Re: Can we stop defaulting to 'ident'?
From | James Cassell |
---|---|
Subject | Re: Can we stop defaulting to 'ident'? |
Date | |
Msg-id | 02c6c7de-e2e2-48cd-94e7-7d65b7196ca5@www.fastmail.com |
In response to | Re: Can we stop defaulting to 'ident'? (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: Can we stop defaulting to 'ident'?; Re: Can we stop defaulting to 'ident'? |
List | pgsql-pkg-yum |

On Thu, Dec 19, 2019, at 11:57 AM, Stephen Frost wrote:
> Greetings,
>
> * James Cassell wrote:
> > On Wed, Dec 18, 2019, at 11:58 PM, Craig Ringer wrote:
> > > 'ident' doesn't work by default on any RPM distro.
> > >
> > > It's not clear why the initdb wrapper for the rpm packages defaults to
> > > generating 'host' entries with 'ident' auth, but I think it's pretty
> > > unhelpful. At least if we used 'md5' the user could set passwords and
> > > have them actually work.
> > >
> > > initdbcmd="$PGENGINE/initdb --pgdata='$PGDATA' --auth='ident'"
> > > initdbcmd+=" $PGSETUP_INITDB_OPTIONS"
> > >
> > > I know you can override it easily enough, but most people won't know to.
> >
> > For what it's worth, I am quite happy with the current default of ident.
> >
> > To make it work, you can install the `authd` package, then enable the `auth.socket` systemd service. I've made it listen only on localhost, and disabled the encryption part of authd because I didn't want to figure out how to give postgres the appropriate key.
> >
> > All-in-all, it makes for a seamless auth of local users/services to their own postgres databases running on localhost. Last I checked, ident auth was only specified for the localhost addresses in pg_hba.conf. (RHEL 8 has marked the "authd" package as deprecated without any explanation, though... it still works fine and is still present.)
>
> Why in the world would you want that over just using peer..?
>

Peer does not work with TCP connections, and I haven't figured how to get, e.g., third-party Java applications working without TCP.

> 'host' with 'ident' should have been outright removed from PG, imv... I
> actually thought it was but maybe it's only been deprecated.
>

I guess I haven't paid close attention to deprecation notices. Was there a notice for it?

V/r,
James Cassell
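
Added example, not part of the thread or of the PostgreSQL packaging scripts: a small audit that finds `pg_hba.conf` records using `ident`, separating loopback-only TCP entries (the setup described above) from entries that would trust an ident server on a remote client, and noting `local ... ident` lines, which PostgreSQL handles as `peer`. The function name `audit_hba`, the finding labels and the sample file are assumptions made for illustration; the parser is simplified and does not handle quoted fields or include directives.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def _loopback_only(addr):
    # Hostnames, keywords ("all", "samenet") and IPv6 netmask notation fail
    # to parse here and are conservatively reported as not loopback-only.
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return False

def audit_hba(text):
    """Return (lineno, finding) for each pg_hba.conf record that uses ident."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # simplified: no quoted fields
        if len(f) >= 4 and f[0] == "local" and f[3] == "ident":
            findings.append((lineno, "local-ident-is-peer"))
        elif len(f) >= 5 and f[0] in HOST_TYPES:
            # ADDRESS is one CIDR/hostname field, or IP + netmask in two fields
            masked = len(f) >= 6 and _is_ip(f[4])
            method = f[5] if masked else f[4]
            addr = f"{f[3]}/{f[4]}" if masked else f[3]
            if method == "ident":
                scope = "loopback" if _loopback_only(addr) else "remote"
                findings.append((lineno, f"tcp-ident-{scope}"))
    return findings

# Constructed sample, not taken from any real installation.
SAMPLE = """\
# TYPE  DATABASE     USER  ADDRESS                     METHOD
local   all          all                               peer
host    all          all   127.0.0.1/32                ident
host    all          all   ::1/128                     ident
host    all          all   10.0.0.0/8                  ident
host    all          all   127.0.0.1 255.255.255.255   md5
local   replication  all                               ident
"""

if __name__ == "__main__":
    for lineno, finding in audit_hba(SAMPLE):
        print(f"line {lineno}: {finding}")
```
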