From: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Pg Docs <pgsql-docs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: initdb recommendations |
Date: | 2019-04-08 12:46:00 |
Message-ID: | 7b0096cc-e285-65f8-5535-ba11dbddeda6@postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-docs pgsql-hackers |
On 4/8/19 8:44 AM, Magnus Hagander wrote:
> On Mon, Apr 8, 2019 at 2:41 PM Jonathan S. Katz <jkatz(at)postgresql(dot)org
> <mailto:jkatz(at)postgresql(dot)org>> wrote:
>
> On 4/8/19 8:25 AM, Peter Eisentraut wrote:
> > On 2019-04-05 18:11, Jonathan S. Katz wrote:
> >> + <para>
> >> + We recommend using the <option>-W</option>,
> <option>--pwprompt</option>,
> >> + or <option>--pwfile</option> flags to assign a password to
> the database
> >> + superuser, and to override the
> <filename>pg_hba.conf</filename> default
> >> + generation using <option>-auth-local peer</option> for
> local connections,
> >> + and <option>-auth-host scram-sha-256</option> for remote
> connections. See
> >> + <xref linkend="client-authentication"/> for more
> information on client
> >> + authentication methods.
> >> + </para>
> >
> > As discussed on hackers, we are not ready to support scram-sha-256 out
> > of the box. So this advice, or any similar advice elsewhere,
> would need
> > to recommend "md5" as the setting --- which would probably be
> embarrassing.
>
> Well, it's less embarrassing than trust, and we currently state:
>
>
> Yes. Much less.
>
>
> "Also, specify -A md5 or -A password so that the default trust
> authentication mode is not used"[1]
>
> We could also modify it to say :
>
> "and <option>-auth-host scram-sha-256</option> for remote connections if
> your client supports it, otherwise <option>-auth-host md5</option>"
>
>
> That would be the best from a correctness, but if of course also makes
> things sound more complicated. I'm not sure where the right balance is
> there.
We could link here[1] from the docs on the line for "client supports it"
Jonathan
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2019-04-08 20:09:07 | Re: Update to equivalent SQL in 8.1.4. Serial Types |
Previous Message | Magnus Hagander | 2019-04-08 12:44:03 | Re: initdb recommendations |
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2019-04-08 12:49:05 | Re: change password_encryption default to scram-sha-256? |
Previous Message | Magnus Hagander | 2019-04-08 12:44:03 | Re: initdb recommendations |