Re: sunsetting md5 password support
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Jim Nasby <jnasby@upgrade.com>
Cc: Greg Sabino Mullane <htamfids@gmail.com>,
Nathan Bossart <nathandbossart@gmail.com>,
Andrew Dunstan <andrew@dunslane.net>,
Heikki Linnakangas <hlinnaka@iki.fi>,
pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-10-28T21:24:02Z
Lists: pgsql-hackers
Jim Nasby <jnasby@upgrade.com> writes: > Patch itself looks good, but it does leave me wondering if cleartext should also be deprecated? Not much point unless we also deprecate all of the other auth methods that require cleartext password transmission, which from a quick scan include PAM, BSD, LDAP, and RADIUS. Seems unlikely to fly. In any case, I don't think this is about password security per se. It's more about deprecating a method that might look like it's secure but isn't. In the case of the cleartext-password methods, it's obvious that you'd better use SSL or GSS encryption if you want your password hidden from network tapping. I don't recall how in-your-face we are about that point, but certainly the docs need to be up front about it, and probably make the point explicitly with respect to the four methods listed above. regards, tom lane
Commits
-
Deprecate MD5 passwords.
- db6a4a985bc0 18.0 landed