Re: Can we stop defaulting to 'ident'?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Stephen Frost <[email protected]>
To: Christoph Berg <[email protected]>
To: Devrim Gündüz <[email protected]>
To: Craig Ringer <[email protected]>
To: pgsql-pkg-yum <[email protected]>
Subject: Re: Can we stop defaulting to 'ident'?
Date: Fri, 20 Dec 2019 10:06:44 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
	<[email protected]>
	<[email protected]>

Greetings,

* Christoph Berg ([email protected]) wrote:
> Re: Devrim Gündüz 2019-12-20 <[email protected]>
> > > but I think it's pretty unhelpful. At least if we used 'md5' the user could
> > > set passwords and have them actually work.
> > 
> > IMHO the only alternative could be "trust", because I am not holding my breath
> > for the majority of our users to be able to setup a password that easily
> > (yeah). I'm also not inclined to setup a default password for RPM installations
> > (and also RPMs must not do any interactive work, like asking for a password)
> 
> Fwiw, the Debian packages have been using md5 forever, and do not set
> a password either. People seem to be able to set a password
> themselves. I've never heard any complaint about it. (Except for some
> poking that scram might be better.)

SCRAM is *definitely* better and I strongly support us moving to it,
provided it doesn't break anything existing (which it generally
shouldn't...  but maybe there's some weird edge cases, or possibly older
clients, but still, at some point, we need to move this default to be
SCRAM).

That said- we should be using peer for local unix sockets and SCRAM for
host-based password (local or not...), and ident needs to just die.

Thanks,

Stephen


Attachments:

  [application/pgp-signature] signature.asc (819B, 2-signature.asc)
  download

view thread (54+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Can we stop defaulting to 'ident'?
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox