Re: Is "trust" really a good default?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: "Magnus Hagander" <mha(at)sollentuna(dot)net>, "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Is "trust" really a good default?
Date: 2004-07-15 21:41:33
Message-ID: 3139.1089927693@sss.pgh.pa.us
Lists: pgsql-hackers

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> Magnus Hagander wrote:
>> Certainly, I'm not saying it should change (I've given that up by
>> now). But the difference would be that if you used -W with initdb, it
>> would change the default *for that installation*.

> The fallacy with this line of thought is that it assumes that one
> authentication scheme applies to all ways of connecting.

I think Magnus misspoke by saying that the "default" auth method would
change; there is no default really, and should not be. What he was
proposing was that the initial contents of pg_hba.conf should specify
password rather than trust authentication for local access. This does
not imply anything about non-local access rules, since there are none
in the initial pg_hba.conf file.

I don't really see a problem with doing it that way. People who want to
use -W are presumably worried about the security of their local system,
otherwise they would just fire up the postmaster and set a password
later. So it seems reasonable to assume that they want password auth
on local connections and go ahead and set up the initial state of
pg_hba.conf to do that. (If that isn't what they wanted, they can just
edit pg_hba.conf; they're not any worse off than before.)

There are of course some questions about how to document this
effectively, so that it doesn't create more confusion than it avoids.
But in principle it sounds like reasonable behavior to me.

regards, tom lane
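The point under discussion is which authentication method the initial pg_hba.conf hands to local connections. The following is an added example, not code from this thread or from the PostgreSQL project: a small audit script that parses a pg_hba.conf, reports every rule that still uses `trust` (distinguishing Unix-socket, loopback and remote scope), and rewrites those rules to a password-based method. The sample file is constructed to resemble an initdb-generated pg_hba.conf of that era, and the choice of `md5` as the replacement method is an assumption (the thread speaks of password authentication generically).

```python
"""Audit a pg_hba.conf for 'trust' rules and rewrite them to a password method.

Added example; the sample file below is constructed, not a real installation's.
"""
from typing import List, Tuple

# Constructed sample in the style of an initdb-generated pg_hba.conf.
# Both address syntaxes are present: address + separate netmask, and CIDR.
SAMPLE_HBA = """\
# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
local   all         all                                             trust
host    all         all         127.0.0.1         255.255.255.255   trust
host    all         all         ::1/128                             trust
host    all         all         192.168.1.0/24                      md5
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}


def parse_hba(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, whitespace-split fields) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = raw.partition("#")[0].strip()  # drop comments and blanks
        if code:
            rules.append((lineno, code.split()))
    return rules


def method_of(fields: List[str]) -> str:
    """Return the auth method of one rule, handling both address syntaxes."""
    kind = fields[0]
    if kind == "local":
        # local  DATABASE  USER  METHOD
        return fields[3]
    if kind in HOST_TYPES:
        if "/" in fields[3]:
            # host  DATABASE  USER  ADDR/PREFIX  METHOD
            return fields[4]
        # host  DATABASE  USER  ADDR  NETMASK  METHOD
        return fields[5]
    raise ValueError(f"unknown connection type: {kind!r}")


def is_loopback(addr: str) -> bool:
    """True for IPv4/IPv6 loopback addresses in either syntax."""
    return addr.startswith("127.") or addr == "::1" or addr.startswith("::1/")


def find_trust_rules(text: str) -> List[Tuple[int, str]]:
    """List (line number, scope) for every rule whose method is 'trust'."""
    findings = []
    for lineno, fields in parse_hba(text):
        if method_of(fields) != "trust":
            continue
        if fields[0] == "local":
            findings.append((lineno, "local socket"))
        else:
            scope = "loopback" if is_loopback(fields[3]) else "remote"
            findings.append((lineno, scope))
    return findings


def harden(text: str, method: str = "md5") -> str:
    """Rewrite every 'trust' rule to `method`, keeping comments and layout."""
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        tokens = code.split()
        # 'trust' takes no options, so it is always the last token of a rule.
        if tokens and tokens[-1] == "trust":
            head, _, tail = code.rpartition("trust")
            code = head + method + tail
        out.append(code + sep + comment)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, scope in find_trust_rules(SAMPLE_HBA):
        print(f"line {lineno}: trust authentication on {scope} connections")
    print(harden(SAMPLE_HBA))
```

Run against the constructed sample it flags the Unix-socket rule and both loopback rules, and leaves the `md5` rule for the private network untouched; the rewritten file is what an installation initialised with password authentication for local access would look like.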
