From a related discussion last year [0]:

On Tue, Jun 03, 2025 at 12:09:50PM -0500, Nathan Bossart wrote:
> On Tue, Jun 03, 2025 at 09:43:59AM -0500, Nathan Bossart wrote:
>> On Tue, Jun 03, 2025 at 10:34:06AM -0400, Tom Lane wrote:
>>> If we really want to be in people's face about this, the thing
>>> to do is to print a warning every time they log in with an MD5
>>> password. Also, to Michael's point, that really would be exactly
>>> the same place where the eventual "sorry, not supported anymore"
>>> message will be.
>>
>> I held off on this because I was worried it might be far too noisy. That
>> does seem like it has the best chance of getting folks' attention, though.
>> If it's too noisy, users can always turn off the warnings.
>
> Here is a draft-grade patch that adds a WARNING upon successful
> authentication with an MD5 password. It's a little hacky because AFAICT we
> need to wait until well after authentication (for GUCs to be set up, etc.)
> before we actually emit the WARNING. When the time comes to remove MD5
> password support completely, we'll need to do something like modify
> CheckMD5Auth() to always return STATUS_ERROR with an appropriate logdetail
> message.
Since I just added a "connection warnings" infrastructure in commit 1d92e0c2cc, I thought it might be a good time to revisit this idea. Attached is an updated patch. I'm not sure this is v19 material. It could make sense to wait until v20 or something. But I figured it was worth at least having the discussion.

[0] https://postgr.es/m/aD8sXgfJeIGLc7-t%40nathan

-- 
nathan
>From 5a80bd6f98c7f83dc9e1fef56c71be2f5570ba29 Mon Sep 17 00:00:00 2001 From: Nathan Bossart <[email protected]> Date: Wed, 11 Feb 2026 11:56:15 -0600 Subject: [PATCH v1 1/1] Add warning upon successful MD5 password authentication. --- doc/src/sgml/config.sgml | 7 ++++--- src/backend/libpq/crypt.c | 17 +++++++++++++++++ src/test/authentication/t/001_password.pl | 7 ++++--- 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 6bc2690ce07..a1f3ca65ed2 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1188,9 +1188,10 @@ include_dir 'conf.d' <listitem> <para> Controls whether a <literal>WARNING</literal> about MD5 password - deprecation is produced when a <command>CREATE ROLE</command> or - <command>ALTER ROLE</command> statement sets an MD5-encrypted password. - The default value is <literal>on</literal>. + deprecation is produced upon successful MD5 password authentication or + when a <command>CREATE ROLE</command> or <command>ALTER ROLE</command> + statement sets an MD5-encrypted password. The default value is + <literal>on</literal>. </para> </listitem> </varlistentry> diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c index dbdd0e40f41..37ccec355c7 100644 --- a/src/backend/libpq/crypt.c +++ b/src/backend/libpq/crypt.c 
@@ -294,7 +294,24 @@ md5_crypt_verify(const char *role, const char *shadow_pass, } if (strcmp(client_pass, crypt_pwd) == 0) + { retval = STATUS_OK; + + if (md5_password_warnings) + { + MemoryContext oldcontext; + char *warning; + char *detail; + + oldcontext = MemoryContextSwitchTo(TopMemoryContext); + + warning = pstrdup(_("authenticated with an MD5-encrypted password")); + detail = pstrdup(_("MD5 password support is deprecated and will be removed in a future release of PostgreSQL.")); + StoreConnectionWarning(warning, detail); + + MemoryContextSwitchTo(oldcontext); + } + } else { *logdetail = psprintf(_("Password does not match for user \"%s\"."), diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl index 0ec9aa9f4e8..45f9f3504f7 100644 --- a/src/test/authentication/t/001_password.pl +++ b/src/test/authentication/t/001_password.pl @@ -498,9 +498,10 @@ test_conn($node, 'user=scram_role', 'md5', 0, SKIP: { skip "MD5 not supported" unless $md5_works; - test_conn($node, 'user=md5_role', 'md5', 0, - log_like => - [qr/connection authenticated: identity="md5_role" method=md5/]); + my @test_params = (); + push @test_params, log_like => [qr/connection authenticated: identity="md5_role" method=md5/]; + push @test_params, expected_stderr => qr/authenticated with an MD5-encrypted password/; + test_conn($node, 'user=md5_role', 'md5', 0, @test_params); } # require_auth succeeds with SCRAM required. -- 2.50.1 (Apple Git-155)
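Review bot: the config.sgml hunk does not say at what point the setting is consulted for the new authentication-time warning. Since the check happens inside md5_crypt_verify(), i.e. during authentication, and the quoted mail above notes that GUCs are not fully set up until well after authentication, it looks like only the server-wide value (postgresql.conf / ALTER SYSTEM) can suppress that warning, while the CREATE ROLE / ALTER ROLE warning can also be turned off per role or per session. If that is the case, the paragraph should state it, e.g. "For the authentication-time warning, only the server-wide setting is consulted."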
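Review bot: the crypt.c hunk pstrdup()s both strings in TopMemoryContext and then hands them to StoreConnectionWarning() without a comment explaining the ownership contract. If StoreConnectionWarning() copies its arguments, these two allocations are never freed for the life of the backend; if it takes ownership, a one-line comment above the MemoryContextSwitchTo() saying so (and why TopMemoryContext is required, presumably because the warning is emitted after the authentication-time context is reset) would save the next reader the trip into the connection-warnings code. Either way, the mechanism also means _() is evaluated here with the server's message locale rather than any per-session setting, which may be worth noting in the same comment.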
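Review bot: the 001_password.pl hunk only checks the positive case; nothing verifies that the warning is absent when md5_password_warnings is off, or that a SCRAM login does not trigger it. A second test_conn() after setting the GUC to off (with expected_stderr asserting the message does not appear, if the helper supports a negative match) would catch a regression where the flag check is dropped. As a style point, the temporary @test_params array with two push calls can be folded into the call itself:
test_conn($node, 'user=md5_role', 'md5', 0,
log_like => [qr/connection authenticated: identity="md5_role" method=md5/],
expected_stderr => qr/authenticated with an MD5-encrypted password/);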
