v1-0002-Add-documentation-regarding-effective-password-le.patch

application/octet-stream

Filename: v1-0002-Add-documentation-regarding-effective-password-le.patch
Type: application/octet-stream
Part: 0
Message: Maximum password length

Patch

Format: format-patch
Series: patch v1-0002
Subject: Add documentation regarding effective password length limits.
File+
doc/src/sgml/client-auth.sgml 80 0
doc/src/sgml/libpq.sgml 10 0
doc/src/sgml/ref/clusterdb.sgml 16 0
doc/src/sgml/ref/createdb.sgml 16 0
doc/src/sgml/ref/createuser.sgml 21 0
doc/src/sgml/ref/dropdb.sgml 16 0
doc/src/sgml/ref/dropuser.sgml 16 0
doc/src/sgml/ref/pg_basebackup.sgml 16 0
doc/src/sgml/ref/pg_dumpall.sgml 16 0
doc/src/sgml/ref/pg_dump.sgml 16 0
doc/src/sgml/ref/pg_receivewal.sgml 16 0
doc/src/sgml/ref/pg_recvlogical.sgml 16 0
doc/src/sgml/ref/pg_restore.sgml 16 0
doc/src/sgml/ref/psql-ref.sgml 16 0
doc/src/sgml/ref/reindexdb.sgml 16 0
doc/src/sgml/ref/vacuumdb.sgml 16 0
From 418697e051b36dcdcb1a07b79717e7c81629e36a Mon Sep 17 00:00:00 2001
From: Nathan Bossart <bossartn@amazon.com>
Date: Fri, 12 Oct 2018 17:26:37 +0000
Subject: [PATCH v1 2/3] Add documentation regarding effective password length
 limits.

---
 doc/src/sgml/client-auth.sgml        | 80 ++++++++++++++++++++++++++++++++++++
 doc/src/sgml/libpq.sgml              | 10 +++++
 doc/src/sgml/ref/clusterdb.sgml      | 16 ++++++++
 doc/src/sgml/ref/createdb.sgml       | 16 ++++++++
 doc/src/sgml/ref/createuser.sgml     | 21 ++++++++++
 doc/src/sgml/ref/dropdb.sgml         | 16 ++++++++
 doc/src/sgml/ref/dropuser.sgml       | 16 ++++++++
 doc/src/sgml/ref/pg_basebackup.sgml  | 16 ++++++++
 doc/src/sgml/ref/pg_dump.sgml        | 16 ++++++++
 doc/src/sgml/ref/pg_dumpall.sgml     | 16 ++++++++
 doc/src/sgml/ref/pg_receivewal.sgml  | 16 ++++++++
 doc/src/sgml/ref/pg_recvlogical.sgml | 16 ++++++++
 doc/src/sgml/ref/pg_restore.sgml     | 16 ++++++++
 doc/src/sgml/ref/psql-ref.sgml       | 16 ++++++++
 doc/src/sgml/ref/reindexdb.sgml      | 16 ++++++++
 doc/src/sgml/ref/vacuumdb.sgml       | 16 ++++++++
 16 files changed, 319 insertions(+)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index c2114021c3..1ce581ae0a 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -994,6 +994,26 @@ omicron         bryanh                  guest1
     </varlistentry>
    </variablelist>
 
+   <note>
+    <para>
+     While <literal>md5</literal> passwords do not have a defined maximum length
+     and <literal>scram-sha-256</literal> passwords may be up to 1024 characters
+     long, many client utilities (e.g. <application>psql</application>) will
+     truncate passwords provided via prompt to 99 characters.  Longer passwords
+     may be specified using alternatives to password prompts such as the
+     <filename>.pgpass</filename> file (<xref linkend="libpq-pgpass"/>) and the
+     <envar>PGPASSWORD</envar> environment variable
+     (<xref linkend="libpq-envars"/>).
+    </para>
+    <para>
+     Furthermore, it should be noted that the server restricts password messages
+     to an effective limit of 995 characters.  While this is enough for the
+     <literal>scram-sha-256</literal> and <literal>md5</literal> authentication
+     methods, it may not be enough for passwords sent in clear-text via the
+     method <literal>password</literal>.
+    </para>
+   </note>
+
    <para>
     <productname>PostgreSQL</productname> database passwords are
     separate from operating system user passwords. The password for
@@ -1482,6 +1502,21 @@ omicron         bryanh                  guest1
     two separate connections to the LDAP server to be made.
    </para>
 
+   <note>
+    <para>
+     While PostgreSQL's LDAP authentication method does not have a defined
+     maximum password length, many client utilities (e.g.
+     <application>psql</application>) will truncate passwords provided via
+     prompt to 99 characters.  Longer passwords may be specified using
+     alternatives to password prompts such as the <filename>.pgpass</filename>
+     file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+     environment variable (<xref linkend="libpq-envars"/>).  However, it should
+     be noted that the server restricts password messages to an effective limit
+     of 995 characters, which presents an upper bound to the length of passwords
+     that will work with LDAP authentication.
+    </para>
+   </note>
+
    <para>
     The following configuration options are used in both modes:
     <variablelist>
@@ -1765,6 +1800,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
     a single value, in which case this value will apply to all servers.
    </para>
 
+   <note>
+    <para>
+     While PostgreSQL's RADIUS authentication method does not have a defined
+     maximum password length, many client utilities (e.g.
+     <application>psql</application>) will truncate passwords provided via
+     prompt to 99 characters.  Longer passwords may be specified using
+     alternatives to password prompts such as the <filename>.pgpass</filename>
+     file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+     environment variable (<xref linkend="libpq-envars"/>).  However, it should
+     be noted that the server restricts password messages to an effective limit
+     of 995 characters, which presents an upper bound to the length of passwords
+     that will work with RADIUS authentication.
+    </para>
+   </note>
+
    <para>
     The following configuration options are supported for RADIUS:
      <variablelist>
@@ -1893,6 +1943,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
     <productname>Linux-PAM</productname> Page</ulink>.
    </para>
 
+   <note>
+    <para>
+     While PostgreSQL's PAM authentication method does not have a defined
+     maximum password length, many client utilities (e.g.
+     <application>psql</application>) will truncate passwords provided via
+     prompt to 99 characters.  Longer passwords may be specified using
+     alternatives to password prompts such as the <filename>.pgpass</filename>
+     file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+     environment variable (<xref linkend="libpq-envars"/>).  However, it should
+     be noted that the server restricts password messages to an effective limit
+     of 995 characters, which presents an upper bound to the length of passwords
+     that will work with PAM authentication.
+    </para>
+   </note>
+
    <para>
     The following configuration options are supported for PAM:
     <variablelist>
@@ -1956,6 +2021,21 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
     exist, and <productname>PostgreSQL</productname> will use the default login class.
    </para>
 
+   <note>
+    <para>
+     While PostgreSQL's BSD authentication method does not have a defined
+     maximum password length, many client utilities (e.g.
+     <application>psql</application>) will truncate passwords provided via
+     prompt to 99 characters.  Longer passwords may be specified using
+     alternatives to password prompts such as the <filename>.pgpass</filename>
+     file (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+     environment variable (<xref linkend="libpq-envars"/>).  However, it should
+     be noted that the server restricts password messages to an effective limit
+     of 995 characters, which presents an upper bound to the length of passwords
+     that will work with BSD authentication.
+    </para>
+   </note>
+
    <note>
     <para>
      To use BSD Authentication, the PostgreSQL user account (that is, the
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 06d909e804..28d5c0e57c 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1102,6 +1102,16 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       <para>
        Password to be used if the server demands password authentication.
       </para>
+      <note>
+       <para>
+        The server restricts password messages to an effective limit of 995
+        characters.  While this is enough for the
+        <literal>scram-sha-256</literal> and <literal>md5</literal>
+        authentication methods, it may not be enough for passwords sent in
+        clear-text via methods such as <literal>password</literal>.  See
+        <xref linkend="client-authentication"/> for more information.
+       </para>
+      </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/clusterdb.sgml b/doc/src/sgml/ref/clusterdb.sgml
index ed343dd7da..6b41910e8c 100644
--- a/doc/src/sgml/ref/clusterdb.sgml
+++ b/doc/src/sgml/ref/clusterdb.sgml
@@ -239,6 +239,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/createdb.sgml b/doc/src/sgml/ref/createdb.sgml
index 2658efeb1a..dc995bb295 100644
--- a/doc/src/sgml/ref/createdb.sgml
+++ b/doc/src/sgml/ref/createdb.sgml
@@ -274,6 +274,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/createuser.sgml b/doc/src/sgml/ref/createuser.sgml
index 22ee99f2cc..e1db7f96e6 100644
--- a/doc/src/sgml/ref/createuser.sgml
+++ b/doc/src/sgml/ref/createuser.sgml
@@ -213,6 +213,11 @@ PostgreSQL documentation
        the password of the new user. This is not necessary if you do not plan
        on using password authentication.
        </para>
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
@@ -378,6 +383,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
    </variablelist>
diff --git a/doc/src/sgml/ref/dropdb.sgml b/doc/src/sgml/ref/dropdb.sgml
index 38f38f01ce..5e96079d0d 100644
--- a/doc/src/sgml/ref/dropdb.sgml
+++ b/doc/src/sgml/ref/dropdb.sgml
@@ -194,6 +194,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 3d4e4b37b3..8904f68119 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -198,6 +198,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
    </variablelist>
diff --git a/doc/src/sgml/ref/pg_basebackup.sgml b/doc/src/sgml/ref/pg_basebackup.sgml
index c9f6ce4bb3..d97a859b53 100644
--- a/doc/src/sgml/ref/pg_basebackup.sgml
+++ b/doc/src/sgml/ref/pg_basebackup.sgml
@@ -641,6 +641,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
     </variablelist>
diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml
index 790e81c32c..96b16824a8 100644
--- a/doc/src/sgml/ref/pg_dump.sgml
+++ b/doc/src/sgml/ref/pg_dump.sgml
@@ -1172,6 +1172,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/pg_dumpall.sgml b/doc/src/sgml/ref/pg_dumpall.sgml
index c51a130f43..b8c489ef55 100644
--- a/doc/src/sgml/ref/pg_dumpall.sgml
+++ b/doc/src/sgml/ref/pg_dumpall.sgml
@@ -623,6 +623,22 @@ PostgreSQL documentation
         to be dumped.  Usually, it's better to set up a
         <filename>~/.pgpass</filename> file than to rely on manual password entry.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/pg_receivewal.sgml b/doc/src/sgml/ref/pg_receivewal.sgml
index a18ddd4bff..55c3580f04 100644
--- a/doc/src/sgml/ref/pg_receivewal.sgml
+++ b/doc/src/sgml/ref/pg_receivewal.sgml
@@ -325,6 +325,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
     </variablelist>
diff --git a/doc/src/sgml/ref/pg_recvlogical.sgml b/doc/src/sgml/ref/pg_recvlogical.sgml
index 141c5cddce..d052db8fa8 100644
--- a/doc/src/sgml/ref/pg_recvlogical.sgml
+++ b/doc/src/sgml/ref/pg_recvlogical.sgml
@@ -356,6 +356,22 @@ PostgreSQL documentation
          In some cases it is worth typing <option>-W</option> to avoid the extra
          connection attempt.
         </para>
+
+        <note>
+         <para>
+          Passwords provided via prompt will be truncated to 99 characters.
+          Longer passwords may be specified using alternatives to password
+          prompts such as the <filename>.pgpass</filename> file
+          (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+          environment variable (<xref linkend="libpq-envars"/>).  However, it
+          should be noted that the server restricts password messages to an
+          effective limit of 995 characters.   While this is enough for the
+          <literal>scram-sha-256</literal> and <literal>md5</literal>
+          authentication methods, it may not be enough for passwords sent in
+          clear-text via methods such as <literal>password</literal>.  See
+          <xref linkend="client-authentication"/> for more information.
+         </para>
+        </note>
       </listitem>
      </varlistentry>
      </variablelist>
diff --git a/doc/src/sgml/ref/pg_restore.sgml b/doc/src/sgml/ref/pg_restore.sgml
index 725acb192c..726d53eba0 100644
--- a/doc/src/sgml/ref/pg_restore.sgml
+++ b/doc/src/sgml/ref/pg_restore.sgml
@@ -781,6 +781,22 @@
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/psql-ref.sgml b/doc/src/sgml/ref/psql-ref.sgml
index eb9d93a168..c49e925cc5 100644
--- a/doc/src/sgml/ref/psql-ref.sgml
+++ b/doc/src/sgml/ref/psql-ref.sgml
@@ -526,6 +526,22 @@ EOF
        and so it affects uses of the meta-command
        <command>\connect</command> as well as the initial connection attempt.
       </para>
+
+      <note>
+       <para>
+        Passwords provided via prompt will be truncated to 99 characters.
+        Longer passwords may be specified using alternatives to password prompts
+        such as the <filename>.pgpass</filename> file
+        (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+        environment variable (<xref linkend="libpq-envars"/>).  However, it
+        should be noted that the server restricts password messages to an
+        effective limit of 995 characters.   While this is enough for the
+        <literal>scram-sha-256</literal> and <literal>md5</literal>
+        authentication methods, it may not be enough for passwords sent in
+        clear-text via methods such as <literal>password</literal>.  See
+        <xref linkend="client-authentication"/> for more information.
+       </para>
+      </note>
       </listitem>
     </varlistentry>
 
diff --git a/doc/src/sgml/ref/reindexdb.sgml b/doc/src/sgml/ref/reindexdb.sgml
index 1273dad807..ddc1b7cd56 100644
--- a/doc/src/sgml/ref/reindexdb.sgml
+++ b/doc/src/sgml/ref/reindexdb.sgml
@@ -307,6 +307,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/vacuumdb.sgml b/doc/src/sgml/ref/vacuumdb.sgml
index 955a17a849..ca7ff34816 100644
--- a/doc/src/sgml/ref/vacuumdb.sgml
+++ b/doc/src/sgml/ref/vacuumdb.sgml
@@ -332,6 +332,22 @@ PostgreSQL documentation
         In some cases it is worth typing <option>-W</option> to avoid the extra
         connection attempt.
        </para>
+
+       <note>
+        <para>
+         Passwords provided via prompt will be truncated to 99 characters.
+         Longer passwords may be specified using alternatives to password
+         prompts such as the <filename>.pgpass</filename> file
+         (<xref linkend="libpq-pgpass"/>) and the <envar>PGPASSWORD</envar>
+         environment variable (<xref linkend="libpq-envars"/>).  However, it
+         should be noted that the server restricts password messages to an
+         effective limit of 995 characters.   While this is enough for the
+         <literal>scram-sha-256</literal> and <literal>md5</literal>
+         authentication methods, it may not be enough for passwords sent in
+         clear-text via methods such as <literal>password</literal>.  See
+         <xref linkend="client-authentication"/> for more information.
+        </para>
+       </note>
       </listitem>
      </varlistentry>
 
-- 
2.16.2