On Sun, Dec 16, 2012 at 05:51:23PM +0100, Peter Bex wrote:
> The best solution I can come up with is not provide a web UI at all
> but let the user connect directly to the database using a secure
> method (e.g. SSL client certs, GSSAPI etc).
Speaking of which, a custom implementation of the GSSAPI might be
feasible. I don't have experience with the API, but presumably you
can accept a password once, generate a GSSAPI ticket and store *that*
in the user's session file or cookie. Any succesful attack will only
be able to get that one ticket. If the server is compromised you can
revoke all currently active tickets.
Assuming you're using HTTPS and store cookies with the "secure"
attribute, this could be a safe way to do things. It's probably not
easy or available out-of-the-box though!
I think the Postgres docs could use some improvement on how to
use GSSAPI; they're pretty terse! If I understand the Kerberos
section correctly, it's even possible to avoid passwords altogether
by using mod_auth_kerb and a browser extension that allows talking
to this module. That would be even better, but might not be acceptable
if you want to allow users to connect using vanilla webbrowsers.
Cheers,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
is especially attractive, not only because it can be economically
and scientifically rewarding, but also because it can be an aesthetic
experience much like composing poetry or music."
-- Donald Knuth