Jeff Janes <jeff.ja...@gmail.com> writes:
> On Sun, Dec 20, 2020 at 7:58 PM Stephen Frost <sfr...@snowman.net> wrote:
>> * Magnus Hagander (mag...@hagander.net) wrote:
>>> Maybe we should do the same for LDAP (and RADIUS)? This seems like a
>>> better place to put it than to log it at every time it's received?
>> A dollar short and a year late, but ... +1.
> I would suggest going further. I would make the change on the client side,
> and have libpq refuse to send unhashed passwords without having an
> environment variable set which allows it.
As noted, that would break LDAP and RADIUS auth methods; likely also PAM.
> What is the value of logging on the server side?
I do agree with this point, but mostly on the grounds of "nobody reads
the server log".
regards, tom lane
