.pgpass and root: a problem

From: Shaun Thomas
Subject: .pgpass and root: a problem
Msg-id: 51113E34.1040006@optionshouse.com
Responses: Re: .pgpass and root: a problem (Scott Marlowe <scott.marlowe@gmail.com>)
Re: .pgpass and root: a problem (Scott Mead <scottm@openscg.com>)
Re: .pgpass and root: a problem (Stephen Frost <sfrost@snowman.net>)
List: pgsql-general
Hey folks,

We're wanting to implement a more secure password policy, and so have
considered switching to LDAP/Active Directory for passwords. Normally,
this would be fine, but for two things:

1. Tons of our devs use .pgpass files to connect everywhere.
2. Several devs have root access to various environments.

So, by switching from database-stored passwords to LDAP, we open a
security problem that currently only affects the database, to
developers' personal LDAP password, which is the key to every service
and machine they use in the company.

Unfortunately I can't see any way around this at all. Ident won't really
work on remote systems, .pgpass isn't encrypted, and you can't use
encrypted/hashed password entries either.

I agree that we should probably have our root access much more locked
down than it is, but it's still a valid problem. I don't think I'd even
want a restricted set of root users able to see my LDAP password in
plain text.

Has anyone put thought into combining LDAP and .pgpass, or has it simply
been abandoned every time the issue has presented itself?

Thanks in advance!

--
Shaun Thomas
OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
312-676-8870
sthomas@optionshouse.com

______________________________________________

See http://www.peak6.com/email_disclaimer/ for terms and conditions related to this email
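An added example, not code from the thread above: a small Python inventory that parses a developer's .pgpass the way libpq reads it (backslash escapes, `*` wildcards, `#` comment lines), reports which entries store a password for an LDAP-backed username without ever emitting the password, and checks the 0600-style mode libpq insists on. The file contents, hostnames and usernames are constructed; the mode check only guards against other unprivileged users, since root reads the file regardless, which is exactly the problem the post raises.

```python
import stat
PGPASS_FIELDS = ("host", "port", "database", "username", "password")

def parse_pgpass_line(line):
    """Split one .pgpass line (host:port:database:username:password).
    A backslash escapes the next character, only the first four colons
    separate fields, and blank or '#' comment lines yield None."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped ':' or '\'
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == ":" and len(fields) < 4:      # field separator
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))              # remainder is the password
    if len(fields) != 5:
        raise ValueError("malformed .pgpass line: %r" % line)
    return dict(zip(PGPASS_FIELDS, fields))

def audit_pgpass(text, mode, ldap_users):
    """Return (mode_ok, findings) for a .pgpass file's text and st_mode.
    mode_ok mirrors libpq's rule (no group/world access) and says nothing
    about root. Findings never include the password, only whether one is
    stored and whether the username is an LDAP identity (or '*')."""
    mode_ok = stat.S_IMODE(mode) & 0o077 == 0
    findings = []
    for e in filter(None, map(parse_pgpass_line, text.splitlines())):
        stored = e["password"] != ""
        findings.append({
            "target": "%s:%s/%s" % (e["host"], e["port"], e["database"]),
            "username": e["username"],
            "password_stored": stored,
            "exposes_ldap": stored and (e["username"] in ldap_users or e["username"] == "*"),
        })
    return mode_ok, findings

SAMPLE = """# dev workstation .pgpass (constructed sample, not a real file)
db1.example.internal:5432:*:app_ro:s3cret
*:*:*:jdoe:p\\:ss\\\\word
"""
```

Run `audit_pgpass(SAMPLE, os.stat(path).st_mode, ldap_users)` over each home directory to see which LDAP identities a root-readable .pgpass would hand over.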
