On 4/14/19 4:05 AM, Peter J. Holzer wrote:
> On 2019-04-13 22:22:16 -0500, Ron wrote:
>> In our case, another looming Auditor requirement is to be able to instantly
>> kick off -- or at least send a warning email -- when certain roles log in
>> from unapproved IP addresses or programs. For example, service accounts
>> should only be able to log in from IP addresses and certain applications.
>> Humans logging in via service accounts using pgAdmin should, for example, be
>> instantly kicked off.
> If you want to prevent a user from logging in (which is functionally
> equivalent but a bit stronger than "instantly kick off"), then this is
> definitely something that could and should be implemented via PAM (I'm
> not sure what information is passed to PAM, so you might get the IP
> address
Doesn't this require all Postgres roles to also be OS users?
> but not the application name (the latter can't be trusted
> anyway), for example).
--
Angular momentum makes the world go 'round.