PostgreSQL user password change from MD5 to scram-sha-265

Question

I was looking at this Change PostgreSQL password encryption from MD5 to SHA question to figure out how to change the hashing of user passwords in Postgres to something other than MD5 since from what I understand it's basically obsolete now.

But I'm curious if a change is going to be required in the pg_hpa.conf file for the server, as according to this tutorial https://blog.bigbinary.com/2016/01/23/configure-postgresql-to-allow-remote-connection.html you need to add the following to it:

host    all             all              0.0.0.0/0                       md5
host    all             all              ::/0                            md5

Will the "md5" need to be changed? Or is it purely there to specify a password is required, and won't be affected when changing hashing function to scram-sha-256?

Answer 1

You can retain md5 as an authentication method in pg_hba.conf even if you change password_encryption to scram-sha-256. It is just unusual to do so.

The main reason it is unusual is that with password_encryption = scram-sha-256, the client must understand the new hashing method anyway to be able to calculate the hashed password from the password entered by the user. Then why not use it for a more secure authentication as well?

To avoid confusion, I'd like to add that there are two different password hashing operations going on in PostgreSQL:

1. The password the user enters is hashed (together with the user name) to produce the actual PostgreSQL password, as stored in pg_authid. This is to avoid the problem that someone steals the password and reuses it on other systems.

2. During authentication, the server challenges the client to produce a hash of the password (which is already hashed from the previous step) with a certain salt. This “doubly hashed” password is then sent over the line.

Your question, in other words, was: Can we use scram-sha-256 for the first point and md5 for the second?