Re: initdb recommendations
| От | Magnus Hagander |
|---|---|
| Тема | Re: initdb recommendations |
| Дата | |
| Msg-id | CABUevEwAyLrcc9-9WVEN=YgHO+knJ-osL0WeoBHenbor7S8+UA@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: initdb recommendations ("Jonathan S. Katz" <jkatz@postgresql.org>) |
| Ответы |
Re: initdb recommendations
|
| Список | pgsql-docs |
On Mon, Apr 8, 2019 at 2:41 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
On 4/8/19 8:25 AM, Peter Eisentraut wrote:
> On 2019-04-05 18:11, Jonathan S. Katz wrote:
>> + <para>
>> + We recommend using the <option>-W</option>, <option>--pwprompt</option>,
>> + or <option>--pwfile</option> flags to assign a password to the database
>> + superuser, and to override the <filename>pg_hba.conf</filename> default
>> + generation using <option>-auth-local peer</option> for local connections,
>> + and <option>-auth-host scram-sha-256</option> for remote connections. See
>> + <xref linkend="client-authentication"/> for more information on client
>> + authentication methods.
>> + </para>
>
> As discussed on hackers, we are not ready to support scram-sha-256 out
> of the box. So this advice, or any similar advice elsewhere, would need
> to recommend "md5" as the setting --- which would probably be embarrassing.
Well, it's less embarrassing than trust, and we currently state:
Yes. Much less.
"Also, specify -A md5 or -A password so that the default trust
authentication mode is not used"[1]
We could also modify it to say :
"and <option>-auth-host scram-sha-256</option> for remote connections if
your client supports it, otherwise <option>-auth-host md5</option>"
That would be the best from a correctness, but if of course also makes things sound more complicated. I'm not sure where the right balance is there.
В списке pgsql-docs по дате отправления: