Date: Thu, 19 Dec 2019 11:57:20 -0500
From: Stephen Frost
To: James Cassell
Cc: PostgreSQL Yum Package List
Subject: Re: Can we stop defaulting to 'ident'?
Message-ID: <20191219165719.GC3195@tamriel.snowman.net>
In-Reply-To: <83bdce65-302f-49ef-828a-3831fe11d904@www.fastmail.com>

Greetings,

* James Cassell (fedoraproject@cyberpear.com) wrote:
> On Wed, Dec 18, 2019, at 11:58 PM, Craig Ringer wrote:
> > 'ident' doesn't work by default on any RPM distro.
> >
> > It's not clear why the initdb wrapper for the rpm packages defaults to
> > generating 'host' entries with 'ident' auth, but I think it's pretty
> > unhelpful. At least if we used 'md5' the user could set passwords and
> > have them actually work.
> >
> > initdbcmd="$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'"
> > initdbcmd+=" $PGSETUP_INITDB_OPTIONS"
> >
> > I know you can override it easily enough, but most people won't know to.
>
> For what it's worth, I am quite happy with the current default of ident.
>
> To make it work, you can install the `authd` package, then enable the `auth.socket` systemd service. I've made it listen only on localhost, and disabled the encryption part of authd because I didn't want to figure out how to give postgres the appropriate key.
>
> All-in-all, it makes for a seamless auth of local users/services to their own postgres databases running on localhost. Last I checked, ident auth was only specified for the localhost addresses in pg_hba.conf. (RHEL 8 has marked the "authd" package as deprecated without any explanation, though... it still works fine and is still present.)

Why in the world would you want that over just using peer..? 'host' with 'ident' should have been outright removed from PG, imv... I actually thought it was but maybe it's only been deprecated.

Thanks,

Stephen
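
An added example, not part of the original message or of the PostgreSQL packaging scripts: a small check that flags pg_hba.conf rules using `ident`, the `host` + `ident` combination this thread is about. The function names (`rules`, `audit`) and the sample file contents are constructed for illustration, and the parser assumes no quoted names containing spaces or `#`.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
LOCAL_ADVICE = "PostgreSQL uses peer for local+ident; write 'peer' explicitly"
HOST_ADVICE = ("needs an ident server (e.g. authd) on the client host; "
               "use peer over the Unix socket or a password method")

# Constructed sample (not from a real system), shaped like an ident-by-default file.
SAMPLE_HBA = """\
# TYPE  DATABASE     USER  ADDRESS             METHOD
local   all          all                       peer
host    all          all   127.0.0.1/32        ident
host    all          all   ::1/128             ident
host    all          all   10.0.0.0 255.0.0.0  md5
local   replication  all                       ident map=repl
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def rules(text):
    """Yield (line_number, connection_type, method) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields or fields[0] not in HOST_TYPES | {"local"}:
            continue
        if fields[0] == "local":
            idx = 3                      # local rules have no ADDRESS column
        else:                            # ADDRESS is CIDR/name, or IP + netmask
            idx = 5 if len(fields) > 5 and _is_ip(fields[4]) else 4
        if len(fields) > idx:
            yield lineno, fields[0], fields[idx]

def audit(text):
    """Return (line_number, advice) for every rule whose method is ident."""
    return [(n, LOCAL_ADVICE if ctype == "local" else HOST_ADVICE)
            for n, ctype, method in rules(text) if method == "ident"]

if __name__ == "__main__":
    for lineno, advice in audit(SAMPLE_HBA):
        print(f"pg_hba.conf:{lineno}: {advice}")
```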