Re: sunsetting md5 password support - Mailing list pgsql-hackers

From Greg Sabino Mullane
Subject Re: sunsetting md5 password support
Msg-id CAKAnmmK73voOLA59G9sXjRuVZgNy8nT2Cmcxk-k6EZ3s3q+wOw@mail.gmail.com
In response to sunsetting md5 password support  (Nathan Bossart <nathandbossart@gmail.com>)
List pgsql-hackers
Big +1 to the idea, but it's not going to be pretty; there is a lot of baked-in MD5 stuff around.

 
> 2.  In v19, allow upgrading with MD5 passwords and allow authenticating
>     with them, but disallow creating new ones (i.e., restrict/remove
>     password_encryption and don't allow setting pre-hashed MD5 passwords).

Certainly not remove it, that would break lots of things. Perhaps one release with a strong warning when md5 is used, that cannot be disabled, then disallow new ones?

> 3.  In v20, allow upgrading with MD5 passwords, but disallow using them for authentication.

Again, maybe a release that complains real loudly but still allows it?

> 4.  In v21, disallow upgrading with MD5 passwords.

You mean having pg_upgrade refuse to go on? Or maybe have it empty the passwords out?

Cheers,
Greg
