On Wed, Jul 9, 2025 at 10:59 AM Greg Sabino Mullane <htamf...@gmail.com>
wrote:

> On Wed, Jul 9, 2025 at 9:57 AM Alpaslan AKDAĞ <alpaslanak...@gmail.com>
> wrote:
>
>> Is it expected behavior that users created with scram-sha-256 passwords
>> can still connect via md5 in pg_hba.conf?
>
>
> Yes. From the docs:
>
>> To ease transition from the md5 method to the newer SCRAM method, if md5 is
>> specified as a method in pg_hba.conf but the user's password on the
>> server is encrypted for SCRAM (see below), then SCRAM-based authentication
>> will automatically be chosen instead.
>
>
> You can think of "md5" inside pg_hba.conf as "md5 or better"
>
> As a result, some users are able to connect, while others cannot.
>
>
> Can you expand on this? Nothing you have done should be preventing logins,
> as far as I can tell.
>
> Best solution: Upgrade everyone to scram, then change md5 to scram in
> pg_hba.conf and never look back.
>

That requires setting the password to null and then recreating the
password, no?  Otherwise IIRC, changing an md5 password leaves the new
password also in md5 format.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!

Reply via email to