Bruce Momjian <pgman@candle.pha.pa.us> writes:
> If they supply a password to initdb, shouldn't we then require a
> password in pg_hba.conf.
We could, but I'm a bit disturbed about the issues of documenting two
fundamentally different out-of-the-box behaviors. The ensuing confusion
might be worse than the existing problem. (For instance, I can see
people expecting that if they assign the superuser a password later,
they should magically arrive at the same security state as if they'd
done it at initdb time.)
We'd also have some issues with the distributions that override the
default local auth method to be IDENT --- how would this interact
with that choice? (Note that the RPMs have completely failed to
document this change, which doesn't make me any happier.)
The bottom line to my mind is that if there were a one-size-fits-all
authentication solution, we'd not have so many to choose from. I don't
think we are doing DBAs any service by pretending that they might not
need to think about their choice of auth method. I could make a good
case that the initial entry ought to be REJECT, so that you get nothing
at all until you've adjusted pg_hba.conf ...
regards, tom lane