Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uZVIR-004RKC-3E
	for pgsql-general@arkaria.postgresql.org; Wed, 09 Jul 2025 13:57:15 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1uZVIO-00GxZW-IC
	for pgsql-general@arkaria.postgresql.org; Wed, 09 Jul 2025 13:57:13 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <alpaslanakdag@gmail.com>)
	id 1uZVIO-00GxZO-6p
	for pgsql-general@lists.postgresql.org; Wed, 09 Jul 2025 13:57:12 +0000
Received: from mail-qk1-x732.google.com ([2607:f8b0:4864:20::732])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <alpaslanakdag@gmail.com>)
	id 1uZVIN-006PJO-06
	for pgsql-general@lists.postgresql.org;
	Wed, 09 Jul 2025 13:57:11 +0000
Received: by mail-qk1-x732.google.com with SMTP id af79cd13be357-7d3f5796755so535606385a.1
        for <pgsql-general@lists.postgresql.org>; Wed, 09 Jul 2025 06:57:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1752069429; x=1752674229; darn=lists.postgresql.org;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=RIDZZaZWT0afuFTrP092L6v/mSt8/AKUJZldT3i3AD8=;
        b=gC0hbm3NSBCNUm1oChXuB6eAUVpRAeXbolqmt6bneOHxIr+VwjC48rjaHdVInChzDR
         Nmau0zTwhDdVLwn0hfX78gRQVn1XN0r0EUxFL1kWCZ1aPz2QQgIW7X/x009U/MWkG+kl
         6g+7m4T0Ld837OIEX61FW+p9GMCyrJFVzuvoeUEEbLPdtCHS/sS9pAZcpDlbPDnQNt9+
         dZ9ZkkcqwpkLUHA5XhNbg4UyCCsAIy0zoYbbRN7su73gKaB/xM6uNGCx7XAVmqW7o1Jb
         /WbgjsH5Vq63ZOqgXfA2jIZ8ynyd21Uu18jvhu/MxlOYIJFlyWsPaMhXSo33AsY+kpi4
         uzmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752069429; x=1752674229;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=RIDZZaZWT0afuFTrP092L6v/mSt8/AKUJZldT3i3AD8=;
        b=KZ6uB/qv2S7AFD7aWS8NwLCkrs98o31Hy6uGLCVd3JM2KPOKTdK5IKLYfqvAKpte0+
         2NIqQeAbnbgAzmqXl4QwMJKgJYWTTO4Xclb0F/TX8hpXZU9bpnMIGNcIyKv5+nax7XEl
         KBF26TiUGkCfqpy+nbSkvBXn6Qr44XVQv4uewoDdDxgDNhsy/NbSh+LpyM9GF0RsLcch
         NPIN0OHi5kUCntBpS85zlrH80icJPqLdw/iEMqKTxz2aJfK3ZzjTVKtLFwMa9HE/RJnJ
         3UZp9UqlN8pC016rt5BwuEMV8JYgWnMi2Ah9UoQhcUJlWKmaaOvzOKLVt4B/Fl+2MHgJ
         jWOQ==
X-Gm-Message-State: AOJu0Yx/1iadllCle/W11lYRmTIv5HlceGGm4fPe68KW+APuMK/9dw+O
	5v64eEcCyi3hmr30JT4qZUlwsFsh4BglMC3yyLmErP69MDO4amNUNDKdI/THLsGSnnZp/cqmfDB
	5alDieXxMfJC/jGlSgvRN/tD9Dz0h15pSmGfY
X-Gm-Gg: ASbGncvFXevzmGGGc1GdBho3scsxNIaNGA0ap/LoIL8B2SyLHe6H9U0YQSmGRxMMF+s
	lLZpvAIxCOWZnI/m2hIV4uVRlTmeH+QF5KDk+SOBSfGxOeIwq0avuR0E3RvGTKM3LdO5qIRA07n
	x0s4+vQHl1SSDbyckP0gYxBdnmLYTRNZXDX41IF3wX8wUwHqNUYLw=
X-Google-Smtp-Source: AGHT+IGgHf6h5ky/oBtMGcY118AYJMOT/92vT1r0ZPWF+1/p6kIEx1bCwCHBZYSOVPJ02P+vB1b+7e6IdUo9B+BqHAE=
X-Received: by 2002:a05:6214:590a:b0:702:d9d7:b6e2 with SMTP id
 6a1803df08f44-7048b9b4b63mr40408906d6.34.1752069428912; Wed, 09 Jul 2025
 06:57:08 -0700 (PDT)
MIME-Version: 1.0
From: =?UTF-8?Q?Alpaslan_AKDA=C4=9E?= <alpaslanakdag@gmail.com>
Date: Wed, 9 Jul 2025 15:56:58 +0200
X-Gm-Features: Ac12FXzJ4fB9unoz1YI_m94Qt1svMJ6zmIR5uti5Oi88wdMk60LCG-DutPId9Nk
Message-ID: <CAHKeUX8D-c=Y8su6eFLZXJ09VOVLnSUHYD-649NoXW8cHdBPhg@mail.gmail.com>
Subject: Password Encryption and Connection Issues
To: "pgsql-general@lists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000eea69b06397f730d"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAHKeUX8D-c%3DY8su6eFLZXJ09VOVLnSUHYD-649NoXW8cHdBPhg%40mail.gmail.com>
Precedence: bulk

--000000000000eea69b06397f730d
Content-Type: text/plain; charset="UTF-8"

Hello all

We have recently upgraded our PostgreSQL instances from version 13 to 16.
During the upgrade, we also changed the password_encryption setting in
postgresql.conf to scram-sha-256.

Before the upgrade, we used pg_dumpall --roles-only to export all users and
their MD5-hashed passwords. After the upgrade, we executed this SQL script
to restore the users, and all users with their MD5 hashes were recreated
successfully.

However, we observed that:

   -

   New users created under the scram-sha-256 encryption setting have
   passwords starting with SCRAM-SHA-256$4096: in pg_authid.
   -

   The imported users still have passwords in the MD5 format, e.g.,
   md5a33e074800fe59f4ec8a123d0085d0e9.
   -

   Our pg_hba.conf still uses md5 as the authentication method.

As a result, some users are able to connect, while others cannot.

My questions are:

   1.

   Is it expected behavior that users created with scram-sha-256 passwords
   can still connect via md5 in pg_hba.conf?
   2.

   Under the current settings, is it still possible to use MD5-style
   password hashes for user creation? How does PostgreSQL treat this
   compatibility?
   3. In such a case, what would be the recommended approach or best
   practice to follow during upgrades in order to avoid this kind of issue?

Thank you in advance for your support.

Best regards,

Alpaslan

--000000000000eea69b06397f730d
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div><div>Hello all<br><br></div>We have recently upg=
raded our PostgreSQL instances from version 13 to 16. During the upgrade, w=
e also changed the <code>password_encryption</code> setting in <code>postgr=
esql.conf</code> to <code>scram-sha-256</code>.<p>Before the upgrade, we us=
ed <code>pg_dumpall --roles-only</code> to export all users and their MD5-h=
ashed passwords. After the upgrade, we executed this SQL script to restore =
the users, and all users with their MD5 hashes were recreated successfully.=
</p>
<p>However, we observed that:</p>
<ul><li>
<p>New users created under the <code>scram-sha-256</code> encryption settin=
g have passwords starting with <code>SCRAM-SHA-256$4096:</code> in <code>pg=
_authid</code>.</p>
</li><li>
<p>The imported users still have passwords in the MD5 format, e.g., <code>m=
d5a33e074800fe59f4ec8a123d0085d0e9</code>.</p>
</li><li>
<p>Our <code>pg_hba.conf</code> still uses <code>md5</code> as the authenti=
cation method.</p>
</li></ul>
<p>As a result, some users are able to connect, while others cannot.</p>
<p>My questions are:</p>
<ol><li>
<p>Is it expected behavior that users created with <code>scram-sha-256</cod=
e> passwords can still connect via <code>md5</code> in <code>pg_hba.conf</c=
ode>?</p>
</li><li>
<p>Under the current settings, is it still possible to use MD5-style passwo=
rd hashes for user creation? How does PostgreSQL treat this compatibility?<=
/p></li><li>In such a case, what would be the recommended approach or best =
practice to follow during upgrades in order to avoid this kind of issue?</l=
i></ol>
<p>Thank you in advance for your support.<br><br></p><p>Best regards,<br></=
p><p>Alpaslan</p></div></div><div><br></div></div>

--000000000000eea69b06397f730d--