Hi,

On Fri, Nov 14, 2025 at 12:53:41PM +0100, Daniel Gustafsson wrote:
> > On 14 Nov 2025, at 11:47, Michael Banck <[email protected]> wrote:
> > while looking through postgresql.conf on PG18, I noticed that
> > password_encryption mentions md5 as valid alternative to scram-sha-256.
> > I think it would be useful to mention md5 is deprecated so that people
> > looking at it (but have otherwise not gotten the memo) will realize and
> > hopefully act on it.
>
> No objection. I suspect the overlap between users who don't read release
> notes and users who read .conf.sample comments closely is pretty small, but
> it certainly won't hurt.
I was under the impression (and it is the case on Debian/Ubuntu at least, but
pretty sure also for the RPM-based packaging) that the content of
postgresql.conf.sample was folded into the default postgresql.conf on instance
creation via distribution tools, so I think people would generally see this
(for new instances) if they look around that part of their config files.

> -#password_encryption = scram-sha-256 # scram-sha-256 or md5
> +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5
> #scram_iterations = 4096
> #md5_password_warnings = on
>
> Maybe this should be combined with a comment on md5_password_warnings as well?

Good point, how about the attached?


Michael
From cf89ec0757cdb5a9df7488379fb97fd8feeaf2d2 Mon Sep 17 00:00:00 2001 From: Michael Banck <[email protected]> Date: Fri, 14 Nov 2025 11:38:45 +0100 Subject: [PATCH v2] Mention that md5-hashed passwords are deprecated in sample postgresql.conf. Version 18 deprecates passwords hashed with password_encryption = 'md5', but the comments for this GUC in postgresql.conf.sample did not mention this. Adding a deprecation notice here might make more people aware of this and lead them to migrate to SCRAM. While at, add a comment to the md5_password_warnings GUC mentioning the MD5 deprecation there as well. --- src/backend/utils/misc/postgresql.conf.sample | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index 08bcef50c19..5bfb0d8e297 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -94,9 +94,9 @@ # - Authentication - #authentication_timeout = 1min # 1s-600s -#password_encryption = scram-sha-256 # scram-sha-256 or md5 +#password_encryption = scram-sha-256 # scram-sha-256 or (deprecated) md5 #scram_iterations = 4096 -#md5_password_warnings = on +#md5_password_warnings = on # display md5 deprecation warnings? #oauth_validator_libraries = '' # comma-separated list of trusted validator modules # GSSAPI using Kerberos -- 2.39.5
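Review bot: the new trailing comment on `+#md5_password_warnings = on`, `# display md5 deprecation warnings?`, is phrased as a question and does not itself say that md5 is deprecated, which is the whole point of the patch; since the `(deprecated) md5` wording two lines above already establishes the status, a declarative comment that echoes it (for example `# warn about deprecated md5-hashed passwords`) would make the pair read consistently. Also worth checking in the real file (whitespace is lost in this rendering) that the lengthened `# scram-sha-256 or (deprecated) md5` comment still sits in the same comment column as `# 1s-600s` on the `#authentication_timeout` line and the `# comma-separated list ...` comment on `#oauth_validator_libraries`, since the sample file aligns these.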

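The thread is about making the deprecation of md5 password hashing visible to people who only read their postgresql.conf. As an added example that is not part of the thread or of PostgreSQL itself, the following script audits a postgresql.conf text for the two GUCs quoted above: it ignores commented-out lines (so a `#password_encryption = ...` template line is not mistaken for a setting), honours the `name = value` and `name value` forms and single-quoted values, applies the defaults shown in the sample file (scram-sha-256 and on), and reports when new passwords would be hashed with md5 or when the deprecation warnings have been switched off. The sample configuration embedded at the bottom is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Defaults as they appear in the PG18 postgresql.conf.sample lines quoted in the thread.
DEFAULTS = {"password_encryption": "scram-sha-256", "md5_password_warnings": "on"}

# Boolean spellings accepted by postgresql.conf that mean "off" (full words only here).
OFF_VALUES = {"off", "false", "no", "0"}

# A setting line: name, optional '=', then the raw remainder (value plus optional comment).
_SETTING_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=?\s*(.*)$")


def _strip_value(raw: str) -> str:
    """Return the bare value: unquote a single-quoted value, else drop a trailing comment."""
    raw = raw.strip()
    if raw.startswith("'"):
        out, i = [], 1
        while i < len(raw):
            if raw[i] == "'":
                # '' inside a quoted value is an escaped single quote
                if i + 1 < len(raw) and raw[i + 1] == "'":
                    out.append("'")
                    i += 2
                    continue
                break
            out.append(raw[i])
            i += 1
        return "".join(out)
    return raw.split("#", 1)[0].strip()


def parse_conf(text: str) -> Dict[str, str]:
    """Collect uncommented assignments; as in PostgreSQL, the last one for a name wins."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line (including commented-out defaults)
        m = _SETTING_RE.match(line)
        if not m:
            continue
        settings[m.group(1).lower()] = _strip_value(m.group(2))
    return settings


def audit_md5(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return the effective values of the two GUCs and a list of findings."""
    settings = parse_conf(text)
    effective = {name: settings.get(name, default) for name, default in DEFAULTS.items()}
    findings: List[str] = []
    if effective["password_encryption"].lower() == "md5":
        findings.append(
            "password_encryption = md5: new passwords will be stored as deprecated "
            "md5 hashes; set scram-sha-256 and re-set affected passwords"
        )
    if effective["md5_password_warnings"].lower() in OFF_VALUES:
        findings.append(
            "md5_password_warnings is off: the server will not warn about md5 passwords"
        )
    return effective, findings


# Constructed sample configuration for the demonstration (not a real server's file).
SAMPLE_CONF = """\
# - Authentication -
#password_encryption = scram-sha-256   # commented default, not an assignment
password_encryption = 'md5'            # explicit override
md5_password_warnings = off
"""

if __name__ == "__main__":
    effective, findings = audit_md5(SAMPLE_CONF)
    print("effective:", effective)
    for f in findings:
        print("FINDING:", f)
```

Note that the script only sees what the config file will do to passwords set from now on. Roles whose hashes are already md5 are recorded in pg_authid with a rolpassword beginning with `md5`, so a migration also means re-setting those passwords after switching password_encryption to scram-sha-256.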