v1-0002-Add-documentation-regarding-effective-password-le.patch
application/octet-stream
Filename: v1-0002-Add-documentation-regarding-effective-password-le.patch
Type: application/octet-stream
Part: 0
Message:
Maximum password length
Patch
Format: format-patch
Series: patch v1-0002
Subject: Add documentation regarding effective password length limits.
| File | + | − |
|---|---|---|
| doc/src/sgml/client-auth.sgml | 80 | 0 |
| doc/src/sgml/libpq.sgml | 10 | 0 |
| doc/src/sgml/ref/clusterdb.sgml | 16 | 0 |
| doc/src/sgml/ref/createdb.sgml | 16 | 0 |
| doc/src/sgml/ref/createuser.sgml | 21 | 0 |
| doc/src/sgml/ref/dropdb.sgml | 16 | 0 |
| doc/src/sgml/ref/dropuser.sgml | 16 | 0 |
| doc/src/sgml/ref/pg_basebackup.sgml | 16 | 0 |
| doc/src/sgml/ref/pg_dumpall.sgml | 16 | 0 |
| doc/src/sgml/ref/pg_dump.sgml | 16 | 0 |
| doc/src/sgml/ref/pg_receivewal.sgml | 16 | 0 |
| doc/src/sgml/ref/pg_recvlogical.sgml | 16 | 0 |
| doc/src/sgml/ref/pg_restore.sgml | 16 | 0 |
| doc/src/sgml/ref/psql-ref.sgml | 16 | 0 |
| doc/src/sgml/ref/reindexdb.sgml | 16 | 0 |
| doc/src/sgml/ref/vacuumdb.sgml | 16 | 0 |
From 418697e051b36dcdcb1a07b79717e7c81629e36a Mon Sep 17 00:00:00 2001
From: Nathan Bossart <bossartn@amazon.com>
Date: Fri, 12 Oct 2018 17:26:37 +0000
Subject: [PATCH v1 2/3] Add documentation regarding effective password length
limits.
---
doc/src/sgml/client-auth.sgml | 80 ++++++++++++++++++++++++++++++++++++
doc/src/sgml/libpq.sgml | 10 +++++
doc/src/sgml/ref/clusterdb.sgml | 16 ++++++++
doc/src/sgml/ref/createdb.sgml | 16 ++++++++
doc/src/sgml/ref/createuser.sgml | 21 ++++++++++
doc/src/sgml/ref/dropdb.sgml | 16 ++++++++
doc/src/sgml/ref/dropuser.sgml | 16 ++++++++
doc/src/sgml/ref/pg_basebackup.sgml | 16 ++++++++
doc/src/sgml/ref/pg_dump.sgml | 16 ++++++++
doc/src/sgml/ref/pg_dumpall.sgml | 16 ++++++++
doc/src/sgml/ref/pg_receivewal.sgml | 16 ++++++++
doc/src/sgml/ref/pg_recvlogical.sgml | 16 ++++++++
doc/src/sgml/ref/pg_restore.sgml | 16 ++++++++
doc/src/sgml/ref/psql-ref.sgml | 16 ++++++++
doc/src/sgml/ref/reindexdb.sgml | 16 ++++++++
doc/src/sgml/ref/vacuumdb.sgml | 16 ++++++++
16 files changed, 319 insertions(+)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index c2114021c3..1ce581ae0a 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -994,6 +994,26 @@ omicron bryanh guest1
</varlistentry>
</variablelist>
+ <note>
+ <para>
+ While <literal>md5</literal> passwords do not have a defined maximum length
+ and <literal>scram-sha-256</literal> passwords may be up to 1024 characters
+ long, many client utilities (e.g. <application>psql</application>) will
+ truncate passwords provided via prompt to 99 characters. Longer passwords
+ may be specified using alternatives to password prompts such as the
+ <filename>.pgpass</filename> file (<xref linkend="libpq-pgpass"/>) and the
+ <envar>PGPASSWORD</envar> environment variable
+ (<xref linkend="libpq-envars"/>).
+ </para>
+ <para>
+ Furthermore, it should be noted that the server restricts password messages
+ to an effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal> authentication
+ methods, it may not be enough for passwords sent in clear-text via the
+ method <literal>password</literal>.
+ </para>
+ </note>
+
<para>
<productname>PostgreSQL</productname> database passwords are
separate from operating system user passwords. The password for
@@ -1482,6 +1502,21 @@ omicron bryanh guest1
two separate connections to the LDAP server to be made.
</para>
+ <note>
+ <para>
+ While PostgreSQL's LDAP authentication method does not have a defined
+ maximum password length, many client utilities (e.g.
+ <application>psql</application>) will truncate passwords provided via
+ prompt to 99 characters. Longer passwords may be specified using
+ alternatives to password prompts such as the <filename>.pgpass</filename>
+ file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it should
+ be noted that the server restricts password messages to an effective limit
+ of 995 characters, which presents an upper bound to the length of passwords
+ that will work with LDAP authentication.
+ </para>
+ </note>
+
<para>
The following configuration options are used in both modes:
<variablelist>
@@ -1765,6 +1800,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
a single value, in which case this value will apply to all servers.
</para>
+ <note>
+ <para>
+ While PostgreSQL's RADIUS authentication method does not have a defined
+ maximum password length, many client utilities (e.g.
+ <application>psql</application>) will truncate passwords provided via
+ prompt to 99 characters. Longer passwords may be specified using
+ alternatives to password prompts such as the <filename>.pgpass</filename>
+ file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it should
+ be noted that the server restricts password messages to an effective limit
+ of 995 characters, which presents an upper bound to the length of passwords
+ that will work with RADIUS authentication.
+ </para>
+ </note>
+
<para>
The following configuration options are supported for RADIUS:
<variablelist>
@@ -1893,6 +1943,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
<productname>Linux-PAM</productname> Page</ulink>.
</para>
+ <note>
+ <para>
+ While PostgreSQL's PAM authentication method does not have a defined
+ maximum password length, many client utilities (e.g.
+ <application>psql</application>) will truncate passwords provided via
+ prompt to 99 characters. Longer passwords may be specified using
+ alternatives to password prompts such as the <filename>.pgpass</filename>
+ file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it should
+ be noted that the server restricts password messages to an effective limit
+ of 995 characters, which presents an upper bound to the length of passwords
+ that will work with PAM authentication.
+ </para>
+ </note>
+
<para>
The following configuration options are supported for PAM:
<variablelist>
@@ -1956,6 +2021,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
exist, and <productname>PostgreSQL</productname> will use the default login class.
</para>
+ <note>
+ <para>
+ While PostgreSQL's BSD authentication method does not have a defined
+ maximum password length, many client utilities (e.g.
+ <application>psql</application>) will truncate passwords provided via
+ prompt to 99 characters. Longer passwords may be specified using
+ alternatives to password prompts such as the <filename>.pgpass</filename>
+ file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it should
+ be noted that the server restricts password messages to an effective limit
+ of 995 characters, which presents an upper bound to the length of passwords
+ that will work with BSD authentication.
+ </para>
+ </note>
+
<note>
<para>
To use BSD Authentication, the PostgreSQL user account (that is, the
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 06d909e804..28d5c0e57c 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1102,6 +1102,16 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<para>
Password to be used if the server demands password authentication.
</para>
+ <note>
+ <para>
+ The server restricts password messages to an effective limit of 995
+ characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/clusterdb.sgml b/doc/src/sgml/ref/clusterdb.sgml
index ed343dd7da..6b41910e8c 100644
--- a/doc/src/sgml/ref/clusterdb.sgml
+++ b/doc/src/sgml/ref/clusterdb.sgml
@@ -239,6 +239,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/createdb.sgml b/doc/src/sgml/ref/createdb.sgml
index 2658efeb1a..dc995bb295 100644
--- a/doc/src/sgml/ref/createdb.sgml
+++ b/doc/src/sgml/ref/createdb.sgml
@@ -274,6 +274,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml
index 22ee99f2cc..e1db7f96e6 100644
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -213,6 +213,11 @@ PostgreSQL documentation
the password of the new user. This is not necessary if you do not plan
on using password authentication.
</para>
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ </para>
+ </note>
</listitem>
</varlistentry>
@@ -378,6 +383,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
</variablelist>
diff --git a/doc/src/sgml/ref/dropdb.sgml b/doc/src/sgml/ref/dropdb.sgml
index 38f38f01ce..5e96079d0d 100644
--- a/doc/src/sgml/ref/dropdb.sgml
+++ b/doc/src/sgml/ref/dropdb.sgml
@@ -194,6 +194,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 3d4e4b37b3..8904f68119 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -198,6 +198,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
</variablelist>
diff --git a/doc/src/sgml/ref/pg_basebackup.sgml b/doc/src/sgml/ref/pg_basebackup.sgml
index c9f6ce4bb3..d97a859b53 100644
--- a/doc/src/sgml/ref/pg_basebackup.sgml
+++ b/doc/src/sgml/ref/pg_basebackup.sgml
@@ -641,6 +641,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
</variablelist>
diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml
index 790e81c32c..96b16824a8 100644
--- a/doc/src/sgml/ref/pg_dump.sgml
+++ b/doc/src/sgml/ref/pg_dump.sgml
@@ -1172,6 +1172,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/pg_dumpall.sgml b/doc/src/sgml/ref/pg_dumpall.sgml
index c51a130f43..b8c489ef55 100644
--- a/doc/src/sgml/ref/pg_dumpall.sgml
+++ b/doc/src/sgml/ref/pg_dumpall.sgml
@@ -623,6 +623,22 @@ PostgreSQL documentation
to be dumped. Usually, it's better to set up a
<filename>~/.pgpass</filename> file than to rely on manual password entry.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/pg_receivewal.sgml b/doc/src/sgml/ref/pg_receivewal.sgml
index a18ddd4bff..55c3580f04 100644
--- a/doc/src/sgml/ref/pg_receivewal.sgml
+++ b/doc/src/sgml/ref/pg_receivewal.sgml
@@ -325,6 +325,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
</variablelist>
diff --git a/doc/src/sgml/ref/pg_recvlogical.sgml b/doc/src/sgml/ref/pg_recvlogical.sgml
index 141c5cddce..d052db8fa8 100644
--- a/doc/src/sgml/ref/pg_recvlogical.sgml
+++ b/doc/src/sgml/ref/pg_recvlogical.sgml
@@ -356,6 +356,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
</variablelist>
diff --git a/doc/src/sgml/ref/pg_restore.sgml b/doc/src/sgml/ref/pg_restore.sgml
index 725acb192c..726d53eba0 100644
--- a/doc/src/sgml/ref/pg_restore.sgml
+++ b/doc/src/sgml/ref/pg_restore.sgml
@@ -781,6 +781,22 @@
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/psql-ref.sgml b/doc/src/sgml/ref/psql-ref.sgml
index eb9d93a168..c49e925cc5 100644
--- a/doc/src/sgml/ref/psql-ref.sgml
+++ b/doc/src/sgml/ref/psql-ref.sgml
@@ -526,6 +526,22 @@ EOF
and so it affects uses of the meta-command
<command>\connect</command> as well as the initial connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password prompts
+ such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/reindexdb.sgml b/doc/src/sgml/ref/reindexdb.sgml
index 1273dad807..ddc1b7cd56 100644
--- a/doc/src/sgml/ref/reindexdb.sgml
+++ b/doc/src/sgml/ref/reindexdb.sgml
@@ -307,6 +307,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/ref/vacuumdb.sgml b/doc/src/sgml/ref/vacuumdb.sgml
index 955a17a849..ca7ff34816 100644
--- a/doc/src/sgml/ref/vacuumdb.sgml
+++ b/doc/src/sgml/ref/vacuumdb.sgml
@@ -332,6 +332,22 @@ PostgreSQL documentation
In some cases it is worth typing <option>-W</option> to avoid the extra
connection attempt.
</para>
+
+ <note>
+ <para>
+ Passwords provided via prompt will be truncated to 99 characters.
+ Longer passwords may be specified using alternatives to password
+ prompts such as the <filename>.pgpass</filename> file
+ (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+ environment variable (<xref linkend="libpq-envars"/>). However, it
+ should be noted that the server restricts password messages to an
+ effective limit of 995 characters. While this is enough for the
+ <literal>scram-sha-256</literal> and <literal>md5</literal>
+ authentication methods, it may not be enough for passwords sent in
+ clear-text via methods such as <literal>password</literal>. See
+ <xref linkend="client-authentication"/> for more information.
+ </para>
+ </note>
</listitem>
</varlistentry>
--
2.16.2