Configuring Hash Authentication

Follow these steps to configure hash authentication:

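  1. Create an authentication method that uses password hashing (the 'hash' method). A newly created authentication method is automatically enabled for use.

    The following example shows how to create an authentication method v_hash for users logging in from the address range 10.0.0.0/0. In CIDR notation a /0 prefix length matches every IPv4 address, so use a longer prefix to restrict the method to a specific network.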

    => CREATE AUTHENTICATION v_hash METHOD 'hash' HOST '10.0.0.0/0';

    If users are trying to connect from an IPv6 address, the statement might look like this example:

    => CREATE AUTHENTICATION v_hash METHOD 'hash' HOST '2001:db8:ab::123/128';
  2. Decide which password-hashing algorithm you want to use: MD5 or the more secure SHA-512.
  3. Specify the security algorithm as follows:
    • At the system level, set the SecurityAlgorithm configuration parameter with one of the following statements. This setting applies to all users, unless their user-level security is set to another value:

      => ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'MD5';
      => ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';

      If you want users to inherit the system-level security, set their passwords to expire immediately. Users must change their passwords before they log in again. Alternatively, you can ask users to change their passwords. Vertica hashes all new passwords using the system-level security algorithm.

    • At the user level, use ALTER USER with one of the following statements to set the Security_Algorithm user parameter. Changing this parameter at the user level overrides the system-level value:

      => ALTER USER username SECURITY_ALGORITHM 'MD5' IDENTIFIED BY 'newpassword';
      => ALTER USER username SECURITY_ALGORITHM 'SHA512' IDENTIFIED BY 'newpassword';
  4. Associate the v_hash authentication method with the desired users or user roles, using a GRANT statement:

    => GRANT AUTHENTICATION v_hash TO user1, user2, ...;
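
The steps above carried through for a move from MD5 to SHA-512 hashes, as an added example that is not part of the original documentation. The method name v_hash_internal and the subnet 10.20.0.0/16 are assumed values; ALTER USER ... PASSWORD EXPIRE and the system tables CLIENT_AUTH, USER_CLIENT_AUTH and PASSWORD_AUDITOR are Vertica features that this page does not mention.

```sql
-- Added example (not from the original page).
-- Assumed names: v_hash_internal, subnet 10.20.0.0/16, users user1 and user2.

-- 1. Accept hash authentication only from the internal subnet.
--    A /16 prefix is used instead of /0 so other source addresses do not match.
CREATE AUTHENTICATION v_hash_internal METHOD 'hash' HOST '10.20.0.0/16';

-- 2. Make SHA-512 the system-level algorithm for newly set passwords.
ALTER DATABASE DEFAULT SET SecurityAlgorithm = 'SHA512';

-- 3. Stored hashes are not converted when the parameter changes.
--    Expire the passwords so each user must set a new one,
--    which is then hashed with the system-level algorithm.
ALTER USER user1 PASSWORD EXPIRE;
ALTER USER user2 PASSWORD EXPIRE;

-- 4. Associate the method with the users.
GRANT AUTHENTICATION v_hash_internal TO user1, user2;

-- 5. Confirm the method definition and who it is granted to.
SELECT * FROM client_auth      WHERE auth_name = 'v_hash_internal';
SELECT * FROM user_client_auth WHERE auth_name = 'v_hash_internal';

-- 6. List accounts whose stored password hash was produced with a
--    different algorithm than the one now in effect for them,
--    i.e. users who have not yet changed their password.
SELECT user_name,
       current_security_algorithm,
       effective_security_algorithm
FROM   password_auditor
WHERE  current_security_algorithm <> effective_security_algorithm;
```

An empty result from the last query means every account that has a password is already hashed with the algorithm in effect for it.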

For more information about how these parameters work, see Hash Authentication Parameters.