Re: sunsetting md5 password support

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Nathan Bossart <nathandbossart(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: sunsetting md5 password support
Date: 2024-10-09 23:11:53
Message-ID: 7e9e3d30-f7f4-460f-a626-6cfad419d6cd@iki.fi
Lists: pgsql-hackers

On 09/10/2024 22:55, Nathan Bossart wrote:
> In this message, I propose a multi-year, incremental approach to remove MD5
> password support from Postgres.

+1

> 2. In v19, allow upgrading with MD5 passwords and allow authenticating
> with them, but disallow creating new ones (i.e., restrict/remove
> password_encryption and don't allow setting pre-hashed MD5 passwords).

This is a bit of a weird state. What exactly is "upgrading"? I guess you mean
pg_upgrade, but lots of people use pg_dump & restore or logical
replication or something else entirely for upgrading. That's
indistinguishable from setting a pre-hashed MD5 password.

I think it's bad if you cannot pg_dump & restore your database.

> 3. In v20, allow upgrading with MD5 passwords, but disallow using them
> for authentication. Users would only be able to update these
> passwords to SCRAM-SHA-256 after upgrading.

This step makes more sense. Notably, if we disallow using the passwords
for authentication, there would be little harm in still allowing them to
be dumped & restored.

It seems pointless though. What's the point of "upgrading" with the MD5
passwords, if you can't use them? You might as well set all the MD5
passwords to null.

My feeling is that it would be less confusing to users to just disallow
md5 passwords in one release. I'm not sure these intermediate steps are
really doing anyone any favors.

--
Heikki Linnakangas
Neon (https://neon.tech)
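An added example, not part of Heikki's message or of PostgreSQL's own code: it scans a constructed pg_dumpall-style roles dump and flags the roles whose stored password is an MD5 hash, which is exactly what a dump & restore would reinstate as a pre-hashed MD5 password. The role names, hash values and the simplified ALTER ROLE lines are constructed sample input; the live-catalog query mentioned in the comment assumes superuser access to pg_authid.

```python
import re

# Constructed sample of the role statements pg_dumpall emits (simplified, not
# real output). A stored MD5 password is the literal prefix "md5" followed by
# 32 hex digits (md5(password || username)); a SCRAM verifier begins with
# "SCRAM-SHA-256$". The hash values below are made up.
SAMPLE_DUMP = """\
CREATE ROLE alice;
ALTER ROLE alice WITH LOGIN PASSWORD 'md5a4f1b1c2d3e4f5a6b7c8d9e0f1a2b3c4';
CREATE ROLE bob;
ALTER ROLE bob WITH LOGIN PASSWORD 'SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy';
CREATE ROLE carol;
ALTER ROLE carol WITH NOLOGIN;
"""

# One ALTER ROLE ... PASSWORD '...' statement per line, as pg_dumpall writes them.
ROLE_PASSWORD_RE = re.compile(r"^ALTER ROLE (\S+) WITH .*?PASSWORD '([^']*)';", re.M)
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")


def classify_hash(value):
    """Return 'md5', 'scram-sha-256' or 'other' for a stored password value."""
    if MD5_RE.match(value):
        return "md5"
    if value.startswith("SCRAM-SHA-256$"):
        return "scram-sha-256"
    return "other"


def audit_roles(dump_text):
    """Map every role that carries a password in the dump to its hash type."""
    return {role: classify_hash(pw) for role, pw in ROLE_PASSWORD_RE.findall(dump_text)}


def md5_roles(dump_text):
    """Roles a restore would recreate with an MD5 hash; these need a password
    reset under password_encryption = 'scram-sha-256' before the release that
    stops accepting MD5 for authentication. On a live server the equivalent
    check is: SELECT rolname FROM pg_authid WHERE rolpassword LIKE 'md5%';"""
    return sorted(r for r, kind in audit_roles(dump_text).items() if kind == "md5")


if __name__ == "__main__":
    for role in md5_roles(SAMPLE_DUMP):
        print(f"{role}: still MD5, reset with ALTER ROLE {role} PASSWORD '...'")
```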
