From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andreas Karlsson <andreas(at)proxel(dot)se>, Magnus Hagander <magnus(at)hagander(dot)net>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Michael Banck <michael(dot)banck(at)credativ(dot)de>, Peter Geoghegan <pg(at)heroku(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH] Reload SSL certificates on SIGHUP |
Date: | 2017-01-04 16:49:58 |
Message-ID: | 20170104164958.GR18360@tamriel.snowman.net |
Lists: | pgsql-hackers |
* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> On 1/4/17 10:57 AM, Tom Lane wrote:
> > I still maintain that the existing solution for passphrases is useless,
> > but in the interest of removing objections to the current patch, I'll
> > go make that happen.
>
> Sounds good.
Agreed, thanks.
> Looking around briefly (e.g., Apache, nginx), the standard approach
> appears to be a configuration setting that gets the password from an
> external program or file. (Although the default still appears to be to
> get from tty.)
Right, the MIT Kerberos daemon will definitely prompt for the passphrase
for the master key on the terminal also. They might also have a way to
get it from a program now, not sure, it's been a while, but it was a
requirement from NIST 800-53 to not have unencrypted keys on the
filesystem and I had to address that for the MIT Kerberos master key and
the private keys for various SSL-using services.
> systemd has support for getting passwords to services without tty.
Oh, that's interesting, I wasn't aware of that.
> So if someone is interested, there is some room for enhancement here.
Agreed.
Thanks!
Stephen
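The thread describes two pieces of the no-tty passphrase approach: a daemon obtaining the key passphrase from a configured external program or file, and an audit requirement (NIST 800-53, as Stephen recalls it) that no unencrypted private keys sit on the filesystem. The following Python is an added example written for this archive page; it is not PostgreSQL code and not code from any of the posters. It assumes the configured helper is given as an argv list rather than a shell string, and that a passphrase file readable by group or others should be refused (a local policy choice, not something the thread specifies). The PEM samples are constructed, with placeholder bodies rather than real key material, and the check relies only on the PEM labels and the legacy `Proc-Type: 4,ENCRYPTED` header.

```python
import os
import re
import stat
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional

# Constructed PEM samples used as input; the base64 bodies are placeholders,
# not real key material. Only the headers matter to the check below.
SAMPLE_KEYS: Dict[str, str] = {
    "server_legacy_clear.key":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n",
    "server_legacy_enc.key":
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n"
        "MIIE...placeholder...\n"
        "-----END RSA PRIVATE KEY-----\n",
    "server_pkcs8_enc.key":
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder...\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "server_pkcs8_clear.key":
        "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n",
    "server.crt":
        "-----BEGIN CERTIFICATE-----\nMIID...placeholder...\n-----END CERTIFICATE-----\n",
}

# Legacy OpenSSL ("traditional") private key block; encryption is signalled by
# a Proc-Type header between the BEGIN line and the base64 body.
LEGACY_KEY_RE = re.compile(r"-----BEGIN (?:RSA|EC|DSA) PRIVATE KEY-----\n(.*?)-----END", re.S)


def is_encrypted_pem_key(pem_text: str) -> Optional[bool]:
    """True if the private key is passphrase-protected, False if stored in the
    clear, None if the text holds no private key block at all."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:   # PKCS#8, encrypted
        return True
    if "-----BEGIN PRIVATE KEY-----" in pem_text:             # PKCS#8, clear
        return False
    m = LEGACY_KEY_RE.search(pem_text)
    if m is None:
        return None
    return "Proc-Type: 4,ENCRYPTED" in m.group(1)


def find_unencrypted_keys(files: Dict[str, str]) -> List[str]:
    """Names of files that hold a private key in the clear (audit finding)."""
    return sorted(name for name, text in files.items() if is_encrypted_pem_key(text) is False)


def passphrase_from_command(argv: List[str], timeout: float = 10.0) -> str:
    """Run the configured helper program and use the first line of its stdout
    as the passphrase. A non-zero exit or empty output is an error, so the
    server never silently falls back to an empty passphrase."""
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError(f"passphrase command exited with status {proc.returncode}")
    passphrase = proc.stdout.split("\n", 1)[0]
    if not passphrase:
        raise RuntimeError("passphrase command produced no output")
    return passphrase


def passphrase_from_file(path: str) -> str:
    """Read a passphrase file, refusing one that other users can read: a
    group- or world-readable passphrase file defeats encrypting the key.
    (Assumes POSIX permission bits.)"""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group or others")
    with open(path, "r", encoding="utf-8") as f:
        return f.readline().rstrip("\n")


def demo_passphrase_sources() -> Dict[str, object]:
    """Exercise both sources with constructed inputs: a child Python process
    that prints the passphrase stands in for the configured helper program."""
    result: Dict[str, object] = {}
    result["from_command"] = passphrase_from_command(
        [sys.executable, "-c", "print('correct horse battery')"])
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("strict.pass", 0o600), ("loose.pass", 0o644)):
            path = os.path.join(d, name)
            with open(path, "w", encoding="utf-8") as f:
                f.write("correct horse battery\n")
            os.chmod(path, mode)
        result["from_file"] = passphrase_from_file(os.path.join(d, "strict.pass"))
        try:
            passphrase_from_file(os.path.join(d, "loose.pass"))
            result["loose_rejected"] = False
        except PermissionError:
            result["loose_rejected"] = True
    return result


if __name__ == "__main__":
    print("keys stored in the clear:", find_unencrypted_keys(SAMPLE_KEYS))
    print(demo_passphrase_sources())
```

The helper-program path is what lets a daemon restart or reload (as with the SIGHUP reload under discussion) without anyone typing at a terminal; the file-permission check and the clear-text key scan are the two things an auditor applying the "no unencrypted keys on disk" requirement would ask to see.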