From: Nathan Bossart Date: Mon, 23 Feb 2026 17:22:04 +0000 (-0600) Subject: Warn upon successful MD5 password authentication. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc60ee86066520ee0f86abd3d47bb8ab9757842f;p=thirdparty%2Fpostgresql.git Warn upon successful MD5 password authentication. This uses the "connection warning" infrastructure introduced by commit 1d92e0c2cc to emit a WARNING when an MD5 password is used to authenticate. MD5 password support was marked as deprecated in v18 and will be removed in a future release of Postgres. These warnings are on by default but can be turned off via the existing md5_password_warnings parameter. Reviewed-by: Andreas Karlsson Reviewed-by: Xiangyu Liang Discussion: https://postgr.es/m/aYzeAYEbodkkg5e-%40nathan --- diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 20dbcaeb3ee..f670e2d4c31 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1188,7 +1188,8 @@ include_dir 'conf.d' Controls whether a WARNING about MD5 password - deprecation is produced when a CREATE ROLE or + deprecation is produced upon successful MD5 password authentication or + when a CREATE ROLE or ALTER ROLE statement sets an MD5-encrypted password. The default value is on. diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c index dbdd0e40f41..37ccec355c7 100644 --- a/src/backend/libpq/crypt.c +++ b/src/backend/libpq/crypt.c 
@@ -294,7 +294,24 @@ md5_crypt_verify(const char *role, const char *shadow_pass,
 }

 if (strcmp(client_pass, crypt_pwd) == 0)
+ {
 retval = STATUS_OK;
+
+ if (md5_password_warnings)
+ {
+ MemoryContext oldcontext;
+ char *warning;
+ char *detail;
+
+ oldcontext = MemoryContextSwitchTo(TopMemoryContext);
+
+ warning = pstrdup(_("authenticated with an MD5-encrypted password"));
+ detail = pstrdup(_("MD5 password support is deprecated and will be removed in a future release of PostgreSQL."));
+ StoreConnectionWarning(warning, detail);
+
+ MemoryContextSwitchTo(oldcontext);
+ }
+ }
 else
 {
 *logdetail = psprintf(_("Password does not match for user \"%s\"."),
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 0ec9aa9f4e8..a4b11673c26 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -499,6 +499,8 @@ SKIP:
 {
 skip "MD5 not supported" unless $md5_works;
 test_conn($node, 'user=md5_role', 'md5', 0,
+ expected_stderr =>
+ qr/authenticated with an MD5-encrypted password/,
 log_like =>
 [qr/connection authenticated: identity="md5_role" method=md5/]);
 }
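Review bot: In src/backend/libpq/crypt.c the warning is stored only on the `strcmp(client_pass, crypt_pwd) == 0` success branch of md5_crypt_verify, so a role whose MD5-hashed secret is checked through the cleartext `password` method (plain_crypt_verify, not visible in this diff) would presumably log in without any deprecation notice. If the warning is meant to help operators find every login that still depends on an MD5 secret, the same `if (md5_password_warnings)` block belongs on that path too, ideally through one small shared helper. Otherwise the config.sgml wording should say that only the md5 method is covered. A short comment above the context switch would also help, for example `/* warning strings must outlive authentication, so allocate them in TopMemoryContext */`; that lifetime is inferred from the switch and should be confirmed against StoreConnectionWarning. md5_crypt_verify begins and ends outside the hunk.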