diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 20dbcaeb3ee..f670e2d4c31 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1188,7 +1188,8 @@ include_dir 'conf.d'
 Controls whether a WARNING about MD5 password
- deprecation is produced when a CREATE ROLE or
+ deprecation is produced upon successful MD5 password authentication or
+ when a CREATE ROLE or
 ALTER ROLE statement sets an MD5-encrypted password.
 The default value is on.
diff --git a/src/backend/libpq/crypt.c b/src/backend/libpq/crypt.c
index dbdd0e40f41..37ccec355c7 100644
--- a/src/backend/libpq/crypt.c
+++ b/src/backend/libpq/crypt.c
@@ -294,7 +294,24 @@ md5_crypt_verify(const char *role, const char *shadow_pass,
 }
 if (strcmp(client_pass, crypt_pwd) == 0)
+ {
 retval = STATUS_OK;
+
+ if (md5_password_warnings)
+ {
+ MemoryContext oldcontext;
+ char *warning;
+ char *detail;
+
+ oldcontext = MemoryContextSwitchTo(TopMemoryContext);
+
+ warning = pstrdup(_("authenticated with an MD5-encrypted password"));
+ detail = pstrdup(_("MD5 password support is deprecated and will be removed in a future release of PostgreSQL."));
+ StoreConnectionWarning(warning, detail);
+
+ MemoryContextSwitchTo(oldcontext);
+ }
+ }
 else
 {
 *logdetail = psprintf(_("Password does not match for user \"%s\"."),
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index 0ec9aa9f4e8..a4b11673c26 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -499,6 +499,8 @@ SKIP:
 {
 skip "MD5 not supported" unless $md5_works;
 test_conn($node, 'user=md5_role', 'md5', 0,
+ expected_stderr =>
+ qr/authenticated with an MD5-encrypted password/,
 log_like =>
 [qr/connection authenticated: identity="md5_role" method=md5/]);
 }
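Review bot: The warning is attached only to the success branch of md5_crypt_verify, so it fires for method=md5 logins but, as far as this diff shows, not for a role whose stored verifier is MD5 and that authenticates through the `password` method, which is checked in plain_crypt_verify in the same file. If that path is meant to stay silent, the config.sgml wording should tie the warning to the md5 authentication method; otherwise the block could move into a small static helper called from both verify functions, so operators get the deprecation signal for every login that still depends on an MD5 verifier. The block also carries no comment on why it switches to TopMemoryContext; something like `/* keep the strings valid until the warning is sent, after authentication finishes */` would help, assuming StoreConnectionWarning retains the pointers rather than copying them. md5_crypt_verify begins and ends outside the hunk.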
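Review bot: The added `expected_stderr` check covers only the positive case, an md5_role login over method md5 with the warning enabled. Nothing visible in this hunk asserts that the message is absent when `md5_password_warnings` is off, or absent for a SCRAM login, so a regression that emits the warning unconditionally would still pass. A companion connection test with the setting disabled, checking that stderr does not match `qr/authenticated with an MD5-encrypted password/`, would close that gap.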