Re: Password complexity/history - credcheck?

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Laurenz Albe <[email protected]>
To: Martin Goodson <[email protected]>
To: Christoph Moench-Tegeder <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: Password complexity/history - credcheck?
Date: Mon, 24 Jun 2024 10:20:56 +0200
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>
	<[email protected]>

On Sun, 2024-06-23 at 14:14 +0100, Martin Goodson wrote:
> On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:
> > My advice would be to not use secrets stored in the database -
> > that is, do not use scram-sha-256 - but use an external authentication
> > system, like Kerberos (might be AD) or LDAP (might also be AD) and have
> > that managed by the security team: that way all these compliance
> 
> Crikey, that would be  quite a lot of  lot of SSL/TLS to set up. We have quite a
> few (massive understatement :( ... ) PostgreSQL database clusters spread over 
> quite a lot (another understatement) of VMs.
> 
> The last time I suggested LDAP there was a lot of enthusiasm ... until they went
> down and looked at what might have to be done, after which it all became very quiet ...

Yes, LDAP is not perfect for that - for one, every connection to the database would
also hit the LDAP server.

Kerberos or certificate authentication is probably better.

For many PostgreSQL clusters and clients, that might be a lot of work.
But not all your PostgreSQL databases will contain equally sensitive data.
You could start with the important ones, try to automatize as much as possible,
and roll out the changes over time.

Yours,
Laurenz Albe

view thread (9+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Password complexity/history - credcheck?
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox