> > This has been hanging around for a while. I guess the reason it hasn't
> > got much attention is that on its own it's not terribly useful.
> > However, when you consider that it's a sensible prelude to setting a
> > more secure default for auth in initdb (I'd strongly advocate
> > SCRAM-SHA-256 for that) it takes on much more significance.
>
> I'm all for improving the default for auth in initdb, but why wouldn't
> that be peer auth first, followed by SCRAM..? If that's what you're
> suggesting then great, but that wasn't very clear from the email text,
> at least.

What this is suggesting is in effect, for the db owner only and only on
a Unix domain socket, peer auth falling back to whatever is in the hba
file. That makes setting something like scram-sha-256 as the default
more practicable. If we don't do something like this then changing the
default could cause far more disruption than our users might like.

> I've not done more than glanced at the patch.

That might pay dividends :-)

cheers

andrew

--
Andrew Dunstan                https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services