Which of the two postgres configuration files postgresql.conf and pg_hba.conf takes priority?
pg_hba.conf controls client authentication methods including 'md5' and 'scram-sha-256'
postgresql.conf includes an entry for password_encryption which can be 'md5' or 'scram-sha-256' (or blank, I guess)
So if these values aren't set to the same thing, which takes priority?
1 Answer
There is no priority to choose because they have different purposes.
password_encryption in postgresql.conf tells how to hash a new password when it's changed or a new user is created with a password. The field in pg_hba.conf tells what kind of authentication scheme should be used when a client that matches the rules attempts to connect.
When connecting with a client that does not support SCRAM authentication:
If the first line that matches in pg_hba.conf for this connection attempt has, in the METHOD field:
- scram-sha-256, the connection will be rejected.
- md5 and the password of this account is stored with an md5 hash (independently of password_encryption), the connection will succeed.
- md5 and the password of this account is stored with a scram-sha256 hash (independently of password_encryption), the connection will be rejected.
A superuser can check what kind of password is assigned to existing accounts by looking at the hashed passwords in the system table pg_catalog.pg_authid.
- So if I'm connecting to the database via an old version of Npgsql that can't cope with scram-sha-256 I need to ensure that NEITHER of these files mention scram-sha-256? – ConanTheGerbil, Nov 25, 2020 at 19:41
- @ConanTheGerbil: almost. See the edit. – Daniel Vérité, Nov 25, 2020 at 21:56
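
The cases listed in the answer above, written out as an added Python example (not part of the original answer and not PostgreSQL's own code): it classifies pg_authid.rolpassword values by their stored format and lists which roles could not log in for a given pg_hba.conf METHOD and client. It also covers SCRAM-capable clients, which goes beyond the three cases in the answer; the function names and sample rows are constructed for illustration.

```python
import hashlib
import re

# Stored-password formats found in pg_authid.rolpassword.
MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(
    r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+")


def stored_kind(rolpassword):
    """Classify a pg_authid.rolpassword value by its format."""
    if rolpassword is None:
        return "none"
    if MD5_RE.fullmatch(rolpassword):
        return "md5"
    if SCRAM_RE.fullmatch(rolpassword):
        return "scram-sha-256"
    return "unknown"


def can_authenticate(hba_method, kind, client_supports_scram):
    """Predict the outcome for the first matching pg_hba.conf line."""
    if hba_method not in ("md5", "scram-sha-256"):
        raise ValueError("only the two password methods are modelled")
    if kind == "scram-sha-256":
        # Even under METHOD md5, a SCRAM-stored password means SCRAM is used.
        return client_supports_scram
    if kind == "md5":
        # An MD5-stored password cannot satisfy METHOD scram-sha-256.
        return hba_method == "md5"
    return False  # no password, or a format this sketch does not model


def locked_out(rows, hba_method, client_supports_scram):
    """Return the role names that could not log in under these conditions."""
    return [name for name, pw in rows
            if not can_authenticate(hba_method, stored_kind(pw),
                                    client_supports_scram)]


def pg_md5(password, user):
    # PostgreSQL's legacy format: "md5" + md5(password || username).
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


# Constructed sample rows as (rolname, rolpassword); not real credentials.
SAMPLE_ROWS = [
    ("legacy_app", pg_md5("example-password", "legacy_app")),
    ("new_app", "SCRAM-SHA-256$4096:c2FsdHNhbHRzYWx0c2FsdA==$"
                + "A" * 43 + "=:" + "B" * 43 + "="),
    ("nologin_pw", None),
]
```

Feeding it the rolname and rolpassword columns read from pg_catalog.pg_authid by a superuser shows which accounts need a password reset before an old driver or a METHOD change would break them.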