Re: Successor of MD5 authentication, let's use SCRAM

Stephen Frost wrote:
> * Josh Berkus (josh@agliodbs.com) wrote:
>> Problem is, the fact that setting up SSL correctly is hard is outside of
>> our control.
> 
> Agreed, though the packagers do make it easier..
> 
>> Unless we can give people a "run these three commands on each server and
>> you're now SSL authenticating" script, we can continue to expect the
>> majority of users not to use SSL.  And I don't think that level of
>> simplicity is even theoretically possible.
> 
> The Debian-based packages do quite a bit to ease this pain.  Do the
> other distributions do anything to set up SSL certificates, etc on
> install?  Perhaps they could be convinced to?

This has bit me.

At my work we started a project on Debian, using the 
http://packages.debian.org/squeeze-backports/ version of Postgres 9.1, and it 
included the SSL out of the box, just install that regular Postgres or Pg client 
package and SSL was ready to go.

And now we're migrating to Red Hat for the production launch, using the 
http://www.postgresql.org/download/linux/redhat/ packages for Postgres 9.1, and 
these do *not* include the SSL.

This change has been a pain, as we then disabled SSL when we otherwise would 
have used it.

(Though all database access would be over a private server-server network, so 
the situation isn't as bad as going over the public internet.)

How much trouble would it be to make the 
http://www.postgresql.org/download/linux/redhat/ packages include SSL?

-- Darren Duncan