Re: looking for a secure
From | Fran Fabrizio |
---|---|
Subject | Re: looking for a secure |
Date | |
Msg-id | 3B66FB71.721D02CB@mmrd.com |
In reply to | looking for a secure (Fran Fabrizio <ffabrizio@mmrd.com>) |
List | pgsql-general |
Well, after aggregating all the feedback here and talking to my boss (he knows more about SSL and the like), I think we've come up with a solution that fits...

The first part will be implementing SSL. Apparently, he has managed to successfully compile OpenSSL on the SCO and AIX boxes that we will be having as clients. This means that if he compiles Pg with SSL support on them, he should be able to call for an SSL connection from the Pg library from his C client.

(Side note: is there any way to get client libraries onto a given machine without having to install and compile all of Pg? I remember looking for a client-library-only type download for Pg, but I did not have success, and I always have to install Pg even if I just want to use it as a client.)

In combination with SSL, we're considering putting a Linux firewall in front of the database which will indeed query the database for the known hosts and configure its rules accordingly. Then we can do one of two things: we can forward it such that the Pg database only sees the connections as coming from the firewall, and so we can restrict it to allow just that one IP and associate a username/password with that one IP; or we can forward it with the original source IPs intact and have Pg contain an account for each client and their IP (this seems like a lot of work).

Well, we appear to be on the right track. Thanks for all the insight, and if anyone can shoot holes through my plan or has additional recommendations for making it more secure, I'd love to hear it.

Oh, one last thing... all of these clients need SSL certificates (for another aspect of our operation). It would be great if we could leverage that fact to use SSL not only for encryption but also for authentication via the certificates. However, I don't think there's any way to get the client to just serve up the cert to Pg nor for the Pg server to do anything with it. However, if I'm wrong on that or if you can think of another way to leverage that client cert, let me know!

Thanks,
Fran
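Added example, not part of Fran's message or of the PostgreSQL project's own documentation: how the two firewall layouts described above, plus authentication by client certificate, are expressed in PostgreSQL configuration on releases that support `clientcert=verify-full` (PostgreSQL 12 or later is assumed). Database name, role names, addresses and file paths are constructed placeholders.

```conf
# postgresql.conf: enable TLS on the server and name the CA that signed the
# client certificates, so the server can verify certificates it is presented.
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
ssl_ca_file   = 'root.crt'

# pg_hba.conf, layout 1 from the message: the firewall masquerades, so Pg only
# ever sees one source address (192.0.2.10 is a placeholder for the firewall).
# One role, a password, AND a client certificate signed by our CA are required;
# a stolen password alone is not enough to connect.
hostssl  inventory  appuser  192.0.2.10/32  scram-sha-256  clientcert=verify-full

# Layout 2: the firewall preserves source addresses, so each client host gets
# its own role and line. The "cert" method authenticates by certificate only:
# the certificate CN must equal the role name (or map to it in pg_ident.conf),
# and no password crosses the wire at all.
hostssl  inventory  sco_client  198.51.100.21/32  cert
hostssl  inventory  aix_client  198.51.100.22/32  cert

# Reject non-TLS connections explicitly so a plaintext attempt cannot fall
# through to a later, more permissive line. pg_hba.conf is first-match-wins.
hostnossl  all  all  0.0.0.0/0  reject
```

Reload the server after editing (`pg_ctl reload`) and confirm with `SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid();`, which returns `t` on a TLS-protected session.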