From 5a80bd6f98c7f83dc9e1fef56c71be2f5570ba29 Mon Sep 17 00:00:00 2001 From: Nathan Bossart Date: Wed, 11 Feb 2026 11:56:15 -0600 Subject: [PATCH v1 1/1] Add warning upon successful MD5 password authentication. --- doc/src/sgml/config.sgml | 7 ++++--- src/backend/libpq/crypt.c | 17 +++++++++++++++++ src/test/authentication/t/001_password.pl | 7 ++++--- 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 6bc2690ce07..a1f3ca65ed2 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1188,9 +1188,10 @@ include_dir 'conf.d' Controls whether a WARNING about MD5 password - deprecation is produced when a CREATE ROLE or - ALTER ROLE statement sets an MD5-encrypted password. - The default value is on. + deprecation is produced upon successful MD5 password authentication or + when a CREATE ROLE or ALTER ROLE + statement sets an MD5-encrypted password. The default value is + on. diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c index dbdd0e40f41..37ccec355c7 100644 --- a/src/backend/libpq/crypt.c +++ b/src/backend/libpq/crypt.c @@ -294,7 +294,24 @@ md5_crypt_verify(const char *role, const char *shadow_pass, } if (strcmp(client_pass, crypt_pwd) == 0) + { retval = STATUS_OK; + + if (md5_password_warnings) + { + MemoryContext oldcontext; + char *warning; + char *detail; + + oldcontext = MemoryContextSwitchTo(TopMemoryContext); + + warning = pstrdup(_("authenticated with an MD5-encrypted password")); + detail = pstrdup(_("MD5 password support is deprecated and will be removed in a future release of PostgreSQL.")); + StoreConnectionWarning(warning, detail); + + MemoryContextSwitchTo(oldcontext); + } + } else { *logdetail = psprintf(_("Password does not match for user \"%s\"."), diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl index 0ec9aa9f4e8..45f9f3504f7 100644 --- a/src/test/authentication/t/001_password.pl +++ b/src/test/authentication/t/001_password.pl @@ -498,9 +498,10 @@ test_conn($node, 'user=scram_role', 'md5', 0, SKIP: { skip "MD5 not supported" unless $md5_works; - test_conn($node, 'user=md5_role', 'md5', 0, - log_like => - [qr/connection authenticated: identity="md5_role" method=md5/]); + my @test_params = (); + push @test_params, log_like => [qr/connection authenticated: identity="md5_role" method=md5/]; + push @test_params, expected_stderr => qr/authenticated with an MD5-encrypted password/; + test_conn($node, 'user=md5_role', 'md5', 0, @test_params); } # require_auth succeeds with SCRAM required. -- 2.50.1 (Apple Git-155)