Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uVXG4-001kZ5-PU for pgsql-general@arkaria.postgresql.org; Sat, 28 Jun 2025 15:14:24 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uVXG1-008Kg9-CF for pgsql-general@arkaria.postgresql.org; Sat, 28 Jun 2025 15:14:22 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uVXG0-008Kfz-V7 for pgsql-general@lists.postgresql.org; Sat, 28 Jun 2025 15:14:21 +0000 Received: from mail-ot1-x335.google.com ([2607:f8b0:4864:20::335]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uVXFy-004aKw-2u for pgsql-general@lists.postgresql.org; Sat, 28 Jun 2025 15:14:21 +0000 Received: by mail-ot1-x335.google.com with SMTP id 46e09a7af769-72c09f8369cso931499a34.3 for ; Sat, 28 Jun 2025 08:14:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1751123656; x=1751728456; darn=lists.postgresql.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=c7sZoxmcLs+fNR3V0KuqE9qQEuEvLDxFKrKjYSErjfg=; b=R3zDGO/brPuRZi/arENfPn7YrghPP9emASgE3XoFrlC62QWRtuYSlto+ihE+Dxp26P RMGXloP4+Wqb+bZlj7oLztKvRw9HbpYdsxjfkfPmb63mPIbmqScvSw9zf5FNoOERN3vz mBWpa6HszMw0Z966k2tEv2HQ5gMkWGSz5D1/7Df3hBsBD8bsvGT9MuFKwx5szVS56v+C +EJFirEFNMSgXOWta0qupQQrEvhwGKYAkj+si1bOw32o9ixtrPZfshqJ8vSIPO1emJbb vtITMIWcyaQ2MEBn7dMSY/Mfxdu3nfk6Get3Y0vjllf1qQ+FZ8gR8dyatwzlG1UyMAgV w8UA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1751123656; x=1751728456; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=c7sZoxmcLs+fNR3V0KuqE9qQEuEvLDxFKrKjYSErjfg=; b=bJHyUB3eQx90SrO7lzzfWgh01/tozEZ+uTAnyBr5WLWABtIi2EXescMxHYvOWf3pgI GjLi5pHwZvmXSfZjLBmt0GDt4VZMtgM4NuY7XPWNp2bnI017DRfYtehjcks8t4dQHFPQ 065sOVGqQFwQL6yFFjDCjuORz4DaOMl+Y8HqxVHUNiCkkhaQ9zC4f4rJkZv3UblDbPWU wdJqGJYclGVBIwxU3aarFdGbw3SGGug/I6b+rnJicBgGQe1Q92OSDgobbpDaQAgXeTuC z1jEEfsfTV3MCr7GLqIu9DtkjVkeLpvAWVgJbL7pjh8I6zZN0CiN8eItY468Mu8ynfis OuzA== X-Gm-Message-State: AOJu0YwHqV4HCVPwtNGvMY3nyNp6AcCrmkvffh/GRU4gGDMTIjZ8OOzz hOgjJp8mXzUcSDSJUmOqCljt+Rg0qSTbBUweH+eCTVl74WcUa/F/Ho2KrH2126W0VrRr8zuCi+1 i82V7dZ+pTNVYDBA8GEL5CVkmALMSn66l+y/S X-Gm-Gg: ASbGnctIBSzgkzIc3xVjM4q2vk83F4dj0Vea/dcAXj6sEsW5tBa3WW1TPa7VVZhZ7Ba XqZWQb5a0a6NfUT3o086rHrg/YYAQVHI+GRVonIcwTQ49VeX4A2WEE2E8zvnikUkF0ZwS4Rmh53 b6oVdHDMT/jah2vdj/jNNVqW/hIdX/Nc9f1qbVr4sRg9lpNfq2YlrOQS6HOp2iOzaa0XGX5Q6g3 SPzcg== X-Google-Smtp-Source: AGHT+IHomx0ie+2ivnw67xYkV6mHCyJ/nuc3Q9gET88BOQrd0OJDiQAB0EskP25cWvCQY2RnafNLPRyyxGfW8LoexNY= X-Received: by 2002:a05:6871:33a1:b0:2e8:f5d4:6077 with SMTP id 586e51a60fabf-2efed78ced5mr4565136fac.38.1751123655818; Sat, 28 Jun 2025 08:14:15 -0700 (PDT) MIME-Version: 1.0 References: <65b65e9f-b4b0-4927-b872-d24dff11449b@crashdump.ch> <20250625115535.bd3lmsslyd36qsha@hjp.at> <7b27e37f-f775-4952-96f6-2604ee8259b9@crashdump.ch> <20250625153305.hmbzbpq5nadwvczo@hjp.at> <0344a9b2-bb6b-4d09-af54-2acb10b6a51a@crashdump.ch> <20250626122741.wkemjudz3lagw6zn@hjp.at> <31fd386e-8cff-4573-8cc7-f4e64c59dc85@crashdump.ch> <20250628135923.v2hrctnfjpqlcnqs@hjp.at> In-Reply-To: <20250628135923.v2hrctnfjpqlcnqs@hjp.at> From: Ron Johnson Date: Sat, 28 Jun 2025 11:14:04 -0400 X-Gm-Features: Ac12FXxDGVMpsle-_WemXTQ5H80SROcnUg8SUYHgcAoxso2-zqWVY5OobxxHNo8 Message-ID: Subject: Re: password rules To: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000007683490638a33f89" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000007683490638a33f89 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Sat, Jun 28, 2025 at 9:59=E2=80=AFAM Peter J. Holzer = wrote: > On 2025-06-27 19:00:36 +0200, raphi wrote: > > > > > > Am 26.06.2025 um 14:27 schrieb Peter J. Holzer: > > > On 2025-06-25 17:55:12 +0200, raphi wrote: > > > > Am 25.06.2025 um 17:33 schrieb Peter J. Holzer: > > > > > On 2025-06-25 14:42:26 +0200, raphi wrote: > > > > > > That's not how the identiy principle works, at least not how it= 's > > > > > > implement in our company. A user in ldap has a direct relation = to > > > > > > one digital entity, either a token from an application or > > > > > > certificate from a physical person (maybe some AD shenanigans > > > > > > also). We don't have digital entities for teams, that's what's > > > > > > missing. For it to work they (security) would need to allow to > > > > > > weaken this principle and as you said, allow everyone who has a > > > > > > certain role to manage the associated user in LDAP, like settin= g > a > > > > > > new password. > > > > > That user shouldn't have a password, since nobody is > authenticating as > > > > > that user. It also doesn't have to exist in LDAP. It's just a rol= e > in > > > > > the database. > > > > hmm I don't follow, maybe I was doing it wrong? > > > I'm thinking of something like this: > > > > > > Roles assigned to people are in LDAP, and only they have passwords. > > > Application roles don't have to be in LDAP (maybe there are operation= al > > > reasons to have them there, but PostgreSQL doesn't need them) and don= 't > > > have passwords. > > Thank you very much for the detailed test. It will be useful for other > ideas > > I have but (I think) it does not solve our particular case. Maybe I > wasn't > > clear enough and I'm sorry for that, but our problem lies in the way ho= w > > applications connect. The passwords that devs are ordering via our self > > service is for the application that is connecting to the database, not > for > > themselfs. > > Ok. I misunderstood that. > > > It's the application's password that we want to ensure that it is > > complex and gets changed after we set an initial password for it. > > Why let a human change that at all? Couldn't you just create a suitable > random password at deployment time? (And then automatically every n > months if you want to rotate it.) > "openssl rand -base64 48" or a couple of random words from /usr/share/dict/words plus a random number. > But the more I think about it the more I like switching to > > certificates, after all we already have mechanisms in place to > > automatically get new officially trusted (not selfsigned) > > certificates, it could be adoptable for PG connects too. > > I agree. If you already have the infrastructure for that, that's a good > way to avoid some (but not all) of the problems with passwords. > > hjp > > -- > _ | Peter J. Holzer | Story must make more sense than reality. > |_|_) | | > | | | hjp@hjp.at | -- Charles Stross, "Creative writing > __/ | http://www.hjp.at/ | challenge!" > --=20 Death to , and butter sauce. Don't boil me, I'm still alive. lobster! --0000000000007683490638a33f89 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Sat, Jun 28, 2025 at 9:59=E2=80=AFAM P= eter J. Holzer <hjp-pgsql@hjp.at= > wrote:
On 2025-06-27 19:00:36 +0200, raph= i wrote:
>
>
> Am 26.06.2025 um 14:27 schrieb Peter J. Holzer:
> > On 2025-06-25 17:55:12 +0200, raphi wrote:
> > > Am 25.06.2025 um 17:33 schrieb Peter J. Holzer:
> > > > On 2025-06-25 14:42:26 +0200, raphi wrote:
> > > > > That's not how the identiy principle works, at= least not how it's
> > > > > implement in our company. A user in ldap has a dir= ect relation to
> > > > > one digital entity, either a token from an applica= tion or
> > > > > certificate from a physical person (maybe some AD = shenanigans
> > > > > also). We don't have digital entities for team= s, that's what's
> > > > > missing. For it to work they (security) would need= to allow to
> > > > > weaken this principle and as you said, allow every= one who has a
> > > > > certain role to manage the associated user in LDAP= , like setting a
> > > > > new password.
> > > > That user shouldn't have a password, since nobody i= s authenticating as
> > > > that user. It also doesn't have to exist in LDAP. I= t's just a role in
> > > > the database.
> > > hmm I don't follow, maybe I was doing it wrong?
> > I'm thinking of something like this:
> >
> > Roles assigned to people are in LDAP, and only they have password= s.
> > Application roles don't have to be in LDAP (maybe there are o= perational
> > reasons to have them there, but PostgreSQL doesn't need them)= and don't
> > have passwords.
> Thank you very much for the detailed test. It will be useful for other= ideas
> I have but (I think) it does not solve our particular case. Maybe I wa= sn't
> clear enough and I'm sorry for that, but our problem lies in the w= ay how
> applications connect. The passwords that devs are ordering via our sel= f
> service is for the application that is connecting to the database, not= for
> themselfs.

Ok. I misunderstood that.

> It's the application's password that we want to ensure that it= is
> complex and gets changed after we set an initial password for it.

Why let a human change that at all? Couldn't you just create a suitable=
random password at deployment time? (And then automatically every n
months if you want to rotate it.)

"= ;openssl rand -base64 48" or a couple of random words from=C2=A0/usr/s= hare/dict/words plus a random number.
=C2=A0

=
> But the more I think= about it the more I like switching to
> certificates, after all we already have mechanisms in place to
> automatically get new officially trusted (not selfsigned)
> certificates, it could be adoptable for PG connects too.

I agree. If you already have the infrastructure for that, that's a good=
way to avoid some (but not all) of the problems with passwords.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 hjp

--
=C2=A0 =C2=A0_=C2=A0 | Peter J. Holzer=C2=A0 =C2=A0 | Story must make more = sense than reality.
|_|_) |=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 |
| |=C2=A0 =C2=A0| hjp@hjp.a= t=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0|=C2=A0 =C2=A0 -- Charles Stross, &q= uot;Creative writing
__/=C2=A0 =C2=A0| http://www.hjp.at/ |=C2=A0 =C2=A0 =C2=A0 =C2=A0challenge!&q= uot;


--
Death to <Redacted>, and butter sauce.Don't boil me, I'm still alive.
<Redacted> lobs= ter!
--0000000000007683490638a33f89--