
Should we drop md5 auth in PostgreSQL? We are in 2023!!!

Open joanhey opened this issue 2 years ago • 6 comments

With the new official PostgreSQL Docker image, we again have the problem with md5 auth. I can fix it, but is it realistic to use md5 auth in 2023?

Some of the frameworks that fail had the time and energy to patch libpq for performance, so they can spend some time adding the new scram (sha-256) auth to their frameworks.

More info: #7557 #8002

Give your feedback.

joanhey avatar Mar 23 '23 12:03 joanhey

@joanhey How many frameworks are failing because of this? Do you know offhand and can ping the contributors here?

NateBrady23 avatar Mar 23 '23 13:03 NateBrady23

It should default to sasl auth at this point. But there are some points I consider worth mentioning:

  1. It is still realistic to use md5. Do note that sasl auth can still happen over a plain TCP connection, which makes it not any safer, realistically speaking. I believe most people use plain TCP in a trusted local network anyway (or a unix socket).
  2. Some, if not most, of the frameworks that fail to do sasl auth are not using libpq. They are likely using their language's native db client, which causes the problem (lack of feature), and it's considerably more work to write a native db driver than to fork and patch libpq.

fakeshadow avatar Mar 23 '23 22:03 fakeshadow
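For driver authors weighing the work discussed above, an added example (not code from this thread or from any framework in the benchmark) of what a native client has to compute for each method: the md5 challenge response and the SCRAM-SHA-256 client proof from RFC 5802 / RFC 7677, plus the check the server runs. Function names are hypothetical, the sample exchange uses the RFC 7677 section 3 example values, and SASLprep normalisation and PostgreSQL's message framing are left out (ASCII passwords assumed).

```python
import base64
import hashlib
import hmac

def _attrs(msg: str) -> dict:
    # SCRAM messages are comma-separated "k=value" attributes
    return dict(kv.split("=", 1) for kv in msg.split(","))

def pg_md5_response(user: str, password: str, salt: bytes) -> str:
    """md5 method: 'md5' + md5hex(md5hex(password + user) + 4-byte server salt)."""
    inner = hashlib.md5((password + user).encode()).hexdigest()
    return "md5" + hashlib.md5(inner.encode() + salt).hexdigest()

def scram_client_final(password, client_first_bare, server_first, gs2="n,,"):
    """Return (client-final-message, StoredKey, AuthMessage) for SCRAM-SHA-256."""
    srv = _attrs(server_first)
    # The server nonce must extend the nonce this client sent
    if not srv["r"].startswith(_attrs(client_first_bare)["r"]):
        raise ValueError("server nonce does not extend client nonce")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(srv["s"]), int(srv["i"]))
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # what the server keeps
    without_proof = "c=" + base64.b64encode(gs2.encode()).decode() + ",r=" + srv["r"]
    auth_message = ",".join([client_first_bare, server_first, without_proof])
    signature = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, signature))
    final = without_proof + ",p=" + base64.b64encode(proof).decode()
    return final, stored_key, auth_message

def server_verifies(stored_key: bytes, auth_message: str, client_final: str) -> bool:
    """Server side: recover ClientKey from the proof and compare its hash."""
    proof = base64.b64decode(client_final.rsplit(",p=", 1)[1])
    signature = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

# Sample exchange: RFC 7677 section 3 example (user "user", password "pencil")
CLIENT_FIRST_BARE = "n=user,r=rOprNGfwEbeRWgbNEkqO"
SERVER_FIRST = ("r=rOprNGfwEbeRWgbNEkqO%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,"
                "s=W22ZaJ0SNY7soEsUEjb6gQ==,i=4096")

if __name__ == "__main__":
    final, stored, auth = scram_client_final("pencil", CLIENT_FIRST_BARE, SERVER_FIRST)
    print(final)
    print("server accepts:", server_verifies(stored, auth, final))
    # Constructed salt, for illustration only
    print(pg_md5_response("user", "pencil", b"\x01\x02\x03\x04"))
```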

@fafhrd91 Maybe it's worth implementing sasl auth in ntex postgres.

fakeshadow avatar Mar 23 '23 22:03 fakeshadow

I think that ~30 framework permutations fail because of the auth.

joanhey avatar Mar 29 '23 15:03 joanhey