Re: .pgpass and root: a problem

From: Scott Mead <scottm(at)openscg(dot)com>
To: sthomas(at)optionshouse(dot)com
Cc: PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: .pgpass and root: a problem
Date: 2013-02-05 18:57:02
Message-ID: CAKq0gvLCMGe7AuU1OHm2oukA__baLQVrHsurk+TpxOx4Gac2zg@mail.gmail.com
Lists: pgsql-general

On Tue, Feb 5, 2013 at 12:15 PM, Shaun Thomas <sthomas(at)optionshouse(dot)com> wrote:

> Hey folks,
>
> We're wanting to implement a more secure password policy, and so have
> considered switching to LDAP/Active Directory for passwords. Normally, this
> would be fine, but for two things:
>
> 1. Tons of our devs use .pgpass files to connect everywhere.
> 2. Several devs have root access to various environments.
>

I would love to see pgpass storing encrypted stuff here, that'd be great...
in the meantime...

Is there any way that you could move your 'root-fellas' to a 'sudo' model
so that they can have *most* of what they need, without allowing identity
switches? I was trying to come up with something clever, but if they're
root, they're root.

--Scott Mead
scottm(at)openscg(dot)com
http://www.openscg.com

>
> So, by switching from database-stored passwords to LDAP, we open a
> security problem that currently only affects the database, to developers'
> personal LDAP password, which is the key to every service and machine they
> use in the company.
>
> Unfortunately I can't see any way around this at all. Ident won't really
> work on remote systems, .pgpass isn't encrypted, and you can't use
> encrypted/hashed password entries either.
>
> I agree that we should probably have our root access much more locked down
> than it is, but it's still a valid problem. I don't think I'd even want a
> restricted set of root users able to see my LDAP password in plain text.
>
> Has anyone put thought into combining LDAP and .pgpass, or has it simply
> been abandoned every time the issue has presented itself?
>
> Thanks in advance!
>
> --
> Shaun Thomas
> OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
> 312-676-8870
> sthomas(at)optionshouse(dot)com
>
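The point both messages turn on is that .pgpass holds credentials in clear text and that libpq only enforces a file mode, which stops other unprivileged users but not root. The following is an added example, not code from this thread or from PostgreSQL itself: a small audit that parses a .pgpass file the way libpq's documented format works (five colon-separated fields, '*' wildcards in the first four, backslash escapes for ':' and '\', '#' comments), resolves which entry a given connection would use, and reports each file's entries with the password redacted together with whether the mode has any group or world bits set. Everything it assumes beyond the documented format is marked in comments; the sample content is constructed, and the lookup implements only the '*' wildcard and exact compare, not libpq's special handling of localhost and Unix-socket directories.

```python
"""Audit a .pgpass file: parse it as libpq's documented format and flag bad permissions.

Added example, not code from the thread or from PostgreSQL. It assumes only the
documented .pgpass format: one entry per line,
hostname:port:database:username:password, '*' as a wildcard in the first four
fields, ':' and '\\' escaped with a backslash, '#' lines as comments, and a
mode with no group/world bits (libpq refuses the file otherwise on Unix).
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample content; the second password is "pa:ss\word" once de-escaped.
# The last line has only four fields and is skipped by this audit.
SAMPLE_PGPASS = (
    "# constructed sample .pgpass\n"
    "db1.example.internal:5432:appdb:deploy:s3cret\n"
    "*:*:*:readonly:pa\\:ss\\\\word\n"
    "this:line:is:malformed\n"
)


@dataclass
class PgPassEntry:
    host: str
    port: str
    database: str
    user: str
    password: str  # held in memory for lookup only; the audit report never includes it


def split_pgpass_line(line: str) -> List[str]:
    """Split one .pgpass line on unescaped ':'; a backslash makes the next char literal."""
    fields: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped ':' or '\' taken literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_pgpass(text: str) -> List[PgPassEntry]:
    """Parse .pgpass content, skipping blank lines, '#' comments and lines without five fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_pgpass_line(line)
        if len(fields) != 5:
            continue
        entries.append(PgPassEntry(*fields))
    return entries


def lookup(entries: List[PgPassEntry], host: str, port: str,
           database: str, user: str) -> Optional[str]:
    """Return the password of the first entry that matches; '*' matches anything.

    Assumption: only '*' and exact compare are implemented here, not libpq's
    special cases for localhost and Unix-socket directories.
    """
    for e in entries:
        pairs = ((e.host, host), (e.port, port), (e.database, database), (e.user, user))
        if all(pat == "*" or pat == val for pat, val in pairs):
            return e.password
    return None


def pgpass_mode_ok(path: str) -> bool:
    """True when the mode has no group or world bits, the condition libpq enforces on Unix."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_pgpass(path: str) -> Dict[str, object]:
    """Report a file's permission status and its entries with passwords redacted."""
    with open(path, encoding="utf-8") as fh:
        entries = parse_pgpass(fh.read())
    return {
        "mode_ok": pgpass_mode_ok(path),
        "entries": [f"{e.user}@{e.host}:{e.port}/{e.database}" for e in entries],
    }


def demo() -> Dict[str, Dict[str, object]]:
    """Write the constructed sample twice, with modes 0600 and 0644, and audit both."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("good", 0o600), ("bad", 0o644)):
            path = os.path.join(d, f".pgpass-{name}")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(SAMPLE_PGPASS)
            os.chmod(path, mode)
            results[name] = audit_pgpass(path)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run against real home directories, the entries list shows which hosts and roles have a stored credential on a machine, which is the inventory you need before moving those roles off shared passwords; the mode check is the only protection the format offers, and as the thread notes it is irrelevant to anyone who is already root.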
