On Tue, Feb 5, 2013 at 12:15 PM, Shaun Thomas <stho...@optionshouse.com> wrote:

> Hey folks,
>
> We're wanting to implement a more secure password policy, and so have
> considered switching to LDAP/Active Directory for passwords. Normally, this
> would be fine, but for two things:
>
> 1. Tons of our devs use .pgpass files to connect everywhere.
> 2. Several devs have root access to various environments.

I would love to see pgpass storing encrypted stuff here, that'd be great... in the meantime...

Is there any way that you could move your 'root-fellas' to a 'sudo' model so that they can have *most* of what they need, without allowing identity switches? I was trying to come up with something clever, but if they're root, they're root.

--Scott Mead
sco...@openscg.com
http://www.openscg.com

> So, by switching from database-stored passwords to LDAP, we open a
> security problem that currently only affects the database, to developers'
> personal LDAP password, which is the key to every service and machine they
> use in the company.
>
> Unfortunately I can't see any way around this at all. Ident won't really
> work on remote systems, .pgpass isn't encrypted, and you can't use
> encrypted/hashed password entries either.
>
> I agree that we should probably have our root access much more locked down
> than it is, but it's still a valid problem. I don't think I'd even want a
> restricted set of root users able to see my LDAP password in plain text.
>
> Has anyone put thought into combining LDAP and .pgpass, or has it simply
> been abandoned every time the issue has presented itself?
>
> Thanks in advance!
>
> --
> Shaun Thomas
> OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
> 312-676-8870
> stho...@optionshouse.com
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
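The thread turns on what a .pgpass file actually holds and who can read it. The script below is an added illustration, not code from either poster or from the PostgreSQL project: it parses .pgpass entries with the matching rules libpq documents (hostname:port:database:username:password, '*' in any of the first four fields matches anything, ':' and '\' inside a field are backslash-escaped, first matching line wins), mirrors libpq's refusal to use a file readable by group or others, and then groups entries by password to show how many host/user pairs one plaintext secret unlocks, which is exactly the blast radius Shaun is worried about once that secret is an LDAP password. The sample file contents, hostnames and passwords are constructed for the example; comment lines and the Unix-socket/localhost special case are left out for brevity.

```python
"""Audit a libpq-style .pgpass file: resolve which entry a connection would use,
check the file mode libpq insists on, and show how widely each plaintext
password is exposed. Added illustration; not code from the thread or PostgreSQL."""
import os
import stat

# Constructed sample .pgpass contents (not a real file from the thread).
# Format: hostname:port:database:username:password, '*' = match anything,
# ':' or '\' inside a field is escaped with a backslash.
SAMPLE_PGPASS = """\
localhost:5432:*:app_ro:ro-pass
db-prod.example.com:5432:orders:shaun:Sup3r\\:Secret
*:*:*:shaun:Sup3r\\:Secret
"""


def split_pgpass_line(line):
    """Split one entry into its fields, honouring backslash escapes so an
    escaped ':' stays inside a field instead of starting a new one."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped char: keep it literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_pgpass(text):
    """Return the well-formed entries as (host, port, db, user, password) tuples."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = split_pgpass_line(raw)
        if len(fields) == 5:                 # libpq skips malformed lines
            entries.append(tuple(fields))
    return entries


def lookup_pgpass(text, host, port, dbname, user):
    """Password from the first entry matching the connection, the way libpq
    resolves it, or None. A field matches when it is '*' or equal."""
    want = (host, str(port), dbname, user)
    for entry in parse_pgpass(text):
        if all(f == "*" or f == w for f, w in zip(entry[:4], want)):
            return entry[4]
    return None


def pgpass_mode_ok(path):
    """libpq ignores a .pgpass that grants any group/other permission (chmod 0600
    is the usual fix). Mirrors that check; it does nothing against root, who
    reads the file regardless, which is the thread's point."""
    mode = os.stat(path).st_mode
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def password_exposure(text):
    """Map each plaintext password to the (host, user) pairs that use it. One
    password listed under many hosts is the blast radius of leaking the file;
    a shared LDAP password would appear on every line."""
    exposure = {}
    for host, _port, _db, user, password in parse_pgpass(text):
        exposure.setdefault(password, []).append((host, user))
    return {pw: sorted(set(pairs)) for pw, pairs in exposure.items()}


if __name__ == "__main__":
    print(lookup_pgpass(SAMPLE_PGPASS, "db-prod.example.com", 5432, "orders", "shaun"))
    for pw, where in password_exposure(SAMPLE_PGPASS).items():
        print(f"{len(where)} host/user pair(s) share one password: {where}")
```

Run it against a real ~/.pgpass by reading the file into `text`; the wildcard line in the sample shows why a catch-all `*:*:*:user:password` entry is the worst case, since it hands the same secret to every host the client is ever pointed at.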