Message-ID: <104ef218-379a-4ca5-9918-29ab68a9405b@aklaver.com>
Date: Thu, 6 Feb 2025 19:16:45 -0800
Subject: Re: Help in vetting Switch from "MD5" to "scram-sha-256" - during DB Upgrade from EC2- PGS - Community Edn ver 13.X to 15.X
From: Adrian Klaver
To: Bharani SV-forum, Greg Sabino Mullane, Ron Johnson
Cc: pgsql-general
In-Reply-To: <56243553.9616888.1738893835649@mail.yahoo.com>

On 2/6/25 18:03, Bharani SV-forum wrote:
> Adrian
> TQ for your valuable inputs.
>
> *Additional Qsn*
>
> Assume DB ver = 15.X
>
> By default encryption = scram-sha-256, Assume pg_hba.conf is quoted the
> usage as MD5 for the
> dbuserid "test_usr_1"
>
> *e.g .)*
>
> hostssl   all test_usr_1 10.20.30.40  md5
>
> i.e .)
> Assume if the respective db userid (e.g test_usr_1) is quoted for usage
> md5, in pg_hba.conf, No Need to Change, the respective *Role/Userid
> password mandatorily.* DB System will allow to use existing password
> with the old MD5 passwords still work, as long as the authentication
> method in pg_hba.conf is set to md5

Yes. It gives you time to switch the passwords to scram-sha-256 encryption after you do the migration.
In other words you can have both md5 and scram-sha-256 passwords in use without changing the pg_hba.conf lines. Once the transition to scram-sha-256 is done then you can change the lines to scram-sha-256 and that will prevent use of md5 passwords going forward.

>
> e.g.) hostssl     all         LOGS_USER_1 10.9.0.0/21    md5
>
> Is there any security problem due to usage of md5 in the pg_hba.conf
> file with underlying db =15.X ?

You are currently using it, have there been any issues?

If not then moving to Postgres 15 won't change that.

>
> I am Aware ,
> (a) *MD5 hash algorithm is nowadays no longer considered secure against
> determined attacks.*
> *(a) MD5 method cannot be used with the db_user_namespace feature.*
>

-- 
Adrian Klaver
adrian.klaver@aklaver.com
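
The transition rule described in the reply above, as an added example that is not part of the original message: it classifies stored `pg_authid.rolpassword` values and reports which roles would be locked out if an `md5` line in pg_hba.conf were changed to `scram-sha-256`. It assumes host records in CIDR form with literal role names or `all`; the function names and sample values are constructed for illustration.

```python
import re

# Stored password formats found in pg_authid.rolpassword.
MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+")

def verifier_kind(rolpassword):
    """Classify a rolpassword value as 'md5', 'scram-sha-256' or 'none'."""
    if rolpassword and MD5_RE.fullmatch(rolpassword):
        return "md5"
    if rolpassword and SCRAM_RE.fullmatch(rolpassword):
        return "scram-sha-256"
    return "none"

def exchange(method, kind):
    """Exchange a pg_hba.conf password method runs for a stored verifier kind."""
    if method not in ("md5", "scram-sha-256"):
        raise ValueError(method)
    if kind == "none":
        return "reject"
    if method == "md5":
        return kind  # an md5 line accepts both; a SCRAM verifier switches to SCRAM
    return kind if kind == "scram-sha-256" else "reject"

def parse_hba(text):
    """Yield (lineno, users, method) for host* records written with a CIDR address."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0].startswith("host"):
            yield lineno, fields[2].split(","), fields[4]

def lockouts_if_flipped(hba_text, roles):
    """Map each md5 line number to the roles rejected once it says scram-sha-256."""
    report = {}
    for lineno, users, method in parse_hba(hba_text):
        if method == "md5":
            matched = roles if "all" in users else [r for r in users if r in roles]
            report[lineno] = sorted(
                r for r in matched
                if exchange("md5", verifier_kind(roles[r])) != "reject"
                and exchange("scram-sha-256", verifier_kind(roles[r])) == "reject")
    return report

# Constructed sample data, not taken from the systems discussed in the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE USER        ADDRESS        METHOD
hostssl all      test_usr_1  10.20.30.40/32 md5
hostssl all      logs_user_1 10.9.0.0/21    md5
"""
SAMPLE_ROLES = {"test_usr_1": "md5" + "0" * 32,
                "logs_user_1": "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVk:c2VydmVy"}
```

A line whose list is empty can be changed to `scram-sha-256` without locking anyone out; roles listed for a line need their passwords set again with `password_encryption = scram-sha-256` first.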