On 2013-02-05, Scott Mead wrote:
> I would love to see pgpass storing encrypted stuff here, that'd be great...
> in the meantime...
whatever it stores will, of necessity, be sufficient to grant access to the
postgres database, libpq could be modified to use MD5 hashed passwords
in that file salt
* Shaun Thomas (stho...@optionshouse.com) wrote:
> On 02/05/2013 03:40 PM, Stephen Frost wrote:
> >You need to register the server w/ AD by creating a principal for it and
> >then exporting the princ (shared secret between the KDC and the server)
> >and then loading it on the server.
>
> That look
On 02/05/2013 03:40 PM, Stephen Frost wrote:
You need to register the server w/ AD by creating a principal for it and
then exporting the princ (shared secret between the KDC and the server)
and then loading it on the server.
That looks like something our Windows admins will have to do since th
* Shaun Thomas (stho...@optionshouse.com) wrote:
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor
> code may provide more information
> GSSAPI continuation error: Server not found in Kerberos database
>
> Not extremely useful.
You need to register the server w/ AD by creating a
On 02/05/2013 02:58 PM, Scott Marlowe wrote:
Why are you using LDAP and passing passwords for access to insecure
systems?
We're trying not to. That's kind of my point. Now, I'd love to spend
another few days learning yet another auth mechanism (kerberos) but I
was trying to avoid it.
As it
On Tue, Feb 5, 2013 at 12:07 PM, Shaun Thomas wrote:
> On 02/05/2013 12:44 PM, Scott Marlowe wrote:
>
>> Stop. If you want secure setups you don't hand out root access to
>> lots of people. Trying to then make it secure is like closing the
>> barn door after the horse has left.
>
>
> I guess you
Shaun,
* Shaun Thomas (stho...@optionshouse.com) wrote:
> We're wanting to implement a more secure password policy, and so
> have considered switching to LDAP/Active Directory for passwords.
Don't use the LDAP side of AD, use the Kerberos side. Using LDAP for
auth against AD is terrible and is o
On Tue, Feb 5, 2013 at 1:57 PM, Scott Mead wrote:
>
>
> I would love to see pgpass storing encrypted stuff here, that'd be
> great... in the meantime...
>
>
I would suggest going one step further, and making encrypted pgpass
authorization something that has to be specifically enabled in pg_hba.co
On 02/05/2013 12:44 PM, Scott Marlowe wrote:
Stop. If you want secure setups you don't hand out root access to
lots of people. Trying to then make it secure is like closing the
barn door after the horse has left.
I guess you missed the part where I said I thought we should lock root
down be
On Tue, Feb 5, 2013 at 11:53 AM, Joshua D. Drake wrote:
>
> On 02/05/2013 10:44 AM, Scott Marlowe wrote:
>>
>>
>> On Tue, Feb 5, 2013 at 10:15 AM, Shaun Thomas
>> wrote:
>>>
>>> Hey folks,
>>>
>>> We're wanting to implement a more secure password policy, and so have
>>> considered switching to LD
On Tue, Feb 5, 2013 at 12:15 PM, Shaun Thomas wrote:
> Hey folks,
>
> We're wanting to implement a more secure password policy, and so have
> considered switching to LDAP/Active Directory for passwords. Normally, this
> would be fine, but for two things:
>
> 1. Tons of our devs use .pgpass files t
On 02/05/2013 10:44 AM, Scott Marlowe wrote:
On Tue, Feb 5, 2013 at 10:15 AM, Shaun Thomas wrote:
Hey folks,
We're wanting to implement a more secure password policy, and so have
considered switching to LDAP/Active Directory for passwords. Normally, this
would be fine, but for two things:
1
On Tue, Feb 5, 2013 at 10:15 AM, Shaun Thomas wrote:
> Hey folks,
>
> We're wanting to implement a more secure password policy, and so have
> considered switching to LDAP/Active Directory for passwords. Normally, this
> would be fine, but for two things:
>
> 1. Tons of our devs use .pgpass files t
Hey folks,
We're wanting to implement a more secure password policy, and so have
considered switching to LDAP/Active Directory for passwords. Normally,
this would be fine, but for two things:
1. Tons of our devs use .pgpass files to connect everywhere.
2. Several devs have root access to vari