Re: initdb recommendations

On 4/8/19 8:25 AM, Peter Eisentraut wrote:
> On 2019-04-05 18:11, Jonathan S. Katz wrote:
>> + <para>
>> + We recommend using the <option>-W</option>, <option>--pwprompt</option>,
>> + or <option>--pwfile</option> flags to assign a password to the database
>> + superuser, and to override the <filename>pg_hba.conf</filename> default
>> + generation using <option>-auth-local peer</option> for local connections,
>> + and <option>-auth-host scram-sha-256</option> for remote connections. See
>> + <xref linkend="client-authentication"/> for more information on client
>> + authentication methods.
>> + </para>
>
> As discussed on hackers, we are not ready to support scram-sha-256 out
> of the box. So this advice, or any similar advice elsewhere, would need
> to recommend "md5" as the setting --- which would probably be embarrassing.

Well, it's less embarrassing than trust, and we currently state:

"Also, specify -A md5 or -A password so that the default trust
authentication mode is not used"[1]

We could also modify it to say :

"and <option>-auth-host scram-sha-256</option> for remote connections if
your client supports it, otherwise <option>-auth-host md5</option>"

Jonathan

[1] https://www.postgresql.org/docs/current/creating-cluster.html