Re:add warning upon successful md5 password auth

From: "Xiangyu Liang" <liangxiangyu_2013(at)163(dot)com>
To: "Nathan Bossart" <nathandbossart(at)gmail(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re:add warning upon successful md5 password auth
Date: 2026-02-12 02:22:21
Message-ID: 3e247feb.12f6.19c4fa8156a.Coremail.liangxiangyu_2013@163.com
Lists: pgsql-hackers

At 2026-02-12 03:52:33, "Nathan Bossart" <nathandbossart(at)gmail(dot)com> wrote:
>From a related discussion last year [0]:
>
>On Tue, Jun 03, 2025 at 12:09:50PM -0500, Nathan Bossart wrote:
>> On Tue, Jun 03, 2025 at 09:43:59AM -0500, Nathan Bossart wrote:
>>> On Tue, Jun 03, 2025 at 10:34:06AM -0400, Tom Lane wrote:
>>>> If we really want to be in peoples' face about this, the thing
>>>> to do is to print a warning every time they log in with an MD5
>>>> password. Also, to Michael's point, that really would be exactly
>>>> the same place where the eventual "sorry, not supported anymore"
>>>> message will be.
>>>
>>> I held off on this because I was worried it might be far too noisy. That
>>> does seem like it has the best chance of getting folks' attention, though.
>>> If it's too noisy, users can always turn off the warnings.
>>
>> Here is a draft-grade patch that adds a WARNING upon successful
>> authentication with an MD5 password. It's a little hacky because AFAICT we
>> need to wait until well after authentication (for GUCs to be set up, etc.)
>> before we actually emit the WARNING. When the time comes to remove MD5
>> password support completely, we'll need to do something like modify
>> CheckMD5Auth() to always return STATUS_ERROR with an appropriate logdetail
>> message.
>
>Since I just added a "connection warnings" infrastructure in commit
>1d92e0c2cc, I thought it might be a good time to revisit this idea.
>Attached is an updated patch. I'm not sure this is v19 material. It could
>make sense to wait until v20 or something. But I figured it was worth at
>least having the discussion.
>
>[0] https://postgr.es/m/aD8sXgfJeIGLc7-t%40nathan
>
>--
>nathan

This looks like a solid patch. I’ve taken a look and don’t have any comments.
I applied it locally and the build went through without any issues.
I also ran the new TAP test case, and everything looks good on my side.

Regards,
Xiangyu Liang
