Re: sunsetting md5 password support

From: Heikki Linnakangas <hlinnaka(at)iki(dot)fi>
To: Bruce Momjian <bruce(at)momjian(dot)us>, Jelte Fennema-Nio <postgres(at)jeltef(dot)nl>
Cc: Nathan Bossart <nathandbossart(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: sunsetting md5 password support
Date: 2024-10-10 21:45:19
Message-ID: a5d2e990-f183-418f-92e4-4521bf38833c@iki.fi
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On 11/10/2024 00:03, Bruce Momjian wrote:
> On Wed, Oct 9, 2024 at 10:30:15PM +0200, Jelte Fennema-Nio wrote:
>> On Wed, 9 Oct 2024 at 21:55, Nathan Bossart <nathandbossart(at)gmail(dot)com> wrote:
>>> In this message, I propose a multi-year, incremental approach to remove MD5
>>> password support from Postgres.
>>
>> +many for the general idea
>>
>> I think it makes sense to also remove the "password" authentication
>> option while we're at it (this can currently be used with SCRAM stored
>> passwords).
>
> I remember "password" as being recommended for SSL connections where
> there is no risk of the password contents being seen.

I wouldn't recommend it if SCRAM is available, but yeah, with TLS and
sslmode=verify-full, it's secure enough.

Note that some authentication methods like LDAP and Radius use
"password" authentication on the wire.

--
Heikki Linnakangas
Neon (https://neon.tech)

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Jelte Fennema-Nio 2024-10-10 21:59:10 Re: sunsetting md5 password support
Previous Message Heikki Linnakangas 2024-10-10 21:21:12 Speed up TransactionIdIsCurrentTransactionId() with lots of subxacts