Re: md5_password_warnings for password auth with MD5-encrypted passwords
Japin Li <japinli@hotmail.com>
From: Japin Li <japinli@hotmail.com>
To: Chao Li <li.evan.chao@gmail.com>
Cc: Fujii Masao <masao.fujii@gmail.com>, PostgreSQL Hackers
<pgsql-hackers@lists.postgresql.org>
Date: 2026-06-23T03:17:31Z
Lists: pgsql-hackers
On Tue, 23 Jun 2026 at 10:44, Chao Li <li.evan.chao@gmail.com> wrote: >> On Jun 23, 2026, at 09:39, Fujii Masao <masao.fujii@gmail.com> wrote: >> >> Hi, >> >> While testing md5_password_warnings, I noticed that authentication >> with an MD5-encrypted password emits the expected warning when the HBA >> method is md5, but not when it is password. >> >> Was this intentional, or just an oversight? >> >> I couldn't find any discussion about this, so I put together the >> attached patch. It updates the authentication code to emit the same >> MD5 deprecation connection warning after successful password >> authentication when the stored password is MD5-encrypted. >> >> Thoughts? >> >> Regards, >> >> -- >> Fujii Masao >> <v1-0001-Warn-on-password-auth-with-MD5-encrypted-password.patch> > > Given that the original warning emission was in md5_crypt_verify(), I > think it might be a bit better to keep the two private helpers in > crypt.c and add the warning emission in plain_crypt_verify(), because > that function has already determined the password type and > authentication result. > +1 Placing it in plain_crypt_verify() leverages the already-determined type and result, while keeping the helpers internal to crypt.c is cleaner. > Best regards, > -- > Chao Li (Evan) > HighGo Software Co., Ltd. > https://www.highgo.com/ -- Regards, Japin Li ChengDu WenWu Information Technology Co., Ltd.
Commits
-
Warn on password auth with MD5-encrypted passwords
- e57a865dc700 19 (unreleased) landed
- f6fdc2a4a737 master landed