Re: GSSAPI, SSPI - include_realm default

Bruce, all,

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> On Tue, Dec 9, 2014 at 05:38:25PM -0500, Stephen Frost wrote:
> > > My comment that include_realm is supported back to 8.4 was because there
> > > is an expectation that a pg_hba.conf file can be used unchanged across
> > > several major releases. So when 9.5 comes out and people update their
> > > pg_hba.conf files for 9.5, those files will still work in old releases.
> > > But the time to do those updates is then, not now.
> >
> > The back-branches are being patched to discourage using the default
> > because it's not a secure approach. New users start using PG all the
> > time and so changing the existing documentation is worthwhile to ensure
> > those new users understand. A note in the release notes for whichever
> > minor release the change to the documentation shows up in would be a
> > good way to make existing users aware of the change and hopefully
> > encourage them to review their configuration.
> >
> > If we don't agree that the change should be made then we can discuss
> > that, but everyone commenting so far has agreed on the change.
>
> Where are we on this?

Patches for master and 9.4 attached. The 9.4 patch should cherry-pick
down to the other current releases just fine. Please provide any
comments or suggestions for changes. If all looks good, I'll push this
to change the default for 9.5 to be include_realm=1 and the
documentation updates to recommend it in back-branches.

Thanks!

Stephen