Ron Snyder wrote:
> > OK, how do secondary passwords work in pg_hba.conf. It requires
> > clear-text 'password', right, because the password is already crypt-ed
> > in the file.
>
> I presume that you're referring to passwords being transmitted clear text?
Yes, is that your pg_hba.conf line? 'password' is insecure over
networks you don't trust.
> > One idea I had was to look for a colon in the username, and if I see
> > one, I assume everything after the colon is a password.
> > Would that work
> > for you?
>
> It would as long as there was an assumption (or method to specify) that the
> stuff after the colon is a crypt()ed password. Our method to generate the
It would be whatever password is specified on the pg_hba.conf line,
'password', 'crypt', or 'md5'.
> password file is to 'ypcat passwd > /db/etc/password; cat
> /db/etc/pg-only-passwords >> /db/etc/password'. We could very easily only
> pull only the fields we care about from our yp passwd file.
>
> I suppose I should also mention that we're not wedded to this method-- we've
> just found it convenient. If we needed to script something else up to
> connect to the databases and set passwords, we could do that too, it would
> just be a bit more work.
OK.
-- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610)
853-3000+ If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill,
Pennsylvania19026