Re: Can we stop defaulting to 'ident'?

Greetings,

* Christoph Berg (myon@debian.org) wrote:
> Re: Devrim Gündüz 2019-12-20 <77df509da61adaebca6c5f0451f1c1616f1faa45.camel@gunduz.org>
> > > but I think it's pretty unhelpful. At least if we used 'md5' the user could
> > > set passwords and have them actually work.
> >
> > IMHO the only alternative could be "trust", because I am not holding my breath
> > for the majority of our users to be able to setup a password that easily
> > (yeah). I'm also not inclined to setup a default password for RPM installations
> > (and also RPMs must not do any interactive work, like asking for a password)
>
> Fwiw, the Debian packages have been using md5 forever, and do not set
> a password either. People seem to be able to set a password
> themselves. I've never heard any complaint about it. (Except for some
> poking that scram might be better.)

SCRAM is *definitely* better and I strongly support us moving to it,
provided it doesn't break anything existing (which it generally
shouldn't...  but maybe there's some weird edge cases, or possibly older
clients, but still, at some point, we need to move this default to be
SCRAM).

That said- we should be using peer for local unix sockets and SCRAM for
host-based password (local or not...), and ident needs to just die.

Thanks,

Stephen