Re: Can we stop defaulting to 'ident'?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: James Cassell <fedoraproject(at)cyberpear(dot)com>
Cc: PostgreSQL Yum Package List <pgsql-pkg-yum(at)lists(dot)postgresql(dot)org>
Subject: Re: Can we stop defaulting to 'ident'?
Date: 2019-12-19 16:57:20
Message-ID: 20191219165719.GC3195@tamriel.snowman.net
Lists: pgsql-pkg-debian pgsql-pkg-yum

Greetings,

* James Cassell (fedoraproject(at)cyberpear(dot)com) wrote:
> On Wed, Dec 18, 2019, at 11:58 PM, Craig Ringer wrote:
> > 'ident' doesn't work by default on any RPM distro.
> >
> > It's not clear why the initdb wrapper for the rpm packages defaults to
> > generating 'host' entries with 'ident' auth, but I think it's pretty
> > unhelpful. At least if we used 'md5' the user could set passwords and
> > have them actually work.
> >
> > initdbcmd="$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'"
> > initdbcmd+=" $PGSETUP_INITDB_OPTIONS"
> >
> > I know you can override it easily enough, but most people won't know to.
>
> For what it's worth, I am quite happy with the current default of ident.
>
> To make it work, you can install the `authd` package, then enable the `auth.socket` systemd service. I've made it listen only on localhost, and disabled the encryption part of authd because I didn't want to figure out how to give postgres the appropriate key.
>
> All-in-all, it makes for a seamless auth of local users/services to their own postgres databases running on localhost. Last I checked, ident auth was only specified for the localhost addresses in pg_hba.conf. (RHEL 8 has marked the "authd" package as deprecated without any explanation, though... it still works fine and is still present.)

Why in the world would you want that over just using peer..?

'host' with 'ident' should have been outright removed from PG, imv... I
actually thought it was but maybe it's only been deprecated.

Thanks,

Stephen
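
Added example, not part of the original message or of the PostgreSQL packaging scripts: a small audit that finds the 'host' + 'ident' rules this thread is about in a pg_hba.conf. The sample file is constructed and the function names are hypothetical; 'local' lines with 'ident' are reported separately because PostgreSQL applies peer authentication to them.

```python
import ipaddress
import shlex

# Constructed sample resembling what `initdb --auth='ident'` writes.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  ident
host    all       all   127.0.0.1/32   ident
host    all       all   ::1/128        ident
host    all       all   10.0.0.0 255.0.0.0 md5
hostssl app       app   192.0.2.0/24   scram-sha-256
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (lineno, conn_type, method) for every rule line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":
            method_idx = 3
        elif conn_type in HOST_TYPES:
            # Address is one field (CIDR/hostname) or two (IP + netmask).
            two_field = len(fields) > 5 and _is_ip(fields[3]) and _is_ip(fields[4])
            method_idx = 5 if two_field else 4
        else:
            continue  # include directives etc. are out of scope here
        if len(fields) > method_idx:
            yield lineno, conn_type, fields[method_idx]

def audit(text):
    """Return (lineno, finding) for each rule that names 'ident'."""
    findings = []
    for lineno, conn_type, method in parse_hba(text):
        if method == "ident" and conn_type in HOST_TYPES:
            findings.append((lineno, "host-ident"))  # needs an ident server
        elif method == "ident" and conn_type == "local":
            findings.append((lineno, "local-ident-is-peer"))
    return findings
```
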
