On 4/14/19 4:05 AM, Peter J. Holzer wrote:
> On 2019-04-13 22:22:16 -0500, Ron wrote:
>> In our case, another looming Auditor requirement is to be able to instantly
>> kick off -- or at least send a warning email -- when certain roles log in
>> from unapproved IP addresses or programs. For example, service accounts
>> should only be able to log in from IP addresses and certain applications.
>> Humans logging in via service accounts using pgAdmin should, for example, be
>> instantly kicked off.
>
> If you want to prevent a user from logging in (which is functionally
> equivalent but a bit stronger than "instantly kick off"), then this is
> definitely something that could and should be implemented via PAM (I'm
> not sure what information is passed to PAM, so you might get the IP
> address

Doesn't this require all Postgres roles to also be OS users?

> but not the application name (the latter can't be trusted
> anyway), for example).

--
Angular momentum makes the world go 'round.