We use it. Do you have an alternative that doesn't lower security
besides Kerberos? Anti-ident arguments are straw man arguments - "If
you setup identd badly or don't trust remote root or your network,
ident sucks as an authentication mechanism".
Actually, you're trusting that nobody can add their own machine as a
node on your network. All someone has to do is plug their linux laptop
into a network cable in your office and they have free access to the
database.
Ident is great as you don't have to lower security by dealing with
keys on the client system (more management headaches == lower
security), or worry about those keys being reused by accounts that
shouldn't be reusing them. Please don't deprecate it unless there is
an alternative. And if you are a pg_pool or pgbouncer maintainer,
please consider adding support :)
I don't think anyone is talking about eliminating it, just
distinguishing ident-over-TCP from unix-socket-same-user, which are
really two different authentication mechanisms.
HOWEVER, I can't see any way of doing this which wouldn't cause a
significant amount of backwards-compatibility confusion. Given that
users can distinguish between local and TCP ident in pg_hba.conf already
(and the default pg_hba.conf does) it is worth the confusion it will cause?
--
-- Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
