Subject: Re: Password complexity/history - credcheck?
From: Martin Goodson
To: Christoph Moench-Tegeder
Cc: Tom Lane, pgsql-general@lists.postgresql.org
Date: Sun, 23 Jun 2024 14:14:43 +0100
References: <79692c1a-190c-413e-9442-a14a45c1069d@googlemail.com> <834558.1719102188@sss.pgh.pa.us> <43826fbd-2d26-467b-afcf-7fde609f8da3@googlemail.com>

On 23/06/2024 11:49, Christoph Moench-Tegeder wrote:

> My advice would be to not use secrets stored in the database -
> that is, do not use scram-sha-256 - but use an external authentication
> system, like Kerberos (might be AD) or LDAP (might also be AD) and have
> that managed by the security team: that way all these compliance

Crikey, that would be quite a lot of SSL/TLS to set up. We have quite a few (massive understatement :( ... ) PostgreSQL database clusters spread over quite a lot (another understatement) of VMs.

The last time I suggested LDAP there was a lot of enthusiasm ... until they went down and looked at what might have to be done, after which it all became very quiet ...

Regards,

Martin.

