Microsofts old Single Server for PostgreSQL on Azure offers password encryption md5 only, normaly IT Governance responsible people getting nervous by that.
On the new Flexible Server for PostgreSQL on AZure md5 is still the default setting, but a workaround makes scram-sha-256 posssible to use.

Since PostgreSQL 10 it is possible to switch from md5 to scram-sha-256, by using community packages scram-sha-256 is the default setting since PostgreSQL 13.

Within this small block i will descibe how to switch over to scram-sha-256 using Microsofts Flexible Server for PostgreSQL on Azure.

The Flexible Server has two parameters for the configuration of the password encryption.

azure.accepted_password_auth_method

show azure.accepted_password_auth_method;
azure.accepted_password_auth_method    md5

password_encryption

show password_encryption;
password_encryption    md5

The azure.accepted_password_auth_method parameter is auth_method within pg_hba.conf.
The password_encryption is one to one the parameter from postgresql.conf.

Swichting to scram-sha-256 need three steps:

First switch password_encryption to scram-sha-256, keep azure.accepted_password_auth_method on md5:

azure.accepted_password_auth_method

show azure.accepted_password_auth_method;
azure.accepted_password_auth_method    md5

password_encryption

show password_encryption;
password_encryption    scram-sha-256

Second renew all user passwords to be rehashed with scram-sha-256!

Third switch azure.accepted_password_auth_metho to scram-sha-256:

azure.accepted_password_auth_method

show azure.accepted_password_auth_method;
azure.accepted_password_auth_method    scram-sha-256

password_encryption

show password_encryption;
password_encryption    scram-sha-256

These order is critical, not following means loosing all connectivity to the database including the admin user defined within the Azure portal.


Thumbnail [60x60]
by
Karsten Lenz