md5 authentication working?

Hi,

I'm getting ready to open up port 80 of my apache/pgsql server to the
world and am working on tightening up security.

I have password based authentication working with phpPgAdmin, and Apache
mod_auth_pgsql, as well as PHP.

However, when I set the authentication to md5:

local all all md5

in pg_hba.conf it just works. Always. It doesn't matter if I have
auth_PG_hash_type set to CRYPT in auth_pgsql.conf, or whether or not I:

alter user USERNAME with password PASSWORD

or

alter user USERNAME with encrypted password PASSWORD

No matter what I do, as long as the user and password are correct, it
works. If I set the passwords differently, it correctly denies access.

Looking in /var/lib/pgsql/global/pg_pwd shows passwords with an md5
prefix and which are obviously encrypted. In fact, even the users I
have not altered to use encrypted passwords have them.

I'm running Fedora Core 1 with the vendor provided 7.4.2-1 rpms, and
stock Fedora Core 1 apache and mod_auth_pgsql. PHP is 5.0.0 from
php.net.

So, is my information old, and md5 is "just standard" now? Or is
something else going on?

Thanks,
Steve Bergman