Warn upon successful MD5 password authentication.

This uses the "connection warning" infrastructure introduced by commit 1d92e0c2cc to emit a WARNING when an MD5 password is used to authenticate. MD5 password support was marked as deprecated in v18 and will be removed in a future release of Postgres. These warnings are on by default but can be turned off via the existing md5_password_warnings parameter. Reviewed-by: Andreas Karlsson <andreas@proxel.se> Reviewed-by: Xiangyu Liang <liangxiangyu_2013@163.com> Discussion: https://postgr.es/m/aYzeAYEbodkkg5e-%40nathan
2026-04-23 07:07:22 -04:00 · 2026-02-23 11:22:04 -06:00 · 2026-02-23 11:22:04 -06:00 · bc60ee8606
commit bc60ee8606
parent 797872f6b9
3 changed files with 21 additions and 1 deletions
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@ -1188,7 +1188,8 @@ include_dir 'conf.d'
      <listitem>
       <para>
        Controls whether a <literal>WARNING</literal> about MD5 password
-        deprecation is produced when a <command>CREATE ROLE</command> or
+        deprecation is produced upon successful MD5 password authentication or
+        when a <command>CREATE ROLE</command> or
        <command>ALTER ROLE</command> statement sets an MD5-encrypted password.
        The default value is <literal>on</literal>.
       </para>
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@ -294,7 +294,24 @@ md5_crypt_verify(const char *role, const char *shadow_pass,
 	}

 	if (strcmp(client_pass, crypt_pwd) == 0)
+	{
 		retval = STATUS_OK;
+
+		if (md5_password_warnings)
+		{
+			MemoryContext oldcontext;
+			char	   *warning;
+			char	   *detail;
+
+			oldcontext = MemoryContextSwitchTo(TopMemoryContext);
+
+			warning = pstrdup(_("authenticated with an MD5-encrypted password"));
+			detail = pstrdup(_("MD5 password support is deprecated and will be removed in a future release of PostgreSQL."));
+			StoreConnectionWarning(warning, detail);
+
+			MemoryContextSwitchTo(oldcontext);
+		}
+	}
 	else
 	{
 		*logdetail = psprintf(_("Password does not match for user \"%s\"."),
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@ -499,6 +499,8 @@ SKIP:
 {
 	skip "MD5 not supported" unless $md5_works;
 	test_conn($node, 'user=md5_role', 'md5', 0,
+		expected_stderr =>
+		  qr/authenticated with an MD5-encrypted password/,
 		log_like =>
 		  [qr/connection authenticated: identity="md5_role" method=md5/]);
 }