| From: | Andreas Karlsson <andreas(at)proxel(dot)se> |
|---|---|
| To: | Nathan Bossart <nathandbossart(at)gmail(dot)com> |
| Cc: | pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: add warning upon successful md5 password auth |
| Date: | 2026-02-17 06:08:17 |
| Message-ID: | 3c4c95a2-c27b-4d9c-8eda-c96a17ba1d37@proxel.se |
| Lists: | pgsql-hackers |

On 2/13/26 6:26 PM, Nathan Bossart wrote:
> On Fri, Feb 13, 2026 at 06:04:14AM +0100, Andreas Karlsson wrote:
>> The patch looks good and I think it would make sense to merge it in 19, why
>> wait for 20? But the main question I see is if this is too noisy or not.
>> Some applications connect to PostgreSQL quite a lot and I am sure we would
>> make some users unhappy so I am not fully on board with this patch. But on
>> the other hand we have way too many people who still use md5 and we really
>> should push them towards using scram.
>
> FWIW if users are really annoyed with these warnings, they can disable them
> by setting md5_password_warnings to off. But I think we really ought to do
> something like $subject before we completely remove MD5 password support.

After thinking more on the subject I have come around. I think warning
spam (that can be disabled) is fine and why not introduce it directly in 19?

As for the patch itself I think it looks good, but I am not a fan of the
test code. Why not simply write like the below?

    test_conn($node, 'user=md5_role', 'md5', 0,
        log_like =>
          [qr/connection authenticated: identity="md5_role" method=md5/],
        expected_stderr =>
          [qr/authenticated with an MD5-encrypted password/])

Andreas