Stephen Frost: Advanced Authentication and Encrypted Connections (PGConf.EU 2023)

Advanced Authentication and Encrypted Connections in PostgreSQL: Learn best practices for secure SSL/TLS connections, client-side certificates, GSS API, SCRAM, and PGHBA configuration to protect your database.

Key takeaways

Require Off option is available in pg16, which allows for explicit control over SSL/TLS connections
Client-side certificates can be used for two-factor authentication, and are recommended over other methods
Using VerifyFull is recommended for SSL/TLS connections, and is the default in pg16
GSS API (General Security Service) is a secure authentication method that uses Kerberos
SSL/TLS connections should use AES-256 encryption
Intermediate CA certificates should be used in certificate chains
Revocation lists should be regularly updated and maintained
Certificates should be verified using a trusted root CA
SSL/TLS connections should use VerifyFull or Require Off explicitly
GSS API connections should use GSS ENC mode to require encryption
PGHBA configuration can be used to specify authentication methods and control
Client certificates should be signed by an intermediate CA
Server certificates should be signed by a root CA
Certificate authorities should be regularly updated and maintained
SSL/TLS connections should use VerifyFull to prevent clear text passwords
GSS API connections should use Require Off to prevent clear text passwords
SCRAM (Salted Challenge Response Authentication Mechanism) is a secure authentication method that uses hashing algorithms
Passwords should never be sent in clear text
Kerberos principles can be used for authentication with Active Directory
SSL/TLS connections should use VerifyFull to prevent impersonation
GSS API connections should use GSS ENC mode to require encryption
Certificates should be verified using a trusted root CA
Revocation lists should be regularly updated and maintained

Stephen Frost: Advanced Authentication and Encrypted Connections (PGConf.EU 2023)

More talks