| From: | Ron Johnson <ronljohnsonjr(at)gmail(dot)com> |
|---|---|
| To: | "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Password Encryption and Connection Issues |
| Date: | 2025-07-09 15:09:10 |
| Message-ID: | CANzqJaC2zgNWzizoXLHS6EOmKOOezq3Rnd9WvJZ2rB7-__=OEA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wed, Jul 9, 2025 at 10:59 AM Greg Sabino Mullane <htamfids(at)gmail(dot)com>
wrote:
> On Wed, Jul 9, 2025 at 9:57 AM Alpaslan AKDAĞ <alpaslanakdag(at)gmail(dot)com>
> wrote:
>
>> Is it expected behavior that users created with scram-sha-256 passwords
>> can still connect via md5 in pg_hba.conf?
>
>
> Yes. From the docs:
>
>> To ease transition from the md5 method to the newer SCRAM method, if md5 is
>> specified as a method in pg_hba.conf but the user's password on the
>> server is encrypted for SCRAM (see below), then SCRAM-based authentication
>> will automatically be chosen instead.
>
>
> You can think of "md5" inside pg_hba.conf as "md5 or better"
>
> As a result, some users are able to connect, while others cannot.
>
>
> Can you expand on this? Nothing you have done should be preventing logins,
> as far as I can tell.
>
> Best solution: Upgrade everyone to scram, then change md5 to scram in
> pg_hba.conf and never look back.
>
That requires setting the password to null and then recreating the
password, no? Otherwise IIRC, changing an md5 password leaves the new
password also in md5 format.
--
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2025-07-09 15:11:29 | Re: Password Encryption and Connection Issues |
| Previous Message | Greg Sabino Mullane | 2025-07-09 14:58:15 | Re: Password Encryption and Connection Issues |