Re: .pgpass and root: a problem - Mailing list pgsql-general

From Scott Mead
Subject Re: .pgpass and root: a problem
Msg-id CAKq0gvLCMGe7AuU1OHm2oukA__baLQVrHsurk+TpxOx4Gac2zg@mail.gmail.com
In response to .pgpass and root: a problem  (Shaun Thomas <sthomas@optionshouse.com>)
Responses Re: .pgpass and root: a problem  (Michael Nolan <htfoot@gmail.com>)
List pgsql-general
On Tue, Feb 5, 2013 at 12:15 PM, Shaun Thomas <sthomas@optionshouse.com> wrote:

> Hey folks,
>
> We're wanting to implement a more secure password policy, and so have
> considered switching to LDAP/Active Directory for passwords. Normally, this
> would be fine, but for two things:
>
> 1. Tons of our devs use .pgpass files to connect everywhere.
> 2. Several devs have root access to various environments.
>

I would love to see pgpass storing encrypted stuff here, that'd be great...
in the meantime...

Is there any way that you could move your 'root-fellas' to a 'sudo' model
so that they can have *most* of what they need, without allowing identity
switches?  I was trying to come up with something clever, but if they're
root, they're root.

--Scott Mead
scottm@openscg.com
http://www.openscg.com



>
> So, by switching from database-stored passwords to LDAP, we open a
> security problem that currently only affects the database, to developers'
> personal LDAP password, which is the key to every service and machine they
> use in the company.
>
> Unfortunately I can't see any way around this at all. Ident won't really
> work on remote systems, .pgpass isn't encrypted, and you can't use
> encrypted/hashed password entries either.
>
> I agree that we should probably have our root access much more locked down
> than it is, but it's still a valid problem. I don't think I'd even want a
> restricted set of root users able to see my LDAP password in plain text.
>
> Has anyone put thought into combining LDAP and .pgpass, or has it simply
> been abandoned every time the issue has presented itself?
>
> Thanks in advance!
>
> --
> Shaun Thomas
> OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
> 312-676-8870
> sthomas@optionshouse.com
>
> ________________________________________________
>
> See http://www.peak6.com/email_disclaimer/ for terms and conditions related
> to this email
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>
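The point both posters circle is that .pgpass is a plain-text file whose only protection is its file mode, which root ignores. The following Python script is an added example, not code from this thread or from PostgreSQL: it parses the .pgpass format as libpq documents it (hostname:port:database:username:password, '#' comments, ':' and '\' escaped with a backslash) and audits a file the way a defender reviewing developer accounts would, flagging modes that libpq would reject (group/world access) and wildcard entries that widen a credential's reach. The file contents and path in `demo()` are constructed for the example; the 0600 rule it checks is libpq's own, and as the thread notes it does nothing against root.

```python
"""Parse and audit libpq .pgpass files (added example, not PostgreSQL code)."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PgpassEntry:
    hostname: str
    port: str
    database: str
    username: str
    password: str
    line_no: int


def split_pgpass_line(line: str) -> List[str]:
    """Split one .pgpass line on unescaped colons, unescaping '\\:' and '\\\\'."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])  # escaped ':' or '\' is part of the field
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_pgpass(text: str) -> List[PgpassEntry]:
    """Return the credential entries in .pgpass text; comments and blanks are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = split_pgpass_line(line)
        if len(fields) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(fields)}")
        entries.append(PgpassEntry(*fields, line_no=n))
    return entries


def audit_pgpass(path: str) -> Dict[str, object]:
    """Audit a .pgpass file: lax mode (libpq requires no group/other bits) and wildcards."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"mode {oct(mode)} allows group/other access; libpq will ignore the file")
    with open(path, encoding="utf-8") as fh:
        entries = parse_pgpass(fh.read())
    for e in entries:
        wild = [name for name, value in (("hostname", e.hostname), ("port", e.port),
                                         ("database", e.database), ("username", e.username))
                if value == "*"]
        if wild:
            findings.append(f"line {e.line_no}: wildcard in {', '.join(wild)} widens this password's reach")
    return {"mode": mode, "entries": len(entries), "findings": findings}


# Constructed sample file contents; the password with escaped ':' and '\' exercises the parser.
SAMPLE_PGPASS = (
    "# dev workstation\n"
    "db1.example.internal:5432:app:dev:s3cret\n"
    "*:*:*:dev:p\\:w\\\\d\n"
)


def demo() -> Dict[str, Dict[str, object]]:
    """Write the sample to a temp file, audit it at 0644 and again at 0600."""
    fd, path = tempfile.mkstemp(prefix="pgpass-audit-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PGPASS)
        os.chmod(path, 0o644)
        lax = audit_pgpass(path)
        os.chmod(path, 0o600)
        strict = audit_pgpass(path)
    finally:
        os.unlink(path)
    return {"lax": lax, "strict": strict}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run it against a real ~/.pgpass by calling `audit_pgpass(os.path.expanduser("~/.pgpass"))`; the wildcard finding is the one worth acting on, since a `*:*:*:user:password` line means a single copied file unlocks every host that user can reach.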
