Re: Online documentation unclear about authentication defaults

[Alvaro Herrera <alvherre(at)commandprompt(dot)com>]

bubblboy wrote:
> Hi,
> 
> After following the postgresql tutorial for setting up a postgresql 
> server [1] I noticed that I could log in without entering my password. 
> The documentation did not tell me this (maybe I overlooked it), 
> eventhough it does show you how to create roles with passwords. In my 
> opinion it would be a good idea to include a warning like "the default 
> installation trusts everybody that can make a connection to the 
> database" because it could lead to some (problematic) confusions.
> 
> I didn't check extensively in the docs to see if there actually was such 
> a warning, particularly because I felt that if there was, it was 
> probably not prominent enough (or I would have noticed). Sorry if there 
> was indeed a big warning splattered over the tutorial somewhere.

The tutorial indeed neglects warning you about that, but initdb doesn't.
It outputs these lines

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the -A option the
next time you run initdb.


Maybe this is not strong enough, or not scary enough?

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support