Date: Thu, 19 Dec 2019 12:22:30 -0500
From: "James Cassell"
To: "PostgreSQL Yum Package List"
Subject: Re: Can we stop defaulting to 'ident'?

On Thu, Dec 19, 2019, at 11:57 AM, Stephen Frost wrote:
> Greetings,
>
> * James Cassell wrote:
> > On Wed, Dec 18, 2019, at 11:58 PM, Craig Ringer wrote:
> > > 'ident' doesn't work by default on any RPM distro.
> > >
> > > It's not clear why the initdb wrapper for the rpm packages defaults to
> > > generating 'host' entries with 'ident' auth, but I think it's pretty
> > > unhelpful. At least if we used 'md5' the user could set passwords and
> > > have them actually work.
> > >
> > > initdbcmd="$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'"
> > > initdbcmd+=" $PGSETUP_INITDB_OPTIONS"
> > >
> > > I know you can override it easily enough, but most people won't know to.
> >
> > For what it's worth, I am quite happy with the current default of ident.
> >
> > To make it work, you can install the `authd` package, then enable the `auth.socket` systemd service. I've made it listen only on localhost, and disabled the encryption part of authd because I didn't want to figure out how to give postgres the appropriate key.
> >
> > All-in-all, it makes for a seamless auth of local users/services to their own postgres databases running on localhost. Last I checked, ident auth was only specified for the localhost addresses in pg_hba.conf. (RHEL 8 has marked the "authd" package as deprecated without any explanation, though... it still works fine and is still present.)
>
> Why in the world would you want that over just using peer..?
>

Peer does not work with TCP connections, and I haven't figured out how to get, e.g., third-party Java applications working without TCP.

> 'host' with 'ident' should have been outright removed from PG, imv... I
> actually thought it was but maybe it's only been deprecated.
>

I guess I haven't paid close attention to deprecation notices. Was there a notice for it?

V/r,
James Cassell
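
The distinction this thread turns on ('host' records using 'ident', versus 'peer', which only applies to local sockets) can be checked mechanically. The following is an added example, not part of the original message or of the RPM packaging scripts: a small pg_hba.conf auditor. The sample file contents, function names and finding tags are constructed for illustration.

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample, not taken from any real server.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   ident
host    all       all   ::1/128        ident
host    all       all   10.0.0.0/8     ident
host    app       app   192.168.1.10 255.255.255.255 md5
host    all       all   127.0.0.1/32   peer
"""

def split_record(fields):
    """Return (address, method) for a TCP ('host*') record."""
    addr = fields[3]
    if "/" not in addr and len(fields) > 5:
        try:  # older form with a separate netmask column
            ipaddress.ip_address(fields[4])
            return f"{addr}/{fields[4]}", fields[5]
        except ValueError:
            pass
    return addr, fields[4]

def is_loopback(addr):
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return False  # hostname or keyword such as "all" / "samenet"

def audit_hba(text):
    """Return [(line_number, tag)] for TCP records using ident or peer."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # drops '#' comments
        if not fields or fields[0] not in HOST_TYPES or len(fields) < 5:
            continue  # 'local' records are out of scope here
        addr, method = split_record(fields)
        if method == "ident":
            # Works only if an ident server (e.g. authd) answers for the client.
            tag = "ident-tcp-loopback" if is_loopback(addr) else "ident-tcp-remote"
            findings.append((lineno, tag))
        elif method == "peer":
            findings.append((lineno, "peer-on-tcp"))  # peer is local-socket only
    return findings

if __name__ == "__main__":
    for lineno, tag in audit_hba(SAMPLE):
        print(f"line {lineno}: {tag}")
```
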