Re: .pgpass and root: a problem - Mailing list pgsql-general

From Scott Marlowe
Subject Re: .pgpass and root: a problem
Msg-id CAOR=d=3N8exzo4We0EOy59Z9-aP9M93qhvFvF9ei30+uXGFQ5Q@mail.gmail.com
In response to Re: .pgpass and root: a problem  ("Joshua D. Drake" <jd@commandprompt.com>)
List pgsql-general
On Tue, Feb 5, 2013 at 11:53 AM, Joshua D. Drake <jd@commandprompt.com> wrote:
>
> On 02/05/2013 10:44 AM, Scott Marlowe wrote:
>>
>>
>> On Tue, Feb 5, 2013 at 10:15 AM, Shaun Thomas <sthomas@optionshouse.com>
>> wrote:
>>>
>>> Hey folks,
>>>
>>> We're wanting to implement a more secure password policy, and so have
>>> considered switching to LDAP/Active Directory for passwords. Normally,
>>> this would be fine, but for two things:
>>>
>>> 1. Tons of our devs use .pgpass files to connect everywhere.
>>> 2. Several devs have root access to various environments.
>>
>>
>> Stop.  If you want secure setups you don't hand out root access to
>> lots of people.  Trying to then make it secure is like closing the
>> barn door after the horse has left.
>
>
> I think this is a naive response Scott although I must admit it was my gut
> reaction as well. The reality is we shouldn't store a plain text password.
> At a minimum it should be hashed. That part of the problem is really on us,
> regardless if it is a bad idea to hand out root.
>
> Now it is true that if they can't trust their devs with this problem, those
> devs shouldn't have root but that is a business policy problem whereas ours
> is an actual security issue.

I wasn't arguing against his other points.  I was making the point
that until he secures root any attempts at security are security
theatre.  I agree with your points to an extent, but the whole
securing passwords thing is a really big issue.  The real question to
ask is what attack vector are you trying to stop?  If I've got root on
the db server or the server with the passwords I've already won.
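The thread turns on two concrete facts about .pgpass: every entry is a plaintext secret, and libpq only honours the file when group and others have no permission bits. As an added example (not code from this thread or from PostgreSQL), the Python below parses the libpq .pgpass format (hostname:port:database:username:password, '#' comments, '*' wildcards, backslash-escaped ':' and '\'), resolves which password a given connection would pick up (first matching line wins, as libpq does), and audits a file for the mode libpq requires and for wildcard entries that let one secret unlock many targets. The sample file contents are constructed; the function and field names are this example's own.

```python
"""Audit a libpq .pgpass file (added example, not PostgreSQL code).

Format: hostname:port:database:username:password, one entry per line.
'#' starts a comment, '*' in any of the first four fields matches anything,
a backslash escapes ':' or '\\' inside a field, and the first matching line
wins. libpq ignores the file unless group and others have no permission
bits (mode 0600 or tighter).
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class PgpassEntry:
    hostname: str
    port: str
    database: str
    username: str
    password: str


def parse_pgpass_line(line: str) -> Optional[PgpassEntry]:
    """Parse one line; None for blank, comment or malformed (fewer than 5 fields) lines."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # escaped ':' or '\' is taken literally
            i += 2
            continue
        if ch == ":" and len(fields) < 4:
            fields.append("".join(cur))  # field separator
            cur = []
        else:
            cur.append(ch)               # after four separators, ':' belongs to the password
        i += 1
    fields.append("".join(cur))
    if len(fields) != 5:
        return None
    return PgpassEntry(*fields)


def parse_pgpass(text: str) -> List[PgpassEntry]:
    entries = [parse_pgpass_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def lookup_password(entries: Sequence[PgpassEntry], hostname: str, port: str,
                    database: str, username: str) -> Optional[str]:
    """Return the password libpq would use: first matching line, '*' matches anything."""
    wanted = (hostname, port, database, username)
    for e in entries:
        patterns = (e.hostname, e.port, e.database, e.username)
        if all(p == "*" or p == v for p, v in zip(patterns, wanted)):
            return e.password
    return None


def mode_is_acceptable(mode: int) -> bool:
    """libpq refuses the file if group or others have any permission bits."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_pgpass_text(text: str, mode: int) -> dict:
    """Summarise exposure: every entry is a plaintext secret; wildcards widen its reach."""
    entries = parse_pgpass(text)
    broad = [e for e in entries if "*" in (e.hostname, e.username)]
    return {
        "mode_ok": mode_is_acceptable(mode),
        "plaintext_secrets": len(entries),
        "broad_entries": len(broad),
    }


def audit_pgpass(path: str) -> dict:
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_pgpass_text(text, stat.S_IMODE(st.st_mode))


# Constructed sample content for the example; not a real credential file.
SAMPLE = r"""# constructed sample
db1.example.internal:5432:appdb:app_user:s3cr3t
*:*:*:deploy:pa\:ss\\word
"""

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".pgpass", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o600)
    print(audit_pgpass(tmp.name))   # mode_ok True, 2 plaintext secrets, 1 broad entry
    os.unlink(tmp.name)
```

The second sample line is the case the thread worries about: a wildcard host and database with a fixed user means whoever can read that one line (anyone with root, or anyone if the mode is too loose) holds a credential for every server that user is known on. Running the audit across home directories gives a quick inventory of how many such secrets exist before deciding whether the root-access policy or the password policy is the thing to change first.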
