Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.

Per discussion, plain "scram" is confusing because we actually implement SCRAM-SHA-256 rather than the original SCRAM that uses SHA-1 as the hash algorithm. If we add support for SCRAM-SHA-512 or some other mechanism in the SCRAM family in the future, that would become even more confusing. Most of the internal files and functions still use just "scram" as a shorthand for SCRMA-SHA-256, but I did change PASSWORD_TYPE_SCRAM to PASSWORD_TYPE_SCRAM_SHA_256, as that could potentially be used by 3rd party extensions that hook into the password-check hook. Michael Paquier did this in an earlier version of the SCRAM patch set already, but I didn't include that in the version that was committed. Discussion: https://www.postgresql.org/message-id/fde71ff1-5858-90c8-99a9-1c2427e7bafb@iki.fi
author: Heikki Linnakangas <heikki.linnakangas@iki.fi> 2017-04-18 14:50:50 +0300
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi> 2017-04-18 14:50:50 +0300
commit: c727f120ff50f624a1ee3abe700d995c18314a0b (patch)
tree: a3fb2b94b43e51f386d31dca2b056d004b787ae3 /doc/src
parent: 123aaffb5b881f3dadaac676877a90b50233a847 (diff)
2 files changed, 10 insertions, 9 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index d871c041ce5..819db811b26 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -412,7 +412,7 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        </varlistentry>
 
        <varlistentry>
-        <term><literal>scram</></term>
+        <term><literal>scram-sha-256</></term>
         <listitem>
          <para>
           Perform SCRAM-SHA-256 authentication to verify the user's
@@ -683,7 +683,7 @@ host    postgres        all             192.168.93.0/24         ident
 # "postgres" if the user's password is correctly supplied.
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
-host    postgres        all             192.168.12.10/32        scram
+host    postgres        all             192.168.12.10/32        scram-sha-256
 
 # Allow any user from hosts in the example.com domain to connect to
 # any database if the user's password is correctly supplied.
@@ -694,7 +694,7 @@ host    postgres        all             192.168.12.10/32        scram
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 host    all             mike            .example.com            md5
-host    all             all             .example.com            scram
+host    all             all             .example.com            scram-sha-256
 
 # In the absence of preceding "host" lines, these two lines will
 # reject all connections from 192.168.54.1 (since that entry will be
@@ -922,7 +922,7 @@ omicron         bryanh                  guest1
    </indexterm>
 
    <para>
-    The password-based authentication methods are <literal>scram</>,
+    The password-based authentication methods are <literal>scram-sha-256</>,
     <literal>md5</>, and <literal>password</>. These methods operate
     similarly except for the way that the password is sent across the
     connection.
@@ -939,8 +939,9 @@ omicron         bryanh                  guest1
 
 
    <para>
-    <literal>scram</> performs SCRAM-SHA-256 authentication, as described
-    in <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
+    <literal>scram-sha-256</> performs SCRAM-SHA-256 authentication, as
+    described in
+    <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It
     is a challenge-response scheme, that prevents password sniffing on
     untrusted connections. It is more secure than the <literal>md5</>
     method, but might not be supported by older clients.
@@ -953,7 +954,7 @@ omicron         bryanh                  guest1
     protection if an attacker manages to steal the password hash from the
     server, and it cannot be used with the <xref
     linkend="guc-db-user-namespace"> feature. For all other users,
-    <literal>md5</> works the same as <literal>scram</>.
+    <literal>md5</> works the same as <literal>scram-sha-256</>.
    </para>
 
    <para>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 744c5e8f37a..e02b0c80df0 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1194,8 +1194,8 @@ include_dir 'conf.d'
         stores the password as an MD5 hash. Setting this to <literal>plain</> stores
         it in plaintext. <literal>on</> and <literal>off</> are also accepted, as
         aliases for <literal>md5</> and <literal>plain</>, respectively.  Setting
-        this parameter to <literal>scram</> will encrypt the password with
-        SCRAM-SHA-256.
+        this parameter to <literal>scram-sha-256</> will encrypt the password
+        with SCRAM-SHA-256.
        </para>
       </listitem>
      </varlistentry>
author	Heikki Linnakangas <heikki.linnakangas@iki.fi>	2017-04-18 14:50:50 +0300
committer	Heikki Linnakangas <heikki.linnakangas@iki.fi>	2017-04-18 14:50:50 +0300
commit	c727f120ff50f624a1ee3abe700d995c18314a0b (patch)
tree	a3fb2b94b43e51f386d31dca2b056d004b787ae3 /doc/src
parent	123aaffb5b881f3dadaac676877a90b50233a847 (diff)