Re: md5_password_warnings for password auth with MD5-encrypted passwords

Japin Li <japinli@hotmail.com>

From: Japin Li <japinli@hotmail.com>
To: Chao Li <li.evan.chao@gmail.com>
Cc: Fujii Masao <masao.fujii@gmail.com>, PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2026-06-23T03:17:31Z
Lists: pgsql-hackers
On Tue, 23 Jun 2026 at 10:44, Chao Li <li.evan.chao@gmail.com> wrote:
>> On Jun 23, 2026, at 09:39, Fujii Masao <masao.fujii@gmail.com> wrote:
>> 
>> Hi,
>> 
>> While testing md5_password_warnings, I noticed that authentication
>> with an MD5-encrypted password emits the expected warning when the HBA
>> method is md5, but not when it is password.
>> 
>> Was this intentional, or just an oversight?
>> 
>> I couldn't find any discussion about this, so I put together the
>> attached patch. It updates the authentication code to emit the same
>> MD5 deprecation connection warning after successful password
>> authentication when the stored password is MD5-encrypted.
>> 
>> Thoughts?
>> 
>> Regards,
>> 
>> -- 
>> Fujii Masao
>> <v1-0001-Warn-on-password-auth-with-MD5-encrypted-password.patch>
>
> Given that the original warning emission was in md5_crypt_verify(), I
> think it might be a bit better to keep the two private helpers in
> crypt.c and add the warning emission in plain_crypt_verify(), because
> that function has already determined the password type and
> authentication result.
>
+1

Placing it in plain_crypt_verify() leverages the already-determined type and
result, while keeping the helpers internal to crypt.c is cleaner.

> Best regards,
> --
> Chao Li (Evan)
> HighGo Software Co., Ltd.
> https://www.highgo.com/

-- 
Regards,
Japin Li
ChengDu WenWu Information Technology Co., Ltd.



Commits

  1. Warn on password auth with MD5-encrypted passwords