Hi,

With version 10, pgsql comes with a new auth method called
scram-sha-256.
https://www.postgresql.org/docs/10/static/auth-methods.html#AUTH-PASSWORD

I think we should advise users to pick that one rather than md5. In the
upgrade part, the user has to copy the pg_hba.conf and this file lists
the auth method. Luckily there's no need to sed it, because according
to the docs:

> To ease transition from the md5 method to the newer SCRAM method, if
> md5 is specified as a method in pg_hba.conf but the user's password
> on the server is encrypted for SCRAM (see below), then SCRAM-based
> authentication will automatically be chosen instead.

The other thing is that iiuc, the library has to support this new
auth method but this should affect only the superuser and the
superuser shouldn't be used by any application directly so I think it's
fine.


What do you think?

Cheers,
Daniel


Index: Makefile
===================================================================
RCS file: /cvs/ports/databases/postgresql/Makefile,v
retrieving revision 1.240
diff -u -p -r1.240 Makefile
--- Makefile    6 Sep 2018 19:08:59 -0000       1.240
+++ Makefile    15 Sep 2018 02:11:11 -0000
@@ -17,7 +17,7 @@ PKGNAME-contrib=postgresql-contrib-${VER
 PKGNAME-plpython=postgresql-plpython-${VERSION}
 PKGNAME-pg_upgrade=postgresql-pg_upgrade-${VERSION}
 REVISION-main= 0
-REVISION-server=1
+REVISION-server=2
 
 CATEGORIES=    databases
 SHARED_LIBS=   ecpg            7.9 \
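Review bot: the bump to REVISION-server=2 is consistent with the only change being in pkg/README-server, which belongs to the server subpackage; leaving REVISION-main at 0 is correct since nothing in the main subpackage changes. Nothing further needed in this hunk.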
Index: pkg/README-server
===================================================================
RCS file: /cvs/ports/databases/postgresql/pkg/README-server,v
retrieving revision 1.24
diff -u -p -r1.24 README-server
--- pkg/README-server   4 Sep 2018 12:46:10 -0000       1.24
+++ pkg/README-server   15 Sep 2018 02:11:11 -0000
@@ -14,17 +14,17 @@ initialized using the initdb command.
 
 If you are installing PostgreSQL for the first time, you have to create
 a default database first.  In the following example we install a database
-in /var/postgresql/data with a dba account 'postgres' and md5 authentication.
-We will be prompted for a password to protect the dba account:
+in /var/postgresql/data with a dba account 'postgres' and scram-sha-256
+authentication. We will be prompted for a password to protect the dba account:
 
        # su - _postgresql
        $ mkdir /var/postgresql/data
-       $ initdb -D /var/postgresql/data -U postgres -A md5 -W
+       $ initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -W
 
 Please note that by default the cluster's encoding will be SQL_ASCII. If
 you want to have another default encoding, use the option -E with initdb:
 
-       $ initdb -D /var/postgresql/data -U postgres -E UTF8 -A md5 -W
+       $ initdb -D /var/postgresql/data -U postgres -E UTF8 -A scram-sha-256 -W
 
 If your cluster is already created, you can specify another encoding when
 you create a new database with this command:
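Review bot: the first-time install text now recommends scram-sha-256 but says nothing about the client side, which the cover mail itself raises: a client library or driver without SCRAM support cannot authenticate a role whose password is stored in SCRAM form. Suggest one sentence after the initdb example, along the lines of "Clients connecting with a password need a libpq or driver that supports SCRAM (libpq from PostgreSQL 10 or newer)."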
@@ -129,7 +129,8 @@ to the current version.
 
 5) Create a new data directory (adding -E UTF8 to the initdb line if needed):
 # su _postgresql -c "mkdir /var/postgresql/data"
-# su _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -W"
+# su _postgresql -c \
+    "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -W"
 
 6) Restore your old pg_hba.conf and (if used) SSL certificates
 # su _postgresql -c \
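Review bot: step 5 now runs initdb with -A scram-sha-256, but step 6 immediately restores the old pg_hba.conf, and the dump loaded in the later steps carries the existing roles' password hashes exactly as they were in the old cluster (including the superuser's, which replaces the password set here with -W). The -A option therefore only governs the freshly generated pg_hba.conf that step 6 overwrites. The README should say that existing roles keep md5 hashes until their passwords are re-set with password_encryption = scram-sha-256; only then does the md5-to-SCRAM fallback quoted in the mail apply to them.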
@@ -151,7 +152,7 @@ Option 2: pg_upgrade
 
 This will work for an upgrade from the previous major version of
 PostgreSQL supported by OpenBSD to the current version, and should be
-faster than a dump and reload, especially for large databases. 
+faster than a dump and reload, especially for large databases.
 
 1) Shutdown the server:
 # rcctl stop postgresql
@@ -164,7 +165,8 @@ faster than a dump and reload, especiall
 
 4) Create a new data directory (adding -E UTF8 to the initdb line if needed):
 # su _postgresql -c "mkdir /var/postgresql/data"
-# su _postgresql -c "initdb -D /var/postgresql/data -U postgres -A md5 -W"
+# su _postgresql -c \
+    "initdb -D /var/postgresql/data -U postgres -A scram-sha-256 -W"
 
 5) Restore your old pg_hba.conf and (if used) SSL certificates
 # su _postgresql -c \
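Review bot: same issue as in the dump-and-reload section: pg_upgrade carries the old cluster's roles and their password hashes over unchanged, so -A scram-sha-256 in step 4 only affects the freshly written pg_hba.conf, which step 5 then replaces with the restored copy. Suggest adding a note that existing roles remain on md5 until their passwords are re-set with password_encryption = scram-sha-256, otherwise the md5 entries in the restored pg_hba.conf keep authenticating those roles with md5.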

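An added example, not part of Daniel's mail or the port: the md5-to-SCRAM fallback quoted above only triggers for roles whose stored password is already a SCRAM verifier, so after a restore or pg_upgrade it is worth checking which roles still carry md5 hashes and switching password_encryption before re-setting them (app_user is a placeholder role name).

```sql
-- List login roles by the format of their stored password verifier.
-- In PostgreSQL 10, md5 hashes start with 'md5' and SCRAM verifiers
-- with 'SCRAM-SHA-256$'. pg_authid is readable by superusers only.
SELECT rolname,
       CASE
         WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
         WHEN rolpassword LIKE 'md5%'            THEN 'md5'
         WHEN rolpassword IS NULL                THEN 'none'
         ELSE 'other'
       END AS password_format
FROM pg_authid
WHERE rolcanlogin
ORDER BY rolname;

-- Store SCRAM verifiers for every password set from now on
-- (server-wide setting, takes effect after a reload).
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();

-- Re-setting a role's password under that setting replaces its md5 hash
-- with a SCRAM verifier; an 'md5' line in pg_hba.conf then negotiates
-- SCRAM for that role automatically. app_user is a placeholder.
ALTER ROLE app_user PASSWORD 'new-password';
```

Re-run the first query afterwards; any role still reported as md5 has not had its password re-set and will continue to authenticate with md5.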