Re: postgres "on in the internet" - Mailing list pgsql-general

From Daniel Martini
Subject Re: postgres "on in the internet"
Msg-id 1094203967.41383a3f63131@webmail.uni-hohenheim.de
In response to postgres "on in the internet"  ("Po Eddie Lim" <eddiepo@ntsp.nec.co.jp>)
List pgsql-general
Hi,

Citing Paul Tillotson <pntil@shentel.net>:
> At my company we are looking at deploying clients for our client/server
> app outside our firewall, which will then require our postgres box to be
> internet-accessible.
>
> Does anyone out there have experience with this or recommended best
> practices?
> We have been looking at either
> (a) tunnelling everything over ssh, or

This, implementing a VPN, or using the built-in SSL support in
PostgreSQL is the way to go, because *everything* that goes through
the channel will be encrypted. With SSL you have the additional benefit
of being able to guarantee the identity of the server.
The information in the source code distribution in
src/backend/libpq/README.SSL
might prove useful to make your decision.

> (b) just making sure that users have "strong" passwords and
> requiring "md5" authentication in pg_hba.conf.

Too weak, IMHO. md5 is there to protect the password data stored
in the database, not the password transmission (someone already
mentioned TCP replay attacks).

Regards,
Daniel

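The distinction Daniel draws between option (a) and option (b) comes down to one column of pg_hba.conf: a rule of type `host` matches both SSL and non-SSL TCP connections, so `md5` there only decides how the password is checked, not whether the wire is encrypted; a rule of type `hostssl` matches SSL connections only. The following is an added example, not code from the thread or from the PostgreSQL project: a small Python linter that reads a pg_hba.conf and flags network rules that would let a client authenticate, and then run queries, over a possibly unencrypted connection. The sample configuration is constructed for the example; the `host`/`hostssl`/`hostnossl`/`local` types, the `trust`/`password`/`md5`/`reject` methods and the old two-column "address netmask" form are real pg_hba.conf syntax.

```python
"""Lint a pg_hba.conf for rules that allow password authentication
over a TCP connection that is not required to be SSL-encrypted."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample pg_hba.conf (not taken from the original thread).
SAMPLE_HBA = """\
# TYPE      DATABASE  USER  ADDRESS                  METHOD
local       all       all                            md5
host        all       all   127.0.0.1/32             md5
host        all       all   0.0.0.0/0                md5        # option (b): md5 over plain TCP
host        all       all   10.0.0.0    255.0.0.0    password
hostssl     all       all   0.0.0.0/0                md5        # SSL required for this rule to match
hostnossl   all       all   0.0.0.0/0                reject
"""

NETWORK_TYPES = {"host", "hostssl", "hostnossl"}
CLEARTEXT_METHODS = {"password"}   # password is sent unhashed
NO_AUTH_METHODS = {"trust"}        # no credential checked at all
_DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

Rule = Tuple[str, str, str, str, str]      # type, database, user, address, method
Finding = Tuple[int, str, str]             # line number, severity, message


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; hostnames and keywords count as non-loopback."""
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return False


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one pg_hba.conf line; return None for blanks, comments and unknown types."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if fields[0] == "local":                      # Unix-socket rule: no address column
        return ("local", fields[1], fields[2], "", fields[3]) if len(fields) >= 4 else None
    if fields[0] not in NETWORK_TYPES or len(fields) < 5:
        return None
    addr, rest = fields[3], fields[4:]
    # Old two-column "IP netmask" address form: fold it into CIDR-style "IP/netmask".
    if _DOTTED_QUAD.match(addr) and rest and _DOTTED_QUAD.match(rest[0]):
        addr, rest = f"{addr}/{rest[0]}", rest[1:]
    if not rest:
        return None
    return (fields[0], fields[1], fields[2], addr, rest[0])


def lint_hba(text: str) -> List[Finding]:
    """Return findings for rules reachable from the network without mandatory SSL."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        typ, _db, _user, addr, method = rule
        if typ == "local" or method == "reject":
            continue
        if method in NO_AUTH_METHODS:
            findings.append((lineno, "critical", f"{typ} rule with 'trust': no authentication at all"))
            continue
        if typ == "hostssl" or _is_loopback(addr):
            continue                              # SSL enforced, or not reachable from the network
        if method in CLEARTEXT_METHODS:
            findings.append((lineno, "critical",
                             f"'{method}' sends the password in the clear on a connection that need not be SSL"))
        else:
            findings.append((lineno, "warning",
                             f"'{typ}' rule with '{method}': SSL is optional here, so the whole session "
                             f"can cross the network unencrypted; use 'hostssl' (or tunnel/VPN)"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in lint_hba(SAMPLE_HBA):
        print(f"line {lineno} [{severity}]: {message}")
```

Run against the sample, the loopback and `hostssl` rules pass, the `hostnossl ... reject` rule is fine (it only turns non-SSL clients away), and the two internet-facing `host` rules are flagged. Requiring `hostssl` is what makes the server refuse a client that negotiates no SSL; whether the client in turn verifies the server certificate, which is the server-identity guarantee Daniel mentions, is a client-side setting that this linter does not see.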