> I think the original point was that some people use the same or related
> passwords for psql as for their login password.
Well, you can't expect the pedestrians out here to remember to different
passwords. The fact that pgsql passwords are all lowercase makes this kind
of tough though. So, then you have the option of storing passwords in
plain readable to the db admin, which is unacceptable, or storing no
password at all which leaves you with ident.
Also, when you use things like PHP or run scripts/programs from cron, you
can't really have people enter a password. Hardcoding passwords seems to
be suggested by a lot of people, but that's ridiculous.
I think what many people discussed about separating the authentication
method into a compile-time option would be a good idea. Then the admin can
decide whether to use the current system, SSL, ssh(?), PAM, whatever.
Perhaps that would also take some load of the developers who would
probably much rather develop a DBMS than authentication systems.
I've posted this a while ago on one of the general lists, about whether
there is a PAM-enabling patch available, but evidently I got the answer
here. :(
--
Peter Eisentraut
PathWay Computing, Inc.