Re: sunsetting md5 password support

From: Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>
To: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc: Nathan Bossart <nathandbossart(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: sunsetting md5 password support
Date: 2024-10-09 22:14:03
Message-ID: CAOYmi+nycvB-H-+_wUGaZYrX86QzSNEMw-NzCxZjGbjQNV4xkA@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Wed, Oct 9, 2024 at 1:44 PM Jonathan S. Katz <jkatz(at)postgresql(dot)org> wrote:
> On 10/9/24 3:55 PM, Nathan Bossart wrote:
> > 1. In v18, continue to support MD5 passwords, but place several notes in
> > the documentation and release notes that unambiguously indicate that
> > MD5 password support is deprecated and will be removed in a future
> > release.
>
> +1. Should we also add something in the logs?

I also think we should start logging warnings as soon as we agree to
deprecate MD5.

> I've mixed feelings on
> this, as this could end up leaking information about what auth methods
> are used.

Leak it to whom? The client and server both know MD5 is being used.

> > 2. In v19, allow upgrading with MD5 passwords and allow authenticating
> > with them, but disallow creating new ones (i.e., restrict/remove
> > password_encryption and don't allow setting pre-hashed MD5 passwords).
> >
> > 3. In v20, allow upgrading with MD5 passwords, but disallow using them
> > for authentication. Users would only be able to update these
> > passwords to SCRAM-SHA-256 after upgrading
>
> > 4. In v21, disallow upgrading with MD5 passwords. At this point, there
> > should be no remaining MD5 password support in Postgres.
>
> I wonder if we can compress this down into the v20 release.

I'd like an accelerated schedule for this too. Your three-step
"complain, restrict, disallow", with strict pg_upgrade failure as part
of step 3, seems right to me.

> (The larger question, which I will pose at least to think on, is how do
> we handle any future password method deprecations, e.g. say
> SCRAM-SHA-512 comes out and we want to remove SCRAM-SHA-256? Not an
> issue today, but we'd likely want to have a similar process in place).

In general I like the three-step method for the server side. The
client side needs to be considered separately, though, like Jelte
pointed out; we have wire compatibility to maintain.

(For the exact example you provided, I think we'd only need a similar
process if the -256 variant turns out to be broken. Otherwise, the
cost of maintaining -256 and -512 together is probably going to be
very close to the cost of maintaining -512 alone, thanks to the past
work generalizing the hashing code. And there may be
security/performance tradeoffs for DBAs to make.)

Thanks,
--Jacob

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Heikki Linnakangas 2024-10-09 23:11:53 Re: sunsetting md5 password support
Previous Message Marcos Pegoraro 2024-10-09 21:41:37 Re: Mathematical Functions and Operators