On 4/8/19 8:25 AM, Peter Eisentraut wrote: > On 2019-04-05 18:11, Jonathan S. Katz wrote: >> + <para> >> + We recommend using the <option>-W</option>, >> <option>--pwprompt</option>, >> + or <option>--pwfile</option> flags to assign a password to the >> database >> + superuser, and to override the <filename>pg_hba.conf</filename> >> default >> + generation using <option>-auth-local peer</option> for local >> connections, >> + and <option>-auth-host scram-sha-256</option> for remote connections. >> See >> + <xref linkend="client-authentication"/> for more information on client >> + authentication methods. >> + </para> > > As discussed on hackers, we are not ready to support scram-sha-256 out > of the box. So this advice, or any similar advice elsewhere, would need > to recommend "md5" as the setting --- which would probably be embarrassing.
Well, it's less embarrassing than trust, and we currently state: "Also, specify -A md5 or -A password so that the default trust authentication mode is not used"[1] We could also modify it to say : "and <option>-auth-host scram-sha-256</option> for remote connections if your client supports it, otherwise <option>-auth-host md5</option>" Jonathan [1] https://www.postgresql.org/docs/current/creating-cluster.html
signature.asc
Description: OpenPGP digital signature
