At 2026-02-12 03:52:33, "Nathan Bossart" <[email protected]> wrote: >From a related discussion last year [0]: > >On Tue, Jun 03, 2025 at 12:09:50PM -0500, Nathan Bossart wrote: >> On Tue, Jun 03, 2025 at 09:43:59AM -0500, Nathan Bossart wrote: >>> On Tue, Jun 03, 2025 at 10:34:06AM -0400, Tom Lane wrote: >>>> If we really want to be in peoples' face about this, the thing >>>> to do is to print a warning every time they log in with an MD5 >>>> password. Also, to Michael's point, that really would be exactly >>>> the same place where the eventual "sorry, not supported anymore" >>>> message will be. >>> >>> I held off on this because I was worried it might be far too noisy. That >>> does seem like it has the best chance of getting folks' attention, though. >>> If it's too noisy, users can always turn off the warnings. >> >> Here is a draft-grade patch that adds a WARNING upon successful >> authentication with an MD5 password. It's a little hacky because AFAICT we >> need to wait until well after authentication (for GUCs to be set up, etc.) >> before we actually emit the WARNING. When the time comes to remove MD5 >> password support completely, we'll need to do something like modify >> CheckMD5Auth() to always return STATUS_ERROR with an appropriate logdetail >> message. > >Since I just added a "connection warnings" infrastructure in commit >1d92e0c2cc, I thought it might be a good time to revisit this idea. >Attached is an updated patch. I'm not sure this is v19 material. It could >make sense to wait until v20 or something. But I figured it was worth at >least having the discussion. > >[0] https://postgr.es/m/aD8sXgfJeIGLc7-t%40nathan > >--
>nathan This looks like a solid patch. I’ve taken a look and don’t have any comments. I applied it locally and the build went through without any issues. I also ran the new TAP test case, and everything looks good on my side. Regards, Xiangyu Liang
