From: Ron Johnson
Date: Wed, 9 Jul 2025 11:09:10 -0400
Subject: Re: Password Encryption and Connection Issues
To: "pgsql-general@lists.postgresql.org"

On Wed, Jul 9, 2025 at 10:59 AM Greg Sabino Mullane wrote:

> On Wed, Jul 9, 2025 at 9:57 AM Alpaslan AKDAĞ wrote:
>
>> Is it expected behavior that users created with scram-sha-256 passwords
>> can still connect via md5 in pg_hba.conf?
>
> Yes. From the docs:
>
>> To ease transition from the md5 method to the newer SCRAM method, if md5 is
>> specified as a method in pg_hba.conf but the user's password on the
>> server is encrypted for SCRAM (see below), then SCRAM-based authentication
>> will automatically be chosen instead.
>
> You can think of "md5" inside pg_hba.conf as "md5 or better"
>
> As a result, some users are able to connect, while others cannot.
>
> Can you expand on this? Nothing you have done should be preventing logins,
> as far as I can tell.
>
> Best solution: Upgrade everyone to scram, then change md5 to scram in
> pg_hba.conf and never look back.

That requires setting the password to null and then recreating the
password, no? Otherwise IIRC, changing an md5 password leaves the new
password also in md5 format.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
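An added example, not part of the original message and not PostgreSQL's own code: a pre-flight check for the "change md5 to scram in pg_hba.conf" step discussed above. It classifies stored verifiers by format and lists the login roles that still hold an md5 verifier. The role names, passwords, rows and pg_hba.conf text are constructed; each row stands for (rolname, rolcanlogin, rolpassword) as read from pg_authid.

```python
import base64
import hashlib
import re

# Verifier formats as stored in pg_authid.rolpassword.
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(
    r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")
PASSWORD_METHODS = {"md5", "scram-sha-256", "password"}

def classify(rolpassword):
    """Return 'scram-sha-256', 'md5', 'none' or 'unknown' for a stored verifier."""
    if rolpassword is None:
        return "none"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    if MD5_RE.match(rolpassword):
        return "md5"
    return "unknown"

def hba_methods(hba_text):
    """Password-based auth methods named in pg_hba.conf (comments skipped)."""
    found = set()
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # The method follows type/database/user (and the address on host lines).
        found.update(f for f in fields[3:] if f in PASSWORD_METHODS)
    return found

def needs_reset(rows):
    """Login roles still holding an md5 verifier; these cannot authenticate
    once the pg_hba.conf method is scram-sha-256."""
    return sorted(name for name, canlogin, pw in rows
                  if canlogin and classify(pw) == "md5")

def _b64(n):
    return base64.b64encode(bytes(n)).decode()

# Constructed sample data (not from the thread).
SAMPLE_ROLES = [
    ("app_rw", True, "SCRAM-SHA-256$4096:" + _b64(16) + "$" + _b64(32) + ":" + _b64(32)),
    ("legacy_etl", True, "md5" + hashlib.md5(b"example-pw" + b"legacy_etl").hexdigest()),
    ("reporting", False, "md5" + hashlib.md5(b"example-pw" + b"reporting").hexdigest()),
    ("nologin_owner", False, None),
]
SAMPLE_HBA = "local all all peer\nhost all all 10.0.0.0/8 md5  # legacy\n"

if __name__ == "__main__":
    print("hba password methods:", hba_methods(SAMPLE_HBA))
    print("reset before switching to scram-sha-256:", needs_reset(SAMPLE_ROLES))
```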