


postgresql

17th chunk of `doc/src/sgml/config.sgml`
 SCRAM-SHA-256, and <literal>md5</literal>, which stores the password
        as an MD5 hash.  The default is <literal>scram-sha-256</literal>.
       </para>
       <para>
        Note that older clients might lack support for the SCRAM authentication
        mechanism, and hence not work with passwords encrypted with
        SCRAM-SHA-256.  See <xref linkend="auth-password"/> for more details.
       </para>
       <warning>
        <para>
         Support for MD5-encrypted passwords is deprecated and will be removed
         in a future release of <productname>PostgreSQL</productname>.  Refer
         to <xref linkend="auth-password"/> for details about migrating to
         another password type.
        </para>
       </warning>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-scram-iterations" xreflabel="scram_iterations">
      <term><varname>scram_iterations</varname> (<type>integer</type>)
      <indexterm>
       <primary><varname>scram_iterations</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        The number of computational iterations to be performed when encrypting
        a password using SCRAM-SHA-256. The default is <literal>4096</literal>.
        A higher number of iterations provides additional protection against
        brute-force attacks on stored passwords, but makes authentication
        slower. Changing the value has no effect on existing passwords
        encrypted with SCRAM-SHA-256 as the iteration count is fixed at the
        time of encryption. In order to make use of a changed value, a new
        password must be set.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-md5-password-warnings" xreflabel="md5_password_warnings">
      <term><varname>md5_password_warnings</varname> (<type>boolean</type>)
      <indexterm>
       <primary><varname>md5_password_warnings</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Controls whether a <literal>WARNING</literal> about MD5 password
        deprecation is produced when a <command>CREATE ROLE</command> or
        <command>ALTER ROLE</command> statement sets an MD5-encrypted password.
        The default value is <literal>on</literal>.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
      <term><varname>krb_server_keyfile</varname> (<type>string</type>)
      <indexterm>
       <primary><varname>krb_server_keyfile</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Sets the location of the server's Kerberos key file.  The default is
        <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename>
        (where the directory part is whatever was specified
        as <varname>sysconfdir</varname> at build time; use
        <literal>pg_config --sysconfdir</literal> to determine that).
        If this parameter is set to an empty string, it is ignored and a
        system-dependent default is used.
        This parameter can only be set in the
        <filename>postgresql.conf</filename> file or on the server command line.
        See <xref linkend="gssapi-auth"/> for more information.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
      <term><varname>krb_caseins_users</varname> (<type>boolean</type>)
      <indexterm>
       <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
      </indexterm>
      </term>
      <listitem>
       <para>
        Sets whether GSSAPI user names should be treated
        case-insensitively.
        The default is <literal>off</literal> (case sensitive). This parameter can only be
        set in the <filename>postgresql.conf</filename> file or on the server command line.
       </para>
 

Title: Password Encryption, SCRAM Iterations, MD5 Warnings, and Kerberos Configuration
Summary
This section details several parameters related to authentication: `password_encryption` (specifying SCRAM-SHA-256 or MD5, with MD5 being deprecated), `scram_iterations` (number of iterations for SCRAM-SHA-256 encryption), `md5_password_warnings` (controls warnings for MD5 password usage), `krb_server_keyfile` (location of Kerberos key file), and `krb_caseins_users` (controls case sensitivity of GSSAPI user names).
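
The `scram_iterations` entry says the count is fixed when a password is encrypted. The following added example (not part of the PostgreSQL documentation or source) shows why: the count is written into the stored verifier, which PostgreSQL keeps in `pg_authid.rolpassword` as `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>`. The function names, the sample password and the role name `alice` are constructed for illustration, and ASCII-only passwords are assumed.

```python
import base64
import hashlib
import hmac

PREFIX = "SCRAM-SHA-256$"

def build_verifier(password, salt, iterations=4096):
    """Derive a verifier laid out as SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>."""
    # Assumption: ASCII password, so the SASLprep normalization step is skipped.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode()
    return f"{PREFIX}{iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"

def classify(rolpassword, wanted_iterations):
    """Return (kind, iterations, needs_new_password) for one stored password string."""
    if rolpassword.startswith("md5") and len(rolpassword) == 35:
        return ("md5", None, True)  # deprecated type: always schedule a reset
    if rolpassword.startswith(PREFIX):
        try:
            head, _keys = rolpassword[len(PREFIX):].split("$")
            iterations = int(head.split(":")[0])
        except ValueError:
            return ("unknown", None, True)
        # The count was fixed when the password was set; only a reset changes it.
        return ("scram-sha-256", iterations, iterations < wanted_iterations)
    return ("unknown", None, True)

def matches(password, verifier):
    """Check a candidate password using the salt and count stored in the verifier."""
    head, _keys = verifier[len(PREFIX):].split("$")
    count, salt_b64 = head.split(":")
    rebuilt = build_verifier(password, base64.b64decode(salt_b64), int(count))
    return hmac.compare_digest(rebuilt, verifier)

# Constructed sample data (not from a real cluster).
SALT = bytes(range(16))
OLD = build_verifier("correct horse", SALT)           # set under the default 4096
NEW = build_verifier("correct horse", SALT, 10000)    # re-set after raising the value
MD5 = "md5" + hashlib.md5(b"correct horse" + b"alice").hexdigest()

if __name__ == "__main__":
    for name, stored in (("old", OLD), ("new", NEW), ("md5", MD5)):
        print(name, classify(stored, wanted_iterations=10000))
```

Run against an export of stored password strings, `classify` lists the roles that still need a new password after `scram_iterations` is raised or before MD5 support is removed.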