Re: md5_password_warnings for password auth with MD5-encrypted passwords

Chao Li <li.evan.chao@gmail.com>

From: Chao Li <li.evan.chao@gmail.com>
To: Fujii Masao <masao.fujii@gmail.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-06-23T02:44:16Z
Lists: pgsql-hackers

> On Jun 23, 2026, at 09:39, Fujii Masao <masao.fujii@gmail.com> wrote:
> 
> Hi,
> 
> While testing md5_password_warnings, I noticed that authentication
> with an MD5-encrypted password emits the expected warning when the HBA
> method is md5, but not when it is password.
> 
> Was this intentional, or just an oversight?
> 
> I couldn't find any discussion about this, so I put together the
> attached patch. It updates the authentication code to emit the same
> MD5 deprecation connection warning after successful password
> authentication when the stored password is MD5-encrypted.
> 
> Thoughts?
> 
> Regards,
> 
> -- 
> Fujii Masao
> <v1-0001-Warn-on-password-auth-with-MD5-encrypted-password.patch>

Given that the original warning emission was in md5_crypt_verify(), I think it might be a bit better to keep the two private helpers in crypt.c and add the warning emission in plain_crypt_verify(), because that function has already determined the password type and authentication result.

Best regards,
--
Chao Li (Evan)
HighGo Software Co., Ltd.
https://www.highgo.com/







Commits

  1. Warn on password auth with MD5-encrypted passwords