TransWikia.com

Postgres files postgresql.conf and pg_hba.conf - which take priority?

Database Administrators Asked by ConanTheGerbil on January 7, 2021

Which of the two postgres configuration files postgresql.conf and pg_hba.conf takes priority?

pg_hba.conf controls client authentication methods including ‘md5’ and ‘scram-sha-256’

postgresql.conf includes an entry for password_encryption which can be ‘md5’ or ‘scram-sha-256’ (or blank, I guess)

So if these values aren’t set to the same thing, which takes priority?

One Answer

There is no priority to choose because they have different purposes.

  • password_encryption in postgresql.conf tells how to hash a new password when it's changed or a new user is created with a password.

  • the field in pg_hba.conf tells what kind of authentication scheme should be used when a client that matches the rules attempts to connect.


When connecting with a client that does not support SCRAM authentication:

If the first line that matches in pg_hba.conf for this connection attempt has, in the METHOD field:

  • scram-sha-256, the connection will be rejected.

  • md5 and the password of this account is stored with an md5 hash (independently of password_encryption), the connection will succeed.

  • md5 and the password of this account is stored with an scram-sha256 hash (independently of password_encryption), the connection will be rejected.

A superuser can check what kind of password is assigned to existing accounts by looking at the hashed passwords in the system table pg_catalog.pg_authid.

Correct answer by Daniel Vérité on January 7, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP