Re: sunsetting md5 password support

Nathan Bossart <nathandbossart@gmail.com>

From: Nathan Bossart <nathandbossart@gmail.com>
To: Greg Sabino Mullane <htamfids@gmail.com>
Cc: Jim Nasby <jnasby@upgrade.com>, Andrew Dunstan <andrew@dunslane.net>, Tom Lane <tgl@sss.pgh.pa.us>, Heikki Linnakangas <hlinnaka@iki.fi>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2024-11-20T01:55:04Z
Lists: pgsql-hackers
On Tue, Nov 19, 2024 at 07:29:27PM -0500, Greg Sabino Mullane wrote:
> I just took a fresh look at / compiled this patch, and it all works as
> advertised. My one minor nit is this hint:
> 
> HINT:  Refer to the PostgreSQL documentation for details about migrating to
> another password type.
> 
> We don't really have that in the docs, as near as I can tell, the closest
> is 20.5 which says "make all users set new passwords, and change the
> authentication method specifications in pg_hba.conf to scram-sha-256."
> Maybe that's enough?

That was my initial thinking.  I think we have a few other options:

* Expand the documentation.  Perhaps we could add a step-by-step guide for
  migrating to SCRAM-SHA-256 since more users will need to do so when MD5
  password support is removed.
* Remove the hint.  It's arguably doing little more than pointing out the
  obvious, and it doesn't actually tell users where in the documentation to
  look for this information, anyway.
* Both of the above.

WDYT?

-- 
nathan



Commits

  1. Deprecate MD5 passwords.