue how to encrypt/decrypt the password for
> > SCRAM authentication. Can someone guide me out here?
>
> Here you go:
> https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi


Thanks Michael, will check this.

>
> --
> Michael
>





Re: [GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-21 Thread Michael Paquier
On Fri, Apr 21, 2017 at 3:27 PM, Akshay Joshi
 wrote:
> from passlib.hash import scram
> hash = scram.encrypt(data['newPassword']) -- This function provides the password
> for all the supported digests like [md5, sha-1, sha-256, sha-512]. Didn't work;
> I have tried with all the passwords.
> test = scram.extract_digest_info(hash, "sha-256") -- This function extracts the
> info for the specified digest "sha-256". I have retrieved the password, which was
> in hexadecimal. Didn't work as well.
>
> Now I am stuck here and have no clue how to encrypt/decrypt the password for SCRAM
> authentication. Can someone guide me out here?

Here you go:
https://www.postgresql.org/message-id/76ac7e67-4e3a-f4df-e087-fbac90151...@iki.fi
-- 
Michael




[GENERAL] pgAdmin4 needs information of v10 SCRAM authentication

2017-04-21 Thread Akshay Joshi
Hi All

We are in the development phase where we are trying to incorporate the v10
changes into pgAdmin4. v10 added support for SCRAM authentication in the
database server, so pgAdmin4 needs to incorporate that feature (for 'Change
Password'). Now the problem I am facing is that I am unable to find the correct
set of Python APIs which I can use to perform SCRAM encryption/decryption through
pgAdmin4 (most of you already know that pgAdmin4 is re-written in Python
and web technologies).

I have googled for how to encrypt a password for SCRAM and found
https://passlib.readthedocs.io/en/1.6.2/lib/passlib.hash.scram.html?highlight=scram#passlib.hash.scram .
I have tried the below logic to encrypt the password:


   - from passlib.hash import scram
   - hash = scram.encrypt(data['newPassword']) -- This function
provides the password for all the supported digests like [md5, sha-1,
sha-256, sha-512]. Didn't work; I have tried with all the passwords.
   - test = scram.extract_digest_info(hash, "sha-256") -- This
function extracts the info for the specified digest "sha-256". I have retrieved
the password, which was in hexadecimal. Didn't work as well.

Now I am stuck here and have no clue how to encrypt/decrypt the password
for SCRAM authentication. Can someone guide me out here?
