Thread: Regarding RM #2214 SCRAM Authentication for Change Password

Hi Hackers, 

As a part of RM #2214, we will have to support SCRAM authentication. User will be able to login, but the problem is with "Change Password" of database server won't work, as we are encrypting new password using md5 and set the new password using "ALTER USER <user> WITH ENCRYPTED PASSWORD <pwd>" query.

If password_encryption = scram-sha-256 in postgresql.conf file then it will change the password with md5 encryption which is not correct and user won't be able to login using changed password. I have  tried previously (almost 12 months ago) and tried following again

from passlib.hash import scram

scram.default_rounds = 4096
digest_info = scram.extract_digest_info(scram.encrypt(password), 'sha-256')

salt = digest_info[0]
rounds = digest_info[1]
secret = digest_info[2]

salted_password = hashlib.pbkdf2_hmac('sha256', secret, salt, rounds)

but not able to encrypt the password for SCRAM. 

There is new method introduce in PostgreSQL 10 to encrypt the password:

char *PQencryptPasswordConn(PGconn *conn, const char *passwd, const char *user, const char *algorithm);

As we are using psycopg2, so the support for the above method should be available in psycopg2. Ashesh Vashi has already send the patch to support for preparing encrypted password and they are planning to merge his patch in version 2.8. Following is the link of his patch 

https://github.com/psycopg/psycopg2/pull/576

So when the above patch will be merged and released by psycopg2, we will work on this feature again and modified the code. I'll update the RM accordingly.