Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enable scram-sha-256 password encryption #713

Closed
wants to merge 3 commits into from
Closed

enable scram-sha-256 password encryption #713

wants to merge 3 commits into from

Conversation

birkb
Copy link

@birkb birkb commented Apr 15, 2020

  • if $POSTGRES_HOST_AUTH_METHOD is set
  • without that update new users are unable to logon,
    because the password would still be saved as md5,
    but the host auth is set to scram-sha-256 in pg_hba.conf

@birkb
enable scram-sha-256 password encryption
eb3eeb4 
- if $POSTGRES_HOST_AUTH_METHOD is set
- without that update new users are unable to logon,
  because the password would still be saved as md5,
  but the host auth is set to scram-sha-256 in pg_hba.conf
@birkb
Copy link
Author

birkb commented Apr 15, 2020

All FORCE_DEB_BUILD=1 builds have been failed. Is sed not available in your Debian image?

birkb added 2 commits April 16, 2020 15:29
@birkb
missing whitespace added
3c71329 
- otherwise FORCE_DEB_BUILD fails
@birkb
Merge 'upstream/master' into branch
d5e208d 
- docker-password_encryption
@birkb
Copy link
Author

birkb commented Apr 16, 2020

The VERSION=12 FORCE_DEB_BUILD=1 build fails, but version 12.2-2.pgdg100+1 is available in the repo.

@birkb
Copy link
Author

birkb commented Apr 16, 2020

http://apt.postgresql.org/pub/repos/apt/dists/buster-pgdg/12/binary-amd64/Packages does not contain the 12.2-2.pgdg100+1 package

@birkb
Copy link
Author

birkb commented Apr 16, 2020

apt-cache search postgresql-12 inside the build container shows no packages. apt-cache search postgresql-11 lists 64 packages.

@birkb birkb mentioned this pull request Apr 16, 2020
Closed
@yosifkit
Copy link
Member

No, we do not want to add anything to the image to change postgresql.conf based on env vars (everything that can be specified in the config can just be passed as docker run arguments). pg_hba.conf is only done because there is no other way to set it.

POSTGRES_HOST_AUTH_METHOD was added in #658 and so it looks like the fix for this is just documentation; to change the auth method to another hashing method, you need to also inform initdb so that the postgres user is created with the proper authentication method:

This works with the current image:

docker run -it --rm \
	-e POSTGRES_HOST_AUTH_METHOD=scram-sha-256 \
	-e POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256 \
	-e POSTGRES_PASSWORD=12345 \
	--network posty \
	--name post \
	postgres

@yosifkit yosifkit closed this Apr 16, 2020
@birkb
Copy link
Author

birkb commented Apr 16, 2020

Thanks for the POSTGRES_INITDB_ARGS hint. That has solved the problem.

@yosifkit yosifkit mentioned this pull request May 6, 2020
Closed
@nicexe
Copy link

nicexe commented May 7, 2020

It might be more proper to modify the initialization script to check if POSTGRES_HOST_AUTH_METHOD is set to scram-sha-256 instead of setting 2 variables to achieve this

@tianon tianon mentioned this pull request Oct 27, 2020
Closed
@ghost
Copy link

ghost commented Dec 16, 2020

Official docker image for version 13 was driving me crazy until I found this thread - please consider updating the docker hub page to include the POSTGRES_INIT_DB_ARGS... entry as required for setting scram-sha-256 to work. I spun it up using docker-compose and burned several hours trying to figure out what I was getting wrong....

@tianon tianon mentioned this pull request Dec 28, 2020
Merged
@tianon
Copy link
Member

tianon commented Dec 28, 2020

Great idea -- docker-library/docs#1857

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@birkb @yosifkit @nicexe @tianon