Message-Id: <83bdce65-302f-49ef-828a-3831fe11d904@www.fastmail.com>
Date: Thu, 19 Dec 2019 10:20:27 -0500
From: "James Cassell"
To: "PostgreSQL Yum Package List"
Subject: Re: Can we stop defaulting to 'ident'?

On Wed, Dec 18, 2019, at 11:58 PM, Craig Ringer wrote:
> 'ident' doesn't work by default on any RPM distro.
>
> It's not clear why the initdb wrapper for the rpm packages defaults to
> generating 'host' entries with 'ident' auth, but I think it's pretty
> unhelpful. At least if we used 'md5' the user could set passwords and
> have them actually work.
>
> initdbcmd="$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'"
> initdbcmd+=" $PGSETUP_INITDB_OPTIONS"
>
> I know you can override it easily enough, but most people won't know to.
>

For what it's worth, I am quite happy with the current default of ident. To make it work, you can install the `authd` package, then enable the `auth.socket` systemd service. I've made it listen only on localhost, and disabled the encryption part of authd because I didn't want to figure out how to give postgres the appropriate key. All-in-all, it makes for a seamless auth of local users/services to their own postgres databases running on localhost.

Last I checked, ident auth was only specified for the localhost addresses in pg_hba.conf.

(RHEL 8 has marked the "authd" package as deprecated without any explanation, though... it still works fine and is still present.)

V/r,
James Cassell
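
A check for the point above that ident is only specified for localhost addresses in pg_hba.conf, as an added example that is not part of the original message or of the PostgreSQL packaging. It matters because ident on a `host` rule makes the server accept the user name reported by the ident service on the connecting machine, so any non-loopback rule is worth flagging. The sample file contents and the function names are constructed for illustration, and the parser assumes fields are not quoted.

```python
import ipaddress

# Constructed sample (not from the thread): the loopback rules that
# initdb --auth='ident' produces, plus hand-written variants.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              peer
host    all       all   127.0.0.1/32               ident
host    all       all   ::1/128                    ident
host    all       all   10.0.0.0/8                 ident map=corp
host    all       all   127.0.0.1 255.255.255.255  ident
host    app       app   192.168.1.0/24             md5
host    all       all   localhost                  ident
"""

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def audit_ident(hba_text):
    """Return (lineno, address, verdict) for each host* rule using ident."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # assumes no quoted fields
        if len(f) < 5 or not f[0].startswith("host"):
            continue  # skips comments, blank lines and "local" rules
        addr, method = f[3], f[4]
        if _is_ip(addr) and len(f) >= 6 and _is_ip(f[4]):
            addr, method = f"{f[3]}/{f[4]}", f[5]  # IP + separate netmask form
        if method != "ident":
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
            verdict = "loopback" if net.is_loopback else "remote"
        except ValueError:
            verdict = "review"  # hostname, samehost, samenet, all
        findings.append((lineno, addr, verdict))
    return findings

if __name__ == "__main__":
    for lineno, addr, verdict in audit_ident(SAMPLE_HBA):
        print(f"line {lineno}: ident on {addr}: {verdict}")
```

Rules reported as "remote" or "review" are the ones to replace with a password-based method or restrict to loopback.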