public inbox for [email protected]  
From: raphi <[email protected]>
To: Greg Sabino Mullane <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: password rules
Date: Wed, 25 Jun 2025 08:14:48 +0200
Message-ID: <[email protected]>
In-Reply-To: <CAKAnmmLXLZT=UcTkHrU51Xm65ceQrT7ZCNXNHSRJS10zr7JRrw@mail.gmail.com>
References: <[email protected]>
	<[email protected]>
	<[email protected]>
	<CAKAnmmLXLZT=UcTkHrU51Xm65ceQrT7ZCNXNHSRJS10zr7JRrw@mail.gmail.com>

On 25.06.2025 at 01:20, Greg Sabino Mullane wrote:
> On Mon, Jun 23, 2025 at 2:45 PM raphi <[email protected]> wrote:
>
>     As of now though we cannot use PG for any PCI/DSS certified
>     application because we can't enforce either complexity or regular
>     password changes,
>
>
> You can, and many, many companies do, but you need a modern auth 
> system like Kerberos. Even if we were to put something into Postgres 
> today (and given the MFA and re-use requirements, it's near 
> impossible), PCI DSS keeps evolving and getting stricter, so keeping 
> up with it would get harder with each release.
>
>     Can I do something to help bring these features into PG? My C
>     knowledge is very limited so I won't be able to provide a patch,
>     but I'd be more than happy to test it.
>
>
> Your energy would be much better used in bringing Kerberos into your 
> organization. :)
>
Well, as said, we have LDAP and IAM widely in use for everything except 
database access. It's the IAM part that's making it difficult for us to 
implement it for PG application/user roles; this wouldn't change by 
using Kerberos instead of LDAP. I thought we'd get the exception from 
our security team to use IAM roles instead of physical persons defined as 
the owners of the PG accounts, but now they are against it. The main 
reason is that they are looking into a completely different solution 
with Vault, which would fix some other issues and make it more robust 
towards PCI, and they prefer a solution for everything rather than making 
another exception. But we are speaking about years here, 2027 at the 
earliest, and they haven't even talked to us yet about how this would 
work with PG, only with other DB products.

have fun,
raphi
