Re: Rejecting weak passwords

Ron Mayer <rm_pg@cheapcomplexdevices.com>

From: Ron Mayer <rm_pg@cheapcomplexdevices.com>
To: Dave Page <dpage@pgadmin.org>
Cc: Mark Mielke <mark@mark.mielke.cc>, Robert Haas <robertmhaas@gmail.com>, Tom Lane <tgl@sss.pgh.pa.us>, Kevin Grittner <Kevin.Grittner@wicourts.gov>, Andrew Dunstan <andrew@dunslane.net>, Marko Kreen <markokr@gmail.com>, Magnus Hagander <magnus@hagander.net>, Greg Stark <gsstark@mit.edu>, Bruce Momjian <bruce@momjian.us>, pgsql-hackers <pgsql-hackers@postgresql.org>, mlortiz <mlortiz@uci.cu>, Albe Laurenz <laurenz.albe@wien.gv.at>
Date: 2009-10-15T21:40:16Z
Lists: pgsql-hackers
Dave Page wrote:
> I never said it wasn't - in fact I said from the outset it was about
> box-checking, and that anyone doing things properly will use
> LDAP/SSPI/Kerberos etc.

I don't understand why the box-checkers can't already check that
box; with the explanation stating "Yes - by using LDAP or GSSAPI
or PAM configured accordingly".

Or do checkbox-lists specifically say
"can postgres do XYZ with all OS security features disabled".

> Anyway, as noted in the message you quoted, the current proposal will
> allow my colleagues to check boxes, and will be implemented in a
> sensible way on the server side. And it's entirely confined to a
> plugin, so if you trust all your users, there's no need for you to
> load it at all.

Note that I'm not horribly against the feature (though I wouldn't
use it) --- just that ISTM we're checkbox-compliant already by
working with the OS, and it's perhaps more a documentation issue
than coding issue to get those boxes checked.