Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP

From: Stephen Frost
Subject: Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP
Msg-id: 20170104164958.GR18360@tamriel.snowman.net
In reply to: Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List: pgsql-hackers
* Peter Eisentraut (peter.eisentraut@2ndquadrant.com) wrote:
> On 1/4/17 10:57 AM, Tom Lane wrote:
> > I still maintain that the existing solution for passphrases is useless,
> > but in the interest of removing objections to the current patch, I'll
> > go make that happen.
>
> Sounds good.

Agreed, thanks.

> Looking around briefly (e.g., Apache, nginx), the standard approach
> appears to be a configuration setting that gets the password from an
> external program or file.  (Although the default still appears to be to
> get from tty.)

Right, the MIT Kerberos daemon will definitely prompt for the passphrase
for the master key on the terminal also.  They might also have a way to
get it from a program now, not sure, it's been a while, but it was a
requirement from NIST 800-53 to not have unencrypted keys on the
filesystem and I had to address that for the MIT Kerberos master key and
the private keys for various SSL-using services.

> systemd has support for getting passwords to services without tty.

Oh, that's interesting, I wasn't aware of that.

> So if someone is interested, there is some room for enhancement here.

Agreed.

Thanks!

Stephen
