Jeff Janes <[email protected]> writes:
> On Sun, Dec 20, 2020 at 7:58 PM Stephen Frost <[email protected]> wrote:
>> * Magnus Hagander ([email protected]) wrote:
>>> Maybe we should do the same for LDAP (and RADIUS)? This seems like a
>>> better place to put it than to log it at every time it's received?
>> A dollar short and a year late, but ... +1.
> I would suggest going further. I would make the change on the client side,
> and have libpq refuse to send unhashed passwords without having an
> environment variable set which allows it.
As noted, that would break LDAP and RADIUS auth methods; likely also PAM.
> What is the value of logging on the server side?
I do agree with this point, but mostly on the grounds of "nobody reads
the server log".
regards, tom lane
