Re: sunsetting md5 password support
Jesper Pedersen <jesper.pedersen@comcast.net>
From: Jesper Pedersen <jesper.pedersen@comcast.net>
To: Heikki Linnakangas <hlinnaka@iki.fi>, Bruce Momjian <bruce@momjian.us>,
Jelte Fennema-Nio <postgres@jeltef.nl>
Cc: Nathan Bossart <nathandbossart@gmail.com>, pgsql-hackers@postgresql.org
Date: 2024-10-10T22:00:20Z
Lists: pgsql-hackers
On 10/10/24 5:45 PM, Heikki Linnakangas wrote: > On 11/10/2024 00:03, Bruce Momjian wrote: >> On Wed, Oct 9, 2024 at 10:30:15PM +0200, Jelte Fennema-Nio wrote: >>> On Wed, 9 Oct 2024 at 21:55, Nathan Bossart >>> <nathandbossart@gmail.com> wrote: >>>> In this message, I propose a multi-year, incremental approach to >>>> remove MD5 >>>> password support from Postgres. >>> >>> +many for the general idea >>> >>> I think it makes sense to also remove the "password" authentication >>> option while we're at it (this can currently be used with SCRAM stored >>> passwords). >> >> I remember "password" as being recommended for SSL connections where >> there is no risk of the password contents being seen. > > I wouldn't recommend it if SCRAM is available, but yeah, with TLS and > sslmode=verify-full, it's secure enough. > > Note that some authentication methods like LDAP and Radius use > "password" authentication on the wire. > Please, deprecate - aka remove - old methods. All client libraries have caught up, and if they havn't then it their issue not Core. +1. Best regards, Jesper
Commits
-
Deprecate MD5 passwords.
- db6a4a985bc0 18.0 landed