Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uZWG7-004gOb-1r for pgsql-general@arkaria.postgresql.org; Wed, 09 Jul 2025 14:58:55 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uZWG5-0002zY-6R for pgsql-general@arkaria.postgresql.org; Wed, 09 Jul 2025 14:58:53 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uZWG4-0002wf-R9 for pgsql-general@lists.postgresql.org; Wed, 09 Jul 2025 14:58:53 +0000 Received: from mail-il1-x12a.google.com ([2607:f8b0:4864:20::12a]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uZWG3-006PtU-2W for pgsql-general@lists.postgresql.org; Wed, 09 Jul 2025 14:58:52 +0000 Received: by mail-il1-x12a.google.com with SMTP id e9e14a558f8ab-3df2e7cdc69so16743275ab.2 for ; Wed, 09 Jul 2025 07:58:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752073131; x=1752677931; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QbGhJCFp9Ni/CwY8B3ARhlhcWoCRi9+iBAA7kTUU8bw=; b=jT1a5rfw4T3h2as3S1UYc7B2wTx3xmB+Z7ylobbJQnY+6Cf1RV8cjO1Th7edI/67r7 Tlfj+C6VXme1IcSrSOdbxq2jP5/YruYHFTrT6SJmz/1kXL32M5lXHzi0xEVXMFdaOqir TpLNQpc+e/6rPwMGGWOj+HbRQc1cYsH7nKmi1jEugXL7nmvgx2xwwqZi539I0Z++k+0V 24IJbHg0Iot+vEIP5UUdjg3DZRvsmrp2McvS+sbIgN+UwOruj0UsDafC7sGvlmc8sfRw LcLh22vOhMWaOfDN0bQ9wvAzc1PJN4osxCJgFZq7cry2y+M+9qN9TooBb5U7kCM7Np9I HQ+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752073131; x=1752677931; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QbGhJCFp9Ni/CwY8B3ARhlhcWoCRi9+iBAA7kTUU8bw=; b=ngQE9cwJJ7l/DVnizT34tqGHgCe/LnKAG6hg4K8abcZcQj06Mirr/FRRVH2/OUcHFR qrpdqwDRjF6uTwBgs0CavqnGuAaq2tSSfYaYrJIfJa1XGMH2InWTx+MREYNNF1OoKy/T 30a75J/Tgnsf2RKr5pQjKQ0HlN2vf8twkAzBlpVEc+oujHYAJf9Mz7DX0ByYo0yB6bjg NMoN1Af3mZT3zxYTP21UEH/FqkkHK3Dyzvxm0LEwazoFH5bhCAENCf0OriZkCBohZSbt fJVtQcjIOnEXuzVkJHYvg4QN36itG+heD171S0NcoH67HwDlnSZHZYZrFNOLNMf/d8i6 5Lig== X-Gm-Message-State: AOJu0Yx3ipwIs2qs/2e+G2LBqaS6sxThNXFvsOEcSNntIgPotRN0g845 B3vTqDCVNZHu1l5Oq/gT1c+BGXvErvnoo2lUXqcnxH0ey57xhmwC3HU8zXPWe8c/pWbch0fJRXj AEBBJrZDbnPOFObhwshMgdPpW/oqk53M= X-Gm-Gg: ASbGncujSwxTSBTlt9glrt4oGZei97nMnaqlglQmd7v3Lau+rNi6mlNJtnJsO6db3MS jjIFEXdWX6wlmoKKPaV5cmq+BVHKDk2D1gvEtiyD4tBkWKu+X781kaxbl4Fq3ZkRQzCUxlAyi3F N63Sy5wFiUxGJJY1oCH+6WAVeO8dfRjh2C6snbT5s2Q8EJBDy0evEvlTKm81oAyDYZT4PNPF5sP X6E X-Google-Smtp-Source: AGHT+IH0bLitEWxBOnkGmSN21DIC37yI5XgwCzPTxO7BIpmMmin4V3u1KK38gjWUzTwB22VyDD2J+wyKxFNutUed8oA= X-Received: by 2002:a05:6e02:378e:b0:3dc:7a9a:4529 with SMTP id e9e14a558f8ab-3e24400875cmr826635ab.16.1752073130857; Wed, 09 Jul 2025 07:58:50 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Greg Sabino Mullane Date: Wed, 9 Jul 2025 10:58:15 -0400 X-Gm-Features: Ac12FXyjfXVlq50INmw82BSaeExlg-Mn0JLJIG-2SCT1RucUqnkRB7frriN3OE4 Message-ID: Subject: Re: Password Encryption and Connection Issues To: =?UTF-8?Q?Alpaslan_AKDA=C4=9E?= Cc: "pgsql-general@lists.postgresql.org" Content-Type: multipart/alternative; boundary="00000000000095daa706398050a9" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000095daa706398050a9 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Jul 9, 2025 at 9:57=E2=80=AFAM Alpaslan AKDA=C4=9E wrote: > Is it expected behavior that users created with scram-sha-256 passwords > can still connect via md5 in pg_hba.conf? Yes. From the docs: > To ease transition from the md5 method to the newer SCRAM method, if md5 = is > specified as a method in pg_hba.conf but the user's password on the > server is encrypted for SCRAM (see below), then SCRAM-based authenticatio= n > will automatically be chosen instead. You can think of "md5" inside pg_hba.conf as "md5 or better" As a result, some users are able to connect, while others cannot. Can you expand on this? Nothing you have done should be preventing logins, as far as I can tell. Best solution: Upgrade everyone to scram, then change md5 to scram in pg_hba.conf and never look back. --=20 Cheers, Greg -- Crunchy Data - https://www.crunchydata.com Enterprise Postgres Software Products & Tech Support --00000000000095daa706398050a9 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Wed, Jul 9, 2025 at 9:57=E2=80=AFAM Al= paslan AKDA=C4=9E <alpaslanak= dag@gmail.com> wrote:
Is it expected behavior that users created with scram-sha-= 256 passwords can still connect via md5 in pg_hba= .conf?

Yes. From the docs:=C2=A0
To ea= se transition from the=C2=A0md5=C2=A0method to the newer SCRAM metho= d, if=C2=A0md5=C2=A0is specified as a method in=C2=A0pg_hba.conf=C2=A0but the user's password on the server is encrypted for SCRAM = (see below), then SCRAM-based authentication will automatically be chosen i= nstead.

You can think of "md5&q= uot; inside pg_hba.conf as "md5 or better"=C2=A0

As a result, some use= rs are able to connect, while others cannot.

Can you expand on this? Nothing you have done should be preventing logins= , as far as I can tell.

Best solution: Upgrade eve= ryone to scram, then change md5 to scram in pg_hba.conf and never look back= .

--
=
Cheers,
Greg

--
Enterprise Postgres Software Products & Tech Support<= /div>

--00000000000095daa706398050a9--