Re: sunsetting md5 password support

Nathan Bossart <nathandbossart@gmail.com>

From: Nathan Bossart <nathandbossart@gmail.com>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Heikki Linnakangas <hlinnaka@iki.fi>, pgsql-hackers@postgresql.org
Date: 2024-10-16T15:30:11Z
Lists: pgsql-hackers

Attachments

On Fri, Oct 11, 2024 at 04:36:27PM -0500, Nathan Bossart wrote:
> Here is a first attempt at a patch for marking MD5 passwords as deprecated.
> It's quite bare-bones at the moment, so I anticipate future revisions will
> add more content.  Besides sprinkling several deprecation notices
> throughout the documentation, this patch teaches CREATE ROLE and ALTER ROLE
> to emit warnings when setting MD5 passwords.  A new GUC named
> md5_password_warnings can be set to "off" to disable these warnings.  I
> considered adding even more warnings (e.g., when authenticating), but I
> felt that would be far too noisy.

In v2, I've added an entry for the new md5_password_warnings GUC to the
documentation, and I've simplified the passwordcheck test changes a bit.

-- 
nathan

Commits

  1. Deprecate MD5 passwords.