Univention Bugzilla – Bug 55876
Use scram-sha-256 as default hashing algorithm for postgres (instead of md5)
Last modified: 2023-03-14 15:05:43 CET
Switch the default hashing algorithm for postgresql to scram-sha-256. Postgresql itself switches to that default anyway with v14.

For machines that run only self-service this can be achieved post-install e.g. using ansible:

```
# New and changed passwords are stored as SCRAM-SHA-256 verifiers from here on
- name: "enable password_encryption to default to scram-sha-256 in /etc/postgresql/11/main/postgresql.conf"
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/11/main/postgresql.conf"
    regexp: '^#?password_encryption.+'
    line: "password_encryption = scram-sha-256"

- name: "allow only scram-sha-256 for authentication in /etc/postgresql/11/main/pg_hba.conf"
  ansible.builtin.replace:
    path: "/etc/postgresql/11/main/pg_hba.conf"
    regexp: 'md5'
    replace: 'scram-sha-256'

- name: "restart service: postgres"
  ansible.builtin.systemd:
    state: "restarted"
    name: "postgresql"

- name: "update password for selfservice in /etc/self-service-db.secret"
  copy:
    content: "{{ choose_a_new_password_for_selfservice }}"
    dest: "/etc/self-service-db.secret"

# Setting the password again replaces the stored md5 hash with a SCRAM verifier
- name: "update password for selfservice in database"
  become: true
  become_user: postgres
  shell: psql -c "ALTER USER selfservice WITH PASSWORD '{{ choose_a_new_password_for_selfservice }}'"
```
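A role whose stored hash is still md5 cannot log in through a scram-sha-256 rule until its password is set again, so a check after the switch is useful. The following is an added example, not part of the original report or of Univention's code: it reads pg_hba.conf by field and classifies `pg_authid.rolpassword` values, using constructed sample data and hypothetical function names, and assumes unquoted pg_hba.conf fields.

```python
import re

# Constructed sample data, not taken from a real system.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       postgres             peer
host    all       all   127.0.0.1/32   md5      # legacy md5 rule
host    all       all   ::1/128        scram-sha-256
host    md5db     all   10.0.0.5 255.255.255.255 scram-sha-256
"""
# rolname -> rolpassword, as returned by: SELECT rolname, rolpassword FROM pg_authid
SAMPLE_ROLES = {
    "selfservice": "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5",
    "legacyapp": "md5" + "0123456789abcdef" * 2,
    "nologin": None,
}

SCRAM_RE = re.compile(r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+")
MD5_RE = re.compile(r"md5[0-9a-f]{32}")


def hba_rules(text):
    """Yield (line_no, method) per pg_hba.conf rule (unquoted fields assumed)."""
    for no, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f or f[0].startswith("include"):
            continue
        idx = 3 if f[0] == "local" else 4
        # "host db user IP MASK method": the netmask takes an extra column
        if idx == 4 and "/" not in f[3] and len(f) > 5 and re.search(r"[.:]", f[4]):
            idx = 5
        if len(f) > idx:
            yield no, f[idx]


def md5_rules(text):
    """Line numbers of rules whose auth method (not any other field) is md5."""
    return [no for no, method in hba_rules(text) if method == "md5"]


def verifier_kind(rolpassword):
    """Classify a pg_authid.rolpassword value by its stored format."""
    if not rolpassword:
        return "none"
    if SCRAM_RE.fullmatch(rolpassword):
        return "scram-sha-256"
    return "md5" if MD5_RE.fullmatch(rolpassword) else "unknown"


def needs_reset(roles):
    """Roles still holding an md5 hash; they need a new password set."""
    return sorted(r for r, pw in roles.items() if verifier_kind(pw) == "md5")
```

On the sample data only line 3 is reported as an md5 rule (the database named `md5db` is not), and `legacyapp` is the one role that still needs its password set again.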