Re: initdb recommendations
From | Jonathan S. Katz |
---|---|
Subject | Re: initdb recommendations |
Date | |
Msg-id | 6a40441e-c6dc-a707-a034-1a8261b79c33@postgresql.org |
In response to | Re: initdb recommendations (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
Responses | Re: initdb recommendations |
List | pgsql-docs |
On 4/8/19 8:25 AM, Peter Eisentraut wrote:
> On 2019-04-05 18:11, Jonathan S. Katz wrote:
>> + <para>
>> + We recommend using the <option>-W</option>, <option>--pwprompt</option>,
>> + or <option>--pwfile</option> flags to assign a password to the database
>> + superuser, and to override the <filename>pg_hba.conf</filename> default
>> + generation using <option>-auth-local peer</option> for local connections,
>> + and <option>-auth-host scram-sha-256</option> for remote connections. See
>> + <xref linkend="client-authentication"/> for more information on client
>> + authentication methods.
>> + </para>
>
> As discussed on hackers, we are not ready to support scram-sha-256 out
> of the box. So this advice, or any similar advice elsewhere, would need
> to recommend "md5" as the setting --- which would probably be embarrassing.

Well, it's less embarrassing than trust, and we currently state:

"Also, specify -A md5 or -A password so that the default trust
authentication mode is not used"[1]

We could also modify it to say:

"and <option>-auth-host scram-sha-256</option> for remote connections if
your client supports it, otherwise <option>-auth-host md5</option>"

Jonathan

[1] https://www.postgresql.org/docs/current/creating-cluster.html
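Review bot: In the added <para>, the options "<option>-auth-local peer</option>" and "<option>-auth-host scram-sha-256</option>" are written with a single leading dash, while "--pwprompt" and "--pwfile" in the same paragraph use two. initdb spells these long options --auth-local and --auth-host, so the markup should read "<option>--auth-local=peer</option>" and "<option>--auth-host=scram-sha-256</option>" to match what a reader has to type. The phrase "override the pg_hba.conf default generation" also never says what is being overridden; naming trust as the default method, as the existing sentence quoted in the reply does, would make the reason for the recommendation explicit.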