[Question posted by a user on YugabyteDB Community Slack ]
How to use SCRAM authentication in YSQL?
In this case, we’ll change the password of yugabyte user to yugabyte but in SCRAM instead of default MD5.
You need to change the authentication of YSQL to use scram-sha-256 for authentication. This is a PostgreSQL config, so you have to use [–ysql-pg-conf]yb-tserver configuration reference | YugabyteDB Docs.
Put this line in your gflag file:
ysql_pg_conf=password_encryption = scram-sha-256
Then you should change --yb_hba_conf to use scram-sha-256. In this case, I put:
--ysql_hba_conf=host all postgres 0.0.0.0/0 trust, host all all 0.0.0.0/0 scram-sha-256, host all postgres ::0/0 trust, host all all ::0/0 scram-sha-256
Which says to require authentication for all users except postgres role.
Then we connect to the server and change the password for role yugabyte:
./bin/ysqlsh --username=postgres
postgres=# \password yugabyte
Enter new password:
Enter it again:
And verify that the password was hashed with SCRAM:
postgres=# SELECT
rolname, rolpassword
FROM pg_authid
WHERE rolcanlogin;
rolname | rolpassword
----------+---------------------------------------------------------------------------------------------------------------------------------------
postgres |
yugabyte | SCRAM-SHA-256$4096:dnsF94xZmdJYZHoW5wXtdA==$4bxAFNHgmz9VXIWUxijReO4zyJ0DnX/iLNndKq32WOg=:TSXL3EF0fCroBXTndmp16Wle4F1MH+qc1P1iVFkqMQ8=
(2 rows)