Re: Password complexity/history - credcheck? - Mailing list pgsql-general

From Laurenz Albe
Subject Re: Password complexity/history - credcheck?
Date
Msg-id 430fce74e2461f26e01ba5ea7ae586b44365894d.camel@cybertec.at
Whole thread Raw
In response to Re: Password complexity/history - credcheck?  (Martin Goodson <kaemaril@googlemail.com>)
List pgsql-general
On Sun, 2024-06-23 at 14:14 +0100, Martin Goodson wrote:
> On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:
> > My advice would be to not use secrets stored in the database -
> > that is, do not use scram-sha-256 - but use an external authentication
> > system, like Kerberos (might be AD) or LDAP (might also be AD) and have
> > that managed by the security team: that way all these compliance
>
> Crikey, that would be  quite a lot of  lot of SSL/TLS to set up. We have quite a
> few (massive understatement :( ... ) PostgreSQL database clusters spread over 
> quite a lot (another understatement) of VMs.
>
> The last time I suggested LDAP there was a lot of enthusiasm ... until they went
> down and looked at what might have to be done, after which it all became very quiet ...

Yes, LDAP is not perfect for that - for one, every connection to the database would
also hit the LDAP server.

Kerberos or certificate authentication is probably better.

For many PostgreSQL clusters and clients, that might be a lot of work.
But not all your PostgreSQL databases will contain equally sensitive data.
You could start with the important ones, try to automatize as much as possible,
and roll out the changes over time.

Yours,
Laurenz Albe



pgsql-general by date:

Previous
From: Kashif Zeeshan
Date:
Subject: Re: Stack Smashing Detected When Executing initdb
Next
From: Laurenz Albe
Date:
Subject: Re: Upgrade PG from 12 to latest