OpenText Analytics Database 26.2.x – Hash authentication

Security-and-Authentication: Password hashing algorithm

Mon, 01 Jan 0001 00:00:00 +0000

Note

OpenText strongly recommends that you use SHA-512 for hash authentication.

OpenText™ Analytics Database does not store user passwords for the hash authentication method. Rather, the database stores a hash of the password. The hashing algorithm is determined by two parameters:

A system-level configuration parameter, SecurityAlgorithm:

=> ALTER DATABASE DEFAULT SET PARAMETER SecurityAlgorithm = 'hashing_algorithm';

A user-level parameter, SECURITY_ALGORITHM:

=> ALTER USER username SECURITY_ALGORITHM 'hashing_algorithm' IDENTIFIED BY 'new_password';

The system-level parameter, SecurityAlgorithm, can have the following values:

SHA512 (default)
MD5

The user-level parameter, SECURITY_ALGORITHM, can have the following values. Values other than NONE will take priority over the system-level parameter:

NONE (default, uses algorithm specified by the system-level parameter SecurityAlgorithm)
SHA512
MD5

Note
If user's password is hashed with MD5, you cannot change their username with ALTER USER.

A user's EFFECTIVE_SECURITY_ALGORITHM is determined by a combination of the system-level and user-level parameters. If the user-level parameter is set to NONE, the effective security algorithm will be that of the system-level parameter. You can override the system-level parameter for a particular user by setting the user-level parameter to a non-NONE value.

You can view these parameters and their effects on each user by querying the system table PASSWORD_AUDITOR.

The following table shows the various combinations of the system-level and user-level parameters and the effective security algorithm for each.

FIPS mode forces the effective security algorithm to be SHA-512.

Parameter value	Effective Security Algorithm
System level: SecurityAlgorithm	User-level: SECURITY_ALGORITHM	Algorithm Used	Algorithm Used (FIPS mode)
`MD5`	`NONE`	MD5	SHA-512
`SHA512`	`NONE`	SHA-512	SHA-512
`MD5`	`MD5`	MD5	SHA-512
`SHA512`	`MD5`	MD5	SHA-512
`MD5`	`SHA512`	SHA-512	SHA-512
`SHA512`	`SHA512`	SHA-512	SHA-512

Security-and-Authentication: Configuring hash authentication

Mon, 01 Jan 0001 00:00:00 +0000

The hash authentication method allows users to authenticate with a password.

OpenText™ Analytics Database stores hashes (SHA-512 by default) of passwords and not the passwords themselves. For details, see Password hashing algorithm.

Create an authentication record with the hash method. Authentication records are automatically enabled after creation. For example, to create the authentication record v_hash for users that log in from the IP address 192.0.2.0/24:
```
=> CREATE AUTHENTICATION v_hash METHOD 'hash' HOST '192.0.2.0/24';
```
Associate the v_hash authentication method with the desired users or roles, using a GRANT statement:
```
=> GRANT AUTHENTICATION v_hash to user1, user2, ...;
```

Security-and-Authentication: Passwords

Mon, 01 Jan 0001 00:00:00 +0000

Assign a password to a user to allow that user to connect to the database using password authentication. When the user supplies the correct password a connection to the database occurs.

OpenText™ Analytics Database hashes passwords according to each user's EFFECTIVE_SECURITY_ALGORITHM. However, the transmission of the hashed password from the client to the database is in plaintext. Thus, it is possible for a "man-in-the-middle" attack to intercept the plaintext password from the client.

Configuring Hash authentication ensures secure login using passwords.

About password creation and modification

You must be a superuser to create passwords for user accounts using the CREATE USER statement. A superuser can set any user account's password.

To add a password, use the ALTER USER statement.
To change a password, use ALTER USER or the vsql meta-command \password.

Users can also change their own passwords.

To make password authentication more effective, it is recommended that you enforce password policies that control how often users are forced to change passwords and the required content of a password. You set these policies using Profiles.

Default password authentication

When you have not specified any authentication methods, the database defaults to using password authentication for user accounts that have passwords.

If you create authentication methods, even for remote hosts, password authentication is disabled. In such cases, you must explicitly enable password authentication. The following commands create the local_pwd authentication method and make it the default for all users. When you create an authentication method, the database enables it automatically:

=> CREATE AUTHENTICATION local_pwd METHOD hash' LOCAL;
=> GRANT AUTHENTICATION local_pwd To Public;