Description Thorsten 2023-03-14 07:52:21 CET

Switch the default hashing algorithm for postgresql to scram-sha-256. Postgresql itself switches to that default anyway with v14.

For machines that run only self-service this can be achived post-install e.g. using ansible:

```
- name: "enable password_encryption to default to scram-sha-256 in /etc/postgresql/11/main/postgresql.conf"
  ansible.builtin.lineinfile:
    path: "/etc/postgresql/11/main/postgresql.conf"
    regexp: '^#?password_encrption.+'
    line: "password_encryption = scram-sha-256"

- name: "allow only scram-sha-256 for authentication in /etc/postgresql/11/main/pg_hba.conf"
  ansible.builtin.replace:
    path: "/etc/postgresql/11/main/pg_hba.conf"
    regexp: 'md5'
    replace: 'scram-sha-256'

- name: "restart service: postgres"
  ansible.builtin.systemd:
    state: "restarted"
    name: "postgresql"

- name: "update password for selfservice in /etc/self-service-db.secret"
  copy:
    content: "{{ choose_a_new_password_for_selfservice }}"
    dest: "/etc/self-service-db.secret"

- name: "update password for selfservice in database"
  become: true
  become_user: postgres
  shell: psql -c "ALTER USER selfservice WITH PASSWORD '{{ choose_a_new_password_for_selfservice }}'"
```