Re: Record last password change

On Wed, Dec 12, 2018 at 07:30:18AM -0700, Bear Giles wrote:
> BTW another solution is SSO, e.g., Kerberos. I still need to submit a patch to
> pgsql to handle it better(*) but with postgresql itself you sign into the
> system and then the database server will just know who you are. You don't have
> to worry about remembering a new password for postgresql. X.509 (digital certs)
> are another possibility and I know you can tie them to a smart card but again I
> don't know how well we could integrate it into pgsql.

(Good to talk to you again.)  I recently wrote a blog entry about
putting the certificate and its private key on removable media:

    https://momjian.us/main/blogs/pgblog/2019.html#January_16_2019

and mentioned the value of PIV over removable media:

    https://momjian.us/main/blogs/pgblog/2019.html#January_14_2019

I can't think of a way to access a smart card for authentication, though 
I did wrote a presentation on how to use PIV devices for server-side and
client-side encryption:

    https://momjian.us/main/writings/crypto_hw_use.pdf

-- 
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +