SHA512 Hash Upgrade Guidelines
Are there any guidelines or best practices around changing the hash authentication after upgrading from 7.0 to 7.1? I'm under the impression that during the upgrade, the hash will remain as MD5. Post upgrade, SHA512 should then be explicitly set using
SET_CONFIG_PARAMETER(SecurityAlgorithm, 'SHA512');
forcing user passwords to expire.
Comments
Hello Norbert,
You are correct. Prior to 7.1, MD5 is the only encryption algorithm available. 7.1 adds SHA512. After upgrading to 7.1, MD5 is still the default algorithm. If SHA512 is desired, it will have to be configured manually, and users' passwords will have to be set to expire manually, or you need to ask users to change their passwords. Below is an excerpt from the 7.1 documentation:
HP Vertica 7.1 provides the capability to use the Secure Hash Algorithm—specifically, SHA-512—for password encryption.
When you upgrade to HP Vertica 7.1, the MD5 encryption is the default hash algorithm. The SHA-512 algorithm provides more secure hashing than MD5.
You configure the hash algorithm in one of two ways:
• At the system level, set the SecurityAlgorithm configuration parameter. Valid values are:
  • 'NONE'
  • 'MD5'
  • 'SHA512'
  This setting applies to all users, unless the DBADMIN has set the user-level parameter to 'MD5' or 'SHA512'. In that case, the user-level value overrides the system-level value.
• At the user level, use ALTER USER to set the Security_Algorithm user parameter. Valid values are the same as for the system-level parameter:
  • 'NONE'
  • 'MD5'
  • 'SHA512'
  If the value of the user-level parameter Security_Algorithm is 'NONE', HP Vertica uses the algorithm specified in the system-level parameter, SecurityAlgorithm. If both parameters are 'NONE', HP Vertica uses the MD5 algorithm.
Upgrade Considerations for Hash Authentication:
For HP Vertica releases prior to 7.1, MD5 is the only algorithm used for hashing passwords. In HP Vertica 7.1, you can use either the MD5 algorithm or the more secure SHA-512 algorithm. Before you upgrade, you must consider the following behaviors.
Upgrade the Client and Server
To implement the more secure SHA-512 algorithm for hashing passwords, you must upgrade both the client and the server to HP Vertica 7.1 or higher. Suppose you upgrade the server but not the client. Then you configure one or more users to have their passwords stored using SHA-512. The client does not understand hashing with SHA-512. When it sends a message to the server, the server returns an error.
User-Level Parameter Has Priority Over System-Level Parameter
When you initially upgrade from a pre-7.1 database, the user-level parameter Security_Algorithm is set to 'NONE'. This allows all existing users to continue connecting to the HP Vertica server, and their passwords are hashed using MD5.
If you want one or more users to use the SHA-512 algorithm, first set the system-level parameter SecurityAlgorithm to 'SHA512'. Then you must do one of the following:
• Manually set the user's user-level security algorithm to 'SHA512'. Then, change the user's password, as in the following statement:
  => ALTER USER username SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'newpassword';
• Set the user's password to expire immediately, as in the following statement. After the password expires, the user responds by changing it.
  => ALTER USER username PASSWORD EXPIRE;
• Ask the user to change the password.
All new passwords inherit the system-level security algorithm, which is SHA-512.
Important: The change does not take effect until after the user password changes. Just changing the system-level parameter to SHA-512 does not change the hash algorithm to SHA-512 for existing users.
Regards,
Han
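As an added worked example (not part of the original post, and not taken from the Vertica documentation Han quotes), here is the whole switch-over from MD5 to SHA-512 as the DBADMIN would run it in vsql after the 7.1 upgrade, combining the SET_CONFIG_PARAMETER call from the question with the two ALTER USER forms from the excerpt. It assumes that the v_catalog.users table with its user_name column, the GET_CONFIG_PARAMETER function and CURRENT_USER are available (none of them is mentioned on this page); etl_loader is a made-up account name.

```sql
-- Added example, not from the original post or from Vertica's documentation.
-- Run as DBADMIN in vsql after every client has been upgraded to 7.1 or later
-- (the excerpt above notes that a pre-7.1 client gets an error against an
-- SHA-512 password).
-- Assumptions: v_catalog.users (user_name column), GET_CONFIG_PARAMETER and
-- CURRENT_USER exist as used here.

-- 1. Record the system-level algorithm before the change (expected: MD5 after upgrade).
SELECT GET_CONFIG_PARAMETER('SecurityAlgorithm') AS algorithm_before;

-- 2. Switch the system-level default. Per the excerpt, this affects only passwords
--    that are set from now on; existing hashes stay MD5 until each password changes.
SELECT SET_CONFIG_PARAMETER('SecurityAlgorithm', 'SHA512');

-- 3. Confirm the parameter now reads SHA512.
SELECT GET_CONFIG_PARAMETER('SecurityAlgorithm') AS algorithm_after;

-- 4a. Service accounts whose secrets you manage yourself: rehash immediately by
--     pinning the user-level algorithm and setting a new password in one statement.
--     'etl_loader' is a placeholder account; replace the password with a real secret.
ALTER USER etl_loader SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'REPLACE-WITH-STRONG-SECRET';

-- 4b. Interactive users: generate one PASSWORD EXPIRE statement per account, excluding
--     the session running this script, then review and execute the generated output.
--     Each user's next password change is hashed with the new system default.
SELECT 'ALTER USER "' || user_name || '" PASSWORD EXPIRE;' AS expire_statement
  FROM v_catalog.users
 WHERE user_name <> CURRENT_USER
 ORDER BY user_name;
```

Two design points follow from the excerpt. Step 4a sets the user-level Security_Algorithm, which overrides the system-level value for that account, so any later change to SecurityAlgorithm will not touch that user until you reset the user-level parameter; use it for accounts you own, and prefer the expire route (4b) for everyone else so the system-level setting remains the single source of truth. Step 4b only prints statements; keeping generation and execution separate lets you check the list before locking anyone out of a scheduled job, and excluding CURRENT_USER avoids expiring the administrator's own password mid-migration.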