From db6a4a985bc09d260d5c29848e3c97f080646a53 Mon Sep 17 00:00:00 2001
From: Nathan Bossart
Date: Mon, 2 Dec 2024 13:30:07 -0600
Subject: Deprecate MD5 passwords.

MD5 has been considered to be unsuitable for use as a cryptographic
hash algorithm for some time. Furthermore, MD5 password hashes in
PostgreSQL are vulnerable to pass-the-hash attacks, i.e., knowing
the username and hashed password is sufficient to authenticate.
The SCRAM-SHA-256 method added in v10 is not subject to these
problems and is considered to be superior to MD5.

This commit marks MD5 password support in PostgreSQL as deprecated
and to be removed in a future release. The documentation now
contains several deprecation notices, and CREATE ROLE and ALTER
ROLE now emit deprecation warnings when setting MD5 passwords. The
warnings can be disabled by setting the md5_password_warnings
parameter to "off".

Reviewed-by: Greg Sabino Mullane, Jim Nasby
Discussion: https://postgr.es/m/ZwbfpJJol7lDWajL%40nathan
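The deprecation above leaves administrators with an inventory question: which roles still carry an MD5 verifier in pg_authid and need a password reset under password_encryption = 'scram-sha-256'? The following audit script is an added example for this page, not PostgreSQL project code. It assumes only the two rolpassword formats the documentation describes (an "md5" prefix followed by the hex digest of password||username, and the SCRAM-SHA-256 verifier string) and runs over constructed sample rows rather than a live catalog; the role names and the SCRAM salt/key bytes are made up.

```python
"""Audit pg_authid-style rows for MD5 password verifiers that need migration.

Added example for this commit page; not PostgreSQL project code. The
verifier formats are the ones documented for pg_authid.rolpassword:
  MD5:   "md5" + hex(md5(password || username))
  SCRAM: "SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>"
         (salt and keys base64-encoded)
The sample rows below are constructed, not dumped from a real cluster.
"""
import base64
import hashlib
import re

MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$"
)
# Default iteration count PostgreSQL uses when it builds a SCRAM-SHA-256 verifier.
SCRAM_DEFAULT_ITERATIONS = 4096


def classify_verifier(rolpassword):
    """Return (kind, details) for one rolpassword value.

    kind is one of 'none', 'md5', 'scram-sha-256' or 'unknown'. For SCRAM,
    details carries the parsed iteration count and salt length so an auditor
    can spot malformed or weakened verifiers.
    """
    if rolpassword is None:
        return "none", {}
    if MD5_RE.match(rolpassword):
        return "md5", {}
    m = SCRAM_RE.match(rolpassword)
    if m:
        try:
            salt = base64.b64decode(m.group(2), validate=True)
            stored_key = base64.b64decode(m.group(3), validate=True)
            server_key = base64.b64decode(m.group(4), validate=True)
        except ValueError:
            return "unknown", {}
        # StoredKey and ServerKey are SHA-256 / HMAC-SHA-256 outputs: 32 bytes each.
        if len(stored_key) != 32 or len(server_key) != 32:
            return "unknown", {}
        return "scram-sha-256", {"iterations": int(m.group(1)), "salt_len": len(salt)}
    return "unknown", {}


def audit_roles(rows):
    """rows: iterable of (rolname, rolcanlogin, rolpassword) as in pg_authid.

    Returns a list of (rolname, finding) tuples for roles that need attention.
    """
    findings = []
    for rolname, rolcanlogin, rolpassword in rows:
        kind, details = classify_verifier(rolpassword)
        if kind == "md5":
            findings.append((rolname,
                "MD5 verifier (deprecated): reset the password with "
                "password_encryption = 'scram-sha-256' so a SCRAM verifier is stored"))
        elif kind == "scram-sha-256" and details["iterations"] < SCRAM_DEFAULT_ITERATIONS:
            findings.append((rolname,
                f"SCRAM verifier uses only {details['iterations']} iterations"))
        elif kind == "unknown":
            findings.append((rolname, "unrecognised rolpassword format"))
        elif kind == "none" and rolcanlogin:
            findings.append((rolname,
                "login role with no password verifier (relies on non-password auth)"))
    return findings


# Constructed sample rows (not from a real cluster). The md5 value reuses the
# documentation's own example: user "joe" with password "xyzzy" stores
# md5(xyzzyjoe). The SCRAM value uses dummy salt/keys of the right sizes.
SAMPLE_ROWS = [
    ("joe", True, "md5" + hashlib.md5(b"xyzzyjoe").hexdigest()),
    ("alice", True,
     "SCRAM-SHA-256$4096:" + base64.b64encode(bytes(16)).decode()
     + "$" + base64.b64encode(bytes(32)).decode()
     + ":" + base64.b64encode(bytes(32)).decode()),
    ("reporting", False, None),
    ("svc", True, None),
]

if __name__ == "__main__":
    for rolname, finding in audit_roles(SAMPLE_ROWS):
        print(f"{rolname}: {finding}")
```

On a real cluster the rows would come from `SELECT rolname, rolcanlogin, rolpassword FROM pg_authid`, which requires superuser access; the script deliberately never recomputes or checks a verifier against a password, it only reports which roles still depend on the deprecated format.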
---
doc/src/sgml/catalogs.sgml | 9 +++++++++
doc/src/sgml/client-auth.sgml | 17 +++++++++++++++++
doc/src/sgml/config.sgml | 24 ++++++++++++++++++++++++
doc/src/sgml/libpq.sgml | 9 +++++++++
doc/src/sgml/protocol.sgml | 8 ++++++++
doc/src/sgml/ref/create_role.sgml | 8 ++++++++
doc/src/sgml/runtime.sgml | 10 ++++++++++
7 files changed, 85 insertions(+)
(limited to 'doc/src')
diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 59bb833f48d..bf3cee08a93 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1618,6 +1618,15 @@
will store the md5 hash of xyzzyjoe.
+
+
+ Support for MD5-encrypted passwords is deprecated and will be removed in a
+ future release of PostgreSQL. Refer to
+ for details about migrating to another
+ password type.
+
+
+
If the password is encrypted with SCRAM-SHA-256, it has the format:
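Review bot: the pg_authid note should say that an existing md5 verifier cannot be converted in place, because the stored value is a hash of password||username and SCRAM needs the cleartext to derive its keys; as written, "migrating to another password type" reads as if a setting change were enough. Suggest adding a sentence such as "Migrating a role requires setting its password again after password_encryption has been set to scram-sha-256."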
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 51343de7cad..782b49c85ac 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -531,6 +531,15 @@ include_dir directory
user's password. See
for details.
+
+
+ Support for MD5-encrypted passwords is deprecated and will be
+ removed in a future release of
+ PostgreSQL. Refer to
+ for details about migrating to
+ another password type.
+
+
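Review bot: the terminology in this note ("MD5-encrypted passwords") differs from the surrounding client-auth text, which talks about the md5 authentication method and, a few lines up, about how the server hashes the user's password; readers may not realise the deprecation covers both the stored verifier format and the md5 method in pg_hba.conf. Suggest stating both explicitly here, e.g. "Both MD5-encrypted passwords and the md5 authentication method are deprecated".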
@@ -1260,6 +1269,14 @@ omicron bryanh guest1
server is encrypted for SCRAM (see below), then SCRAM-based
authentication will automatically be chosen instead.
+
+
+
+ Support for MD5-encrypted passwords is deprecated and will be removed
+ in a future release of PostgreSQL. Refer to
+ the text below for details about migrating to another password type.
+
+
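Review bot: "Refer to the text below for details about migrating" is the only one of the new notes that relies on positional wording instead of a cross-reference, and it will silently become wrong if the migration paragraph is later moved or split. Suggest pointing at the migration paragraph with the same xref the other hunks use, or giving that paragraph an id and linking to it.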
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 76ab72db964..e0c8325a39c 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1124,6 +1124,14 @@ include_dir 'conf.d'
mechanism, and hence not work with passwords encrypted with
SCRAM-SHA-256. See for more details.
+
+
+ Support for MD5-encrypted passwords is deprecated and will be removed
+ in a future release of PostgreSQL. Refer
+ to for details about migrating to
+ another password type.
+
+
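Review bot: this note sits under password_encryption, which is the setting that actually decides whether a new md5 verifier is produced, yet it does not say so. Suggest adding that setting password_encryption to md5 is what causes CREATE ROLE / ALTER ROLE to store the deprecated format (and, with the new GUC, to emit the warning), and cross-linking to md5_password_warnings so the two parameters are documented together.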
@@ -7913,6 +7921,22 @@ log_line_prefix = '%m [%p] %q%u@%d/%a '
+
+ md5_password_warnings (boolean)
+
+ md5_password_warnings configuration parameter
+
+
+
+
+ Controls whether a WARNING about MD5 password
+ deprecation is produced when a CREATE ROLE or
+ ALTER ROLE statement sets an MD5-encrypted password.
+ The default value is on.
+
+
+
+
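Review bot: the md5_password_warnings description does not say whether the warning also fires when the password literal is already an md5 string (the pre-hashed form that pg_dumpall emits and that create_role.sgml documents), which is the case most likely to produce a flood of warnings during restore. Suggest one sentence clarifying that, plus a note that turning the parameter off is intended as a transitional measure rather than a way to keep using MD5.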
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index bfefb1289e8..01f259fd0dc 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1341,6 +1341,15 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
The server must request MD5 hashed password authentication.
+
+
+ Support for MD5-encrypted passwords is deprecated and will be
+ removed in a future release of
+ PostgreSQL. Refer to
+ for details about migrating to
+ another password type.
+
+
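Review bot: the wording just above ("MD5 hashed password authentication") and the new note ("MD5-encrypted passwords") use different terms for the same thing; for the client-side libpq reader the more useful statement is that a connection option pinning MD5 will stop working once support is removed. Suggest replacing "migrating to another password type" here with advice to request scram-sha-256 instead, and aligning the terminology with the existing sentence.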
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index cff0c4099e9..fb5dec1172e 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -312,6 +312,14 @@
(Keep in mind the md5() function returns its
result as a hex string.)
+
+
+ Support for MD5-encrypted passwords is deprecated and will be removed
+ in a future release of PostgreSQL. Refer
+ to for details about migrating to
+ another password type.
+
+
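Review bot: in the protocol chapter the audience is driver and client authors, and the advice about "migrating to another password type" is server-admin advice that does not apply to them. Suggest rewording this note to say that the AuthenticationMD5Password exchange is deprecated and that clients should implement SASL authentication with SCRAM-SHA-256, which is described elsewhere in the same chapter.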
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index f72ba9affc2..cee23b1ea6b 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -273,6 +273,14 @@ in sync when changing the above synopsis!
different format). This allows reloading of encrypted passwords
during dump/restore.
+
+
+ Support for MD5-encrypted passwords is deprecated and will be removed
+ in a future release of PostgreSQL. Refer
+ to for details about migrating to
+ another password type.
+
+
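Review bot: the paragraph this note is attached to is about reloading already-encrypted passwords during dump/restore, so the obvious question is whether restoring a dump that contains md5 strings now produces a deprecation warning per role; the note does not answer it. Suggest stating that such restores emit the warning and pointing at md5_password_warnings as the way to silence it during a migration window.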
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index bcd81e24158..94135e9d5ee 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2053,6 +2053,16 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
is an Internet standard and is more secure than the PostgreSQL-specific
MD5 authentication protocol.
+
+
+
+ Support for MD5-encrypted passwords is deprecated and will be removed in
+ a future release of PostgreSQL. Refer to
+ for details about migrating to another
+ password type.
+
+
+
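Review bot: this upgrade-oriented section is the natural place for the ordering of a migration, which none of the notes spell out. Since the client-auth hunk already states that a pg_hba.conf entry using md5 automatically falls back to SCRAM when the stored verifier is SCRAM, suggest adding that administrators can reset passwords first and switch pg_hba.conf from md5 to scram-sha-256 only after every role has a SCRAM verifier, avoiding any window in which logins fail.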