Re: Help in vetting Switch from "MD5" to "scram-sha-256" - during DB Upgrade from EC2- PGS - Community Edn ver 13.X to 15.X

From: Adrian Klaver
Subject: Re: Help in vetting Switch from "MD5" to "scram-sha-256" - during DB Upgrade from EC2- PGS - Community Edn ver 13.X to 15.X
Msg-id: 104ef218-379a-4ca5-9918-29ab68a9405b@aklaver.com
In response to: RE: postgresql-17.0-1 Application - silent installation Issue  ("JOLAPARA Urvi (SAFRAN)" <urvi.jolapara@safrangroup.com>)
List: pgsql-general

On 2/6/25 18:03, Bharani SV-forum wrote:
> Adrian
> TQ for your valuable inputs.
> 
> *Additional Qsn*
> 
> Assume  DB ver = 15.X
> 
> By default encryption = scram-sha-256, Assume pg_hba.conf is quoted the 
> usage as MD5 for the
>   dbuserid "test_usr_1"
> 
> e.g.)
>
> hostssl   all test_usr_1 10.20.30.40  md5
> 
> i.e .)
> Assume if the respective db userid (e.g test_usr_1) is quoted for usage 
> md5,  in pg_hba.conf, No Need to Change, the respective *Role/Userid 
> password mandatorily.* DB System will allow to use existing password 
> with the old MD5 passwords still work, as long as the authentication 
> method in pg_hba.conf is set to md5

Yes.

It gives you time to switch the passwords to scram-sha-256 encryption 
after you do the migration. In other words you can have both md5 and 
scram-sha-256 passwords in use without changing the pg_hba.conf lines. 
Once the transition to scram-sha-256 is done then you can change the 
lines to scram-sha-256 and that will prevent use of md5 passwords going 
forward.

> 
> e.g.) hostssl     all         LOGS_USER_1 10.9.0.0/21    md5
> 
> Is there any security problem due to usage of md5 in the pg_hba.conf 
> file  with underlying db =15.X ?

You are currently using it, have there been any issues?

If not then moving to Postgres 15 won't change that.

> 
> I am aware,
> (a) *MD5 hash algorithm is nowadays no longer considered secure against 
> determined attacks.*
> (a) *MD5 method cannot be used with the db_user_namespace feature.*
> 
> 
> 



-- 
Adrian Klaver
adrian.klaver@aklaver.com
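
The transition described in the reply above, as an added example that is not part of the original message: a Python sketch that classifies stored password verifiers by format and reports which `md5` lines in pg_hba.conf can already be switched to `scram-sha-256`. The role names, hashes and pg_hba.conf lines are constructed sample data, and the parser assumes CIDR-style addresses and plain role names (no `+group` or `@file` entries).

```python
import re

# Constructed sample data (not from the thread): rolname -> pg_authid.rolpassword
ROLES = {
    "test_usr_1": "md5" + "0123456789abcdef" * 2,
    "logs_user_1": "SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVka2V5:c2VydmVya2V5",
    "svc_nopass": None,
}
# Constructed pg_hba.conf lines modelled on the ones quoted in the thread.
HBA = """\
# TYPE   DATABASE USER        ADDRESS        METHOD
hostssl  all      test_usr_1  10.20.30.40/32 md5
hostssl  all      logs_user_1 10.9.0.0/21    md5
hostssl  all      all         10.9.0.0/21    scram-sha-256
"""

MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+")

def verifier_kind(rolpassword):
    """Classify a stored password by its on-disk format."""
    if rolpassword is None:
        return "none"
    if MD5_RE.fullmatch(rolpassword):
        return "md5"
    if SCRAM_RE.fullmatch(rolpassword):
        return "scram-sha-256"
    return "unknown"

def parse_hba(text):
    """Yield (lineno, user_field, method) for host* records with CIDR addresses."""
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if len(f) >= 5 and f[0].startswith("host"):
            yield n, f[2], f[4]

def migration_report(roles, hba_text):
    """Per md5 line: roles that still need a new password before it can become scram-sha-256."""
    report = []
    for n, user, method in parse_hba(hba_text):
        if method != "md5":
            continue  # only md5 lines accept both md5 and SCRAM verifiers
        names = roles if user == "all" else [u for u in user.split(",") if u in roles]
        blocked = sorted(r for r in names if verifier_kind(roles[r]) == "md5")
        report.append((n, user, blocked, not blocked))  # last item: safe to switch now
    return report

if __name__ == "__main__":
    for row in migration_report(ROLES, HBA):
        print(row)
```

On a live server the `ROLES` mapping would come from `SELECT rolname, rolpassword FROM pg_authid` run as a superuser.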



