Steven,
* Steven Siebert (smsiebe@gmail.com) wrote:
> > If you don't want the server to see the user's password, don't use LDAP
> > authentication. A much better approach is Kerberos or client-side SSL
> > certificates.
>=20
> Sadly, all other authentication options will not work for us.
>=20
> I'm not seeing the user password in the log, I'm seeing the bind
> password (ldapbindpasswd) that in the pg_hba.conf file. There is a
> line in auth.c that, on every failed attempt, prints the full (raw)
> configuration line to the log at all log levels. So, this isn't just
> a problem with LDAP (with ldapbindpasswd) but also the RADIUS method
> (radiussecret).
Ah, ok. Kerberos and SSL certs aren't immune to that problem, though
the secrets don't ever end up in the logs- but they still must be
visible to the server process in order. Of course, if you already
have access to the server process, there shouldn't be much to gain
=66rom the Kerberos secret, the RADIUS secret, the SSL private key, or
the LDAP bind password..
> I've submitted a patch and we're discussing the problem further on the
> pgsql-hackers distro. Really, I think it all comes down to finding
> the right balance of security and convenience of the administrator.
> I'm hopeful we'll come up with the right answer soon and I can submit
> a new patch.
Oh, yeah, I saw that discussion but hadn't quite put it together with
this bug report (somehow I saw the bug report after the hackers
discussion...).
Thanks,
Stephen