On Tue, Oct 29, 2019 at 4:48 AM Stephen Frost <sfrost@snowman.net> wrote: > Uh, the user's credentials certainly are sent to the PG server.
Perhaps we should log a warning when PostgreSQL has received a password over the network without SSL. Perhaps we should log another warning when PostgreSQL has sent a password over the network without SSL.
For the old plaintext "password" method, we log a warning when we parse the configuration file.
Maybe we should do the same for LDAP (and RADIUS)? This seems like a better place to put it than to log it at every time it's received?