From: | "Albe Laurenz" <all(at)adv(dot)magwien(dot)gv(dot)at> |
---|---|
To: | "James B(dot) Byrne *EXTERN*" <byrnejb(at)harte-lyne(dot)ca>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com> |
Cc: | <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: ssl connections to postgresql |
Date: | 2007-07-27 08:20:44 |
Message-ID: | AFCCBB403D7E7A4581E48F20AF3E5DB204007751@EXADV1.host.magwien.gv.at |
Lists: | pgsql-general |
James B. Byrne wrote:
> On Tue, July 24, 2007 18:29, Joshua D. Drake wrote:
>> just enforce hostssl in your pg_hba.conf and nothing else.
>> If you can connect, you are good :)
>
> Thanks, I will probably end up doing this.
>
> What I am really looking for is an audit trail for all DBM host
> connections to show the security compliance team that the
> network links are in fact secured.

This is more a philosophical question.

If you only allow hostssl connections in pg_hba.conf AND forbid
all host connections (with one last 'reject' line), PostgreSQL
will reject all connections that are not via SSL.

If your "security compliance team" does not trust PostgreSQL to
enforce that, they'll probably have a very bad feeling about PostgreSQL
in general - why then should they trust a log entry that PostgreSQL
writes?

But I guess you're more after something that "looks good" to
make your security guys happy, which I can understand...

> What is the process to make a suggestion to the pg
> maintainers to add a configurable logging option like this?

Write to this group, as you did, I guess.

This would in fact be interesting for database servers that are
configured to use SSL, but do not enforce it. You can then see
which incoming connections are encrypted and which not.

Yours,
Laurenz Albe
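
A check of the hostssl-only rule described in this message, as an added example that is not part of the original e-mail or of PostgreSQL: it flags every pg_hba.conf record that could admit a TCP connection without SSL. The function names and both sample configurations are constructed for illustration; the check is deliberately conservative (it ignores first-match ordering, quoted names containing `#`, and include directives).

```python
import ipaddress

# Record types that can match a TCP connection made without SSL.
# "host" matches SSL and non-SSL attempts alike; "hostssl" and "local" never match plaintext TCP.
PLAINTEXT_TYPES = {"host", "hostnossl"}

def auth_method(fields):
    """Return the auth method of a host* record, or None if the record is too short."""
    if len(fields) < 5:
        return None
    # The address is one CIDR/hostname field, or an IP followed by a separate netmask field.
    if len(fields) > 5:
        try:
            ipaddress.ip_address(fields[4])
            return fields[5].lower()
        except ValueError:
            pass
    return fields[4].lower()

def plaintext_rules(hba_text):
    """Return (line_number, record) for each record that may let a non-SSL TCP client in."""
    findings = []
    for number, raw in enumerate(hba_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0].lower() in PLAINTEXT_TYPES and auth_method(fields) != "reject":
            findings.append((number, line))
    return findings

# Constructed sample: only hostssl records grant access, host records only reject.
ENFORCED = """
local   all all                           md5
hostssl all all 10.0.0.0/8                md5
hostssl all all 192.168.1.0 255.255.255.0 md5
host    all all 0.0.0.0/0                 reject
host    all all ::/0                      reject
"""

# Constructed sample: SSL is configured but not enforced.
MIXED = """
hostssl   all         all  10.0.0.0/8                md5
host      all         all  192.168.1.0 255.255.255.0 md5   # also matches non-SSL
hostnossl replication repl 10.1.2.3/32               trust
host      all         all  0.0.0.0/0                 reject
"""

if __name__ == "__main__":
    for name, text in (("ENFORCED", ENFORCED), ("MIXED", MIXED)):
        print(name, plaintext_rules(text) or "no plaintext TCP path")
```

Run against the live pg_hba.conf, an empty result is evidence for an auditor that no record grants access to an unencrypted TCP client.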