Re: md5_password_warnings for password auth with MD5-encrypted passwords

From: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
To: masao(dot)fujii(at)gmail(dot)com
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: md5_password_warnings for password auth with MD5-encrypted passwords
Date: 2026-06-23 04:49:09
Message-ID: 20260623.134909.1732049979153597000.horikyota.ntt@gmail.com
Lists: pgsql-hackers

Hello,

At Tue, 23 Jun 2026 10:39:42 +0900, Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote in
> While testing md5_password_warnings, I noticed that authentication
> with an MD5-encrypted password emits the expected warning when the HBA
> method is md5, but not when it is password.
>
> Was this intentional, or just an oversight?
>
> I couldn't find any discussion about this, so I put together the
> attached patch. It updates the authentication code to emit the same
> MD5 deprecation connection warning after successful password
> authentication when the stored password is MD5-encrypted.

The current behavior seems reasonable to me. The warning is intended
to discourage the use of MD5 password authentication and MD5 password
storage. In the password authentication case, the authentication
protocol itself does not use MD5, and MD5 password storage is already
warned about when the verifier is created. Therefore I don't see a
strong reason to emit an additional warning during
authentication. Also, given that MD5 password authentication is
already deprecated and expected to be removed eventually, I don't see
a strong reason to change this behavior now.

Regards,

--
Kyotaro Horiguchi
NTT Open Source Software Center
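The distinction the two messages above turn on is where the warning fires: at verifier creation for MD5 storage, and at login only when the HBA method is md5, not password. A defender reviewing a cluster therefore has to cross-reference the stored verifiers with the pg_hba.conf rules that would authenticate them. The script below is an added example, not code from the thread or from PostgreSQL; it parses a constructed pg_hba.conf fragment and a constructed dictionary standing in for pg_authid.rolname/rolpassword, and reports every MD5-verifier role that a md5 or password rule would let in. The verifier formats (md5 + 32 hex digits, SCRAM-SHA-256$ prefix) are the real ones; the sample data, rule matching and finding text are assumptions of this example.

```python
"""Added audit helper (not from the thread or PostgreSQL): list roles whose
stored verifier is MD5 and the pg_hba.conf rules that would let them log in."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# An MD5 verifier is the literal prefix "md5" followed by 32 hex digits
# (md5 of password || role name); SCRAM verifiers begin with "SCRAM-SHA-256$".
MD5_VERIFIER_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_PREFIX = "SCRAM-SHA-256$"

# Authentication method keywords accepted in pg_hba.conf.
HBA_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}


@dataclass
class HbaRule:
    conn_type: str
    database: str
    user: str
    address: str | None
    method: str
    options: list[str] = field(default_factory=list)


def parse_hba(text: str) -> list[HbaRule]:
    """Parse whitespace-separated pg_hba.conf lines (comments stripped).
    Handles 'local' rules and host rules with CIDR or address/netmask form."""
    rules: list[HbaRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"malformed local rule: {raw!r}")
            rules.append(HbaRule("local", fields[1], fields[2], None,
                                 fields[3], fields[4:]))
            continue
        if len(fields) < 5:
            raise ValueError(f"malformed host rule: {raw!r}")
        # CIDR form: method is field 4; address + netmask form: field 5.
        if fields[4] in HBA_METHODS:
            address, midx = fields[3], 4
        else:
            address, midx = f"{fields[3]} {fields[4]}", 5
        if midx >= len(fields):
            raise ValueError(f"missing method: {raw!r}")
        rules.append(HbaRule(fields[0], fields[1], fields[2], address,
                             fields[midx], fields[midx + 1:]))
    return rules


def classify_verifier(rolpassword: str | None) -> str:
    """Classify a pg_authid.rolpassword value: none, md5, scram-sha-256 or unknown."""
    if rolpassword is None:
        return "none"
    if MD5_VERIFIER_RE.match(rolpassword):
        return "md5"
    if rolpassword.startswith(SCRAM_PREFIX):
        return "scram-sha-256"
    return "unknown"


def rule_matches_user(rule: HbaRule, rolname: str) -> bool:
    """Minimal user-column match: 'all', an exact name, or a comma list.
    Group (+name) and file (@file) references are treated as non-matching."""
    return any(u == "all" or u == rolname for u in rule.user.split(","))


def audit(hba_text: str, roles: dict[str, str | None]) -> list[tuple[str, str, str]]:
    """Return (role, method, note) for every MD5-verifier role that a md5 or
    password HBA rule would authenticate. Notes reflect the thread's point:
    the md5 method warns at login, the password method does not."""
    findings: list[tuple[str, str, str]] = []
    rules = parse_hba(hba_text)
    for rolname, verifier in roles.items():
        if classify_verifier(verifier) != "md5":
            continue
        for rule in rules:
            if not rule_matches_user(rule, rolname):
                continue
            if rule.method == "md5":
                findings.append((rolname, "md5", "MD5 challenge on the wire; login warning"))
            elif rule.method == "password":
                findings.append((rolname, "password",
                                 "cleartext password on the wire unless TLS; no login warning"))
    return findings


# Constructed sample inputs for the example; not real configuration or roles.
SAMPLE_HBA = """\
# constructed sample, not a real configuration
local   all   all                                   peer
host    all   legacy_app  10.0.0.0/8                md5
host    all   reporter    10.0.0.5 255.255.255.255  password
host    all   all         0.0.0.0/0                 scram-sha-256
"""
SAMPLE_ROLES: dict[str, str | None] = {
    "legacy_app": "md5" + "0" * 32,  # constructed MD5 verifier
    "reporter": "md5" + "a" * 32,    # constructed MD5 verifier
    "admin": "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk$c2VydmVy",  # constructed
    "postgres": None,
}

if __name__ == "__main__":
    for role, method, note in audit(SAMPLE_HBA, SAMPLE_ROLES):
        print(f"{role}: {method} -> {note}")
```

On a live cluster the `SAMPLE_ROLES` dictionary would be built from `SELECT rolname, rolpassword FROM pg_authid` (superuser only) and `SAMPLE_HBA` read from the file reported by `SHOW hba_file`; the script deliberately keeps both as inline constructed data so it runs offline.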
