On Wed, Dec 12, 2018 at 07:30:18AM -0700, Bear Giles wrote:
> BTW another solution is SSO, e.g., Kerberos. I still need to submit a patch to
> pgsql to handle it better(*) but with postgresql itself you sign into the
> system and then the database server will just know who you are. You don't have
> to worry about remembering a new password for postgresql. X.509 (digital certs)
> are another possibility and I know you can tie them to a smart card but again I
> don't know how well we could integrate it into pgsql.
(Good to talk to you again.) I recently wrote a blog entry about
putting the certificate and its private key on removable media:
https://momjian.us/main/blogs/pgblog/2019.html#January_16_2019
and mentioned the value of PIV over removable media:
https://momjian.us/main/blogs/pgblog/2019.html#January_14_2019
I can't think of a way to access a smart card for authentication, though
I did wrote a presentation on how to use PIV devices for server-side and
client-side encryption:
https://momjian.us/main/writings/crypto_hw_use.pdf
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +