Re: Online documentation unclear about authentication defaults

bubblboy wrote:
> Hi,
>
> After following the postgresql tutorial for setting up a postgresql
> server [1] I noticed that I could log in without entering my password.
> The documentation did not tell me this (maybe I overlooked it),
> eventhough it does show you how to create roles with passwords. In my
> opinion it would be a good idea to include a warning like "the default
> installation trusts everybody that can make a connection to the
> database" because it could lead to some (problematic) confusions.
>
> I didn't check extensively in the docs to see if there actually was such
> a warning, particularly because I felt that if there was, it was
> probably not prominent enough (or I would have noticed). Sorry if there
> was indeed a big warning splattered over the tutorial somewhere.

The tutorial indeed neglects warning you about that, but initdb doesn't.
It outputs these lines

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the -A option the
next time you run initdb.


Maybe this is not strong enough, or not scary enough?

--
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support