Re: Help in vetting Switch from "MD5" to "scram-sha-256" - during DB Upgrade from EC2- PGS - Community Edn ver 13.X to 15.X

On 2/6/25 18:03, Bharani SV-forum wrote:
> Adrian
> TQ for your valuable input's.
>
> *Additional Qsn*
>
> Assume  DB ver = 15.X
>
> By default encryption = scram-sha-256, Assume pg_hba.conf is quoted the
> usage as MD5 for the
>  dbuserid "test_usr_1"
>
> *e.g .)*
> *
> *
> hostssl   all test_usr_1 10.20.30.40  md5
>
> i.e .)
> Assume if the respective db userid (e.g test_usr_1) is quoted for usage
> md5,  in pg_hba.conf, No Need to Change, the respective *Role/Userid
> password mandatorily.* DB System will allow to use existing password
> with the old MD5 passwords still work, as long as the authentication
> method in pg_hba.conf is set to md5

Yes.

It gives you time to switch the passwords to scram-sha-256 encryption
after you do the migration. In other words you can have both md5 and
scram-sha-256 passwords in use without changing the pg_hba.conf lines.
Once the transition to scram-sha-256 is done then you can change the
lines to scram-sha-256 and that will prevent use of m5 passwords going
forward.

>
> e.g.) hostssl     all         LOGS_USER_1 10.9.0.0/21    md5
>
> Is their,  any security problem due to usage of md5 in the pg_hba.conf
> file  with underlying db =15.X ?

You are currently using it, have there been any issues?

If not then moving to Postgres 15 won't change that.

>
> I am Aware ,
> (a) *MD5 hash algorithm is nowadays no longer considered secure against
> determined attacks.*
> *(a)  MD5 method cannot be used with the db_user_namespace feature.
> *
>
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com