From: | "James Cassell" <fedoraproject(at)cyberpear(dot)com> |
---|---|
To: | "PostgreSQL Yum Package List" <pgsql-pkg-yum(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Can we stop defaulting to 'ident'? |
Date: | 2019-12-19 15:20:27 |
Message-ID: | 83bdce65-302f-49ef-828a-3831fe11d904@www.fastmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-pkg-debian pgsql-pkg-yum |
On Wed, Dec 18, 2019, at 11:58 PM, Craig Ringer wrote:
> 'ident' doesn't work by default on any RPM disto.
>
> It's not clear why the initdb wrapper for the rpm packages defaults to
> generating 'host' entries with 'ident' auth, but I think it's pretty
> unhelpful. At least if we used 'md5' the user could set passwords and
> have them actually work.
>
> initdbcmd="$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'"
> initdbcmd+=" $PGSETUP_INITDB_OPTIONS"
>
> I know you can override it easily enough, but most people won't know to.
>
For what it's worth, I am quite happy with the current default of ident.
To make it work, you can install the `authd` package, then enable the `auth.socket` systemd service. I've made it listen only on localhost, and disabled the encryption part of authd because I didn't want to figure out how to give postgres the appropriate key.
All-in-all, it makes for a seamless auth of local users/services to their own postgres databases running on localhost. Last I checked, ident auth was only specified for the localhost addreses in pg_hba.conf. (RHEL 8 has marked the "authd" package as deprecated without any explanation, though... it still works fine and is still present.)
V/r,
James Cassell
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2019-12-19 16:57:20 | Re: Can we stop defaulting to 'ident'? |
Previous Message | Craig Ringer | 2019-12-19 04:58:59 | Can we stop defaulting to 'ident'? |
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2019-12-19 16:57:20 | Re: Can we stop defaulting to 'ident'? |
Previous Message | Craig Ringer | 2019-12-19 04:58:59 | Can we stop defaulting to 'ident'? |