Discussion: [Patch] Mention md5 is deprecated in postgresql.conf.sample
Hi,

while looking through postgresql.conf on PG18, I noticed that password_encryption mentions md5 as a valid alternative to scram-sha-256. I think it would be useful to mention that md5 is deprecated so that people looking at it (but have otherwise not gotten the memo) will realize and hopefully act on it.

Patch attached, I think it would be a candidate for being back-patched to PG18 if accepted.


Michael
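The setting under discussion, as an added example that is not part of the patch or of PostgreSQL itself: a small Python audit that parses a postgresql.conf in the sample file's own syntax (comments, optional `=`, single-quoted values), flags an explicit `password_encryption = md5` or a disabled `md5_password_warnings`, and classifies `pg_authid.rolpassword` values by their storage format so the roles still carrying md5 hashes can be listed before the method goes away. The defaults it assumes when a setting is absent from the file (scram-sha-256, warnings on) are an assumption based on the PG14+/PG18 defaults, and every sample input is constructed.

```python
"""Audit helpers for the md5 -> scram-sha-256 transition.

Added example, not part of the patch or the PostgreSQL source tree.
Assumes PG14+/PG18 defaults (password_encryption = scram-sha-256,
md5_password_warnings = on) when a setting is absent from the file.
"""
import re

# One postgresql.conf setting: name, optional '=', then either a
# single-quoted value (with '' as the escaped quote) or a bare token
# running up to whitespace or a '#' comment.
CONF_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*"
    r"(?P<value>'(?:[^']|'')*'|[^#\s]+)"
)

# pg_authid.rolpassword formats: 'md5' + 32 hex digits, or
# SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields).
MD5_HASH = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_HASH = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$"
)


def parse_postgresql_conf(text):
    """Return {name: value} for the effective (uncommented) settings.

    A commented-out line contributes nothing: the server keeps its
    compiled-in default, which is exactly why the comment text in the
    sample file is what most readers actually see.
    """
    settings = {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CONF_LINE.match(raw)
        if not m:
            continue  # malformed line; the real parser would reject the file
        value = m.group("value")
        if value.startswith("'"):
            value = value[1:-1].replace("''", "'")
        settings[m.group("name").lower()] = value
    return settings


def password_encryption_findings(settings):
    """List the password-hashing problems a reviewer would flag in a config."""
    findings = []
    enc = settings.get("password_encryption", "scram-sha-256").lower()
    if enc == "md5":
        findings.append(
            "password_encryption = md5 is deprecated; new passwords will be "
            "stored as md5 hashes instead of scram-sha-256"
        )
    elif enc != "scram-sha-256":
        findings.append(f"password_encryption = {enc!r} is not a known method")
    warn = settings.get("md5_password_warnings", "on").lower()
    if warn in ("off", "false", "no", "0"):
        findings.append(
            "md5_password_warnings = off silences the server's own "
            "deprecation warning when an md5 password is set"
        )
    return findings


def classify_rolpassword(value):
    """Classify a pg_authid.rolpassword value by its on-disk format."""
    if value is None:
        return "none"
    if MD5_HASH.match(value):
        return "md5"
    if SCRAM_HASH.match(value):
        return "scram-sha-256"
    return "unknown"


def roles_with_md5_passwords(rows):
    """rows: (rolname, rolpassword) pairs as returned by
    SELECT rolname, rolpassword FROM pg_authid; returns the roles whose
    password must be re-set before md5 support is removed."""
    return [name for name, pw in rows if classify_rolpassword(pw) == "md5"]


# Constructed sample inputs (not taken from any real server).
SAMPLE_CONF = """\
#password_encryption = scram-sha-256   # commented out: default applies
password_encryption = md5              # explicit, deprecated
md5_password_warnings = off
log_line_prefix = '%m [%p] # '         # '#' inside quotes is not a comment
"""

SAMPLE_ROLES = [
    ("postgres", "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$"
                 "c3RvcmVka2V5c3RvcmVka2V5c3RvcmVka2V5c3Q=:"
                 "c2VydmVya2V5c2VydmVya2V5c2VydmVya2V5c2U="),  # fake SCRAM verifier
    ("legacy_app", "md5" + "0123456789abcdef" * 2),  # fake 32-hex md5 hash
    ("reporting", None),                              # no password (e.g. cert auth)
]

if __name__ == "__main__":
    for finding in password_encryption_findings(parse_postgresql_conf(SAMPLE_CONF)):
        print("conf:", finding)
    print("roles still on md5:", roles_with_md5_passwords(SAMPLE_ROLES))
```

Run against a real instance by feeding `parse_postgresql_conf` the contents of the file `SHOW config_file` points at and `roles_with_md5_passwords` the rows of `SELECT rolname, rolpassword FROM pg_authid` (superuser only); the hash classifier looks only at the format prefix, so no password material is needed.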
Attachments
> On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
> while looking through postgresql.conf on PG18, I noticed that
> password_encryption mentions md5 as valid alternative to scram-sha-256.
> I think it would be useful to mention md5 is deprecated so that people
> looking at it (but have otherwise not gotten the memo) will realize and
> hopefully act on it.

No objection. I suspect the overlap between users who don't read release notes and users who read .conf.sample comments closely is pretty small, but it certainly won't hurt.

-#password_encryption = scram-sha-256 # scram-sha-256 or md5
+#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
#scram_iterations = 4096
#md5_password_warnings = on

Maybe this should be combined with a comment on md5_password_warnings as well?

--
Daniel Gustafsson
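Review bot: The `+` line marks md5 as deprecated only in the password_encryption comment, while the unchanged context line `#md5_password_warnings = on` two lines below still carries no comment at all, so a reader who lands on that GUC first gets no hint of what it warns about or why it exists. Suggest giving it a trailing comment in the same hunk, along the lines of `#md5_password_warnings = on # warn when an md5 password is set`, so the two lines tell one story and the deprecation is explained where the warning is switched off.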
Hi,

On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:
> > On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
> > while looking through postgresql.conf on PG18, I noticed that
> > password_encryption mentions md5 as valid alternative to scram-sha-256.
> > I think it would be useful to mention md5 is deprecated so that people
> > looking at it (but have otherwise not gotten the memo) will realize and
> > hopefully act on it.
>
> No objection. I suspect the overlap between users who don't read release notes
> and users who read .conf.sample comments closely is pretty small, but it
> certainly won't hurt.

I was under the impression (and it is the case on Debian/Ubuntu at least, but pretty sure also for the RPM-based packaging) that the content of postgresql.conf.sample was folded into the default postgresql.conf on instance creation via distribution tools, so I think people would generally see this (for new instances) if they look around that part of their config files.

> -#password_encryption = scram-sha-256 # scram-sha-256 or md5
> +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
> #scram_iterations = 4096
> #md5_password_warnings = on
>
> Maybe this should be combined with a comment on md5_password_warnings as well?

Good point, how about the attached?


Michael

Attachments

> On 14 Nov 2025, at 13:15, Michael Banck <mbanck@gmx.net> wrote:
> On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:
>>> On 14 Nov 2025, at 11:47, Michael Banck <mbanck@gmx.net> wrote:
>>> while looking through postgresql.conf on PG18, I noticed that
>>> password_encryption mentions md5 as valid alternative to scram-sha-256.
>>> I think it would be useful to mention md5 is deprecated so that people
>>> looking at it (but have otherwise not gotten the memo) will realize and
>>> hopefully act on it.
>>
>> No objection. I suspect the overlap between users who don't read release notes
>> and users who read .conf.sample comments closely is pretty small, but it
>> certainly won't hurt.
>
> I was under the impression (and it is the case on Debian/Ubuntu at
> least, but pretty sure also for the RPM-based packaging) that the
> content of postgresql.conf.sample was folded into the default
> postgresql.conf on instance creation via distribution tools, so I think
> people would generally see this (for new instances) if they look around
> that part of their config files.

Yes. I meant to write .conf but my fingers were faster than my brain and typed the full .conf.sample. Sorry about that.

>> -#password_encryption = scram-sha-256 # scram-sha-256 or md5
>> +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
>> #scram_iterations = 4096
>> #md5_password_warnings = on
>>
>> Maybe this should be combined with a comment on md5_password_warnings as well?
>
> Good point, how about the attached?

Something like that, yes. I'll wait for others to chime in, but unless there are objections I think we should go with something like this.

--
Daniel Gustafsson
On Fri, Nov 14, 2025 at 01:57:28PM +0100, Daniel Gustafsson wrote:
> Something like that yes. I'll wait for others to chime in but unless there are
> objections I think we should go with something like this.

Seems fine to me. I'd like to start emitting WARNINGs in ~v20 when folks log in using MD5 passwords, but until then, IMHO it's worthwhile to try alerting folks in less intrusive ways.

--
nathan

On Fri, Nov 14, 2025 at 5:48 AM Michael Banck <mbanck@gmx.net> wrote:
>
> Hi,
>
> while looking through postgresql.conf on PG18, I noticed that
> password_encryption mentions md5 as valid alternative to scram-sha-256.
> I think it would be useful to mention md5 is deprecated so that people
> looking at it (but have otherwise not gotten the memo) will realize and
> hopefully act on it.
>
> Patch attached, I think it would be a candidate for being back-patched
> to PG18 if accepted.
>

+1 to the general idea, though I think it should go the other way around (it is a small enough grammatical point I'm sure some would argue the other way around).

# password_encryption = scram-sha-256 # scram-sha-256 or md5 (deprecated)

Also +1 for backpatching. IIRC this would only show up in new clusters, but we're still pretty early on in the cycle, so it seems worth it.

Robert Treat
https://xzilla.net

Hi,

On Sat, Nov 15, 2025 at 09:37:37AM -0500, Robert Treat wrote:
> +1 to the general idea, though I think it should go the other way
> around (it is a small enough grammatical point I'm sure some would
> argue the other way around).
>
> # password_encryption = scram-sha-256 # scram-sha-256 or md5 (deprecated)

I thought about that, but then wondered whether people would think the whole thing (password_encryption) is deprecated, or maybe both scram-sha-256 and md5?

> Also +1 for backpatching. IIRC this would only show up in new
> clusters, but we're still pretty early on in the cycle, so it seems
> worth it.

Yeah.


Michael