Re: Proposed patch for key managment - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Proposed patch for key managment
Date
Msg-id 20201211182121.GF13515@momjian.us
Whole thread Raw
In response to Re: Proposed patch for key managment  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers
On Fri, Dec 11, 2020 at 01:01:14PM -0500, Bruce Momjian wrote:
> On Wed, Dec  9, 2020 at 08:40:50PM -0500, Bruce Momjian wrote:
> > My next task is to write a script for Yubikey authentication.
> 
> I know Craig Ringer wanted Yubikey support, which allows two-factor
> authentication, so I have added it to the most recent patch by adding a
> cluster_passphrase_command %d/directory parameter:
> 
>     https://github.com/postgres/postgres/compare/master...bmomjian:key.diff
> 
> You can also store the PIN in a file, so you don't need a PIN to be
> entered by the user for each server start.

Here is the output without requiring a PIN;  attached is the script used:

    ++ initdb -K 256 -R -c '/u/postgres/tmp/pass_yubi_nopin.sh "%d"'
    The files belonging to this database system will be owned by user "postgres".
    This user must also own the server process.
    
    The database cluster will be initialized with locale "en_US.UTF-8".
    The default database encoding has accordingly been set to "UTF8".
    The default text search configuration will be set to "english".
    
    Data page checksums are disabled.
    Cluster file encryption is enabled.
    
    fixing permissions on existing directory /u/pgsql/data ... ok
    creating subdirectories ... ok
    selecting dynamic shared memory implementation ... posix
    selecting default max_connections ... 100
    selecting default shared_buffers ... 128MB
    selecting default time zone ... America/New_York
    creating configuration files ... ok
    running bootstrap script ... engine "pkcs11" set.
    
    WARNING:  The Yubikey can be locked and require a reset if too many pin
    attempts fail.  It is recommended to run this command manually and save
    the passphrase in a secure location for possible recovery.
    engine "pkcs11" set.
    ok
    performing post-bootstrap initialization ... engine "pkcs11" set.
    ok
    syncing data to disk ... ok
    
    initdb: warning: enabling "trust" authentication for local connections
    You can change this by editing pg_hba.conf or using the option -A, or
    --auth-local and --auth-host, the next time you run initdb.
    
    Success. You can now start the database server using:
    
        pg_ctl -D /u/pgsql/data -l logfile start
    
    ++ pg_ctl -R -l /u/pg/server.log start
    waiting for server to start... done
    server started
    ++ pg_altercpass -R '/u/postgres/tmp/pass_yubi_nopin.sh "%d"' '/u/postgres/tmp/pass_yubi_nopin.sh "%d"'
    engine "pkcs11" set.
    engine "pkcs11" set.
    
    WARNING:  The Yubikey can be locked and require a reset if too many pin
    attempts fail.  It is recommended to run this command manually and save
    the passphrase in a secure location for possible recovery.
    engine "pkcs11" set.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee


Attachment

pgsql-hackers by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: Allow CLUSTER, VACUUM FULL and REINDEX to change tablespace on the fly
Next
From: Pavel Stehule
Date:
Subject: Re: Rethinking plpgsql's assignment implementation