Re: Storing the password in .pgpass file in an encrypted format - Mailing list pgsql-hackers

From Alvaro Herrera
Subject Re: Storing the password in .pgpass file in an encrypted format
Date
Msg-id 20140221150447.GK4759@eldon.alvh.no-ip.org
Whole thread Raw
In response to Re: Storing the password in .pgpass file in an encrypted format  (Euler Taveira <euler@timbira.com.br>)
Responses Re: Storing the password in .pgpass file in an encrypted format
Re: Storing the password in .pgpass file in an encrypted format
List pgsql-hackers
Euler Taveira wrote:
> On 21-02-2014 09:49, firoz e v wrote:
> > Even though, there are ways to set the permissions on .pgpass, to disallow any access to world or group, the
securityrules of many organizations disallow to hold any kind of passwords, as plain text.
 
> > 
> Is your goal hiding the password in .pgpass? You could add support to
> accept md5... storage format as password.

How would that work?  libpq needs the straight password to send to the
server, not an encrypted one.  If you were to have a mechanism by which
libpq can store an md5'd password (or whatever hash) and send that md5
to the server and have the server accept it to grant a connection, then
the md5 has, in effect, become the unencrypted password which others can
capture from the file, and you're back at square one.

You could instead try to have an authentication agent that stores an
encrypted password or certificate and asks the user to supply the key to
decrypt it when trying to establish a connection; but that would force
you to require user intervention, which in many cases you don't want.

If there's policy that disallows storage of plain-text passwords, your
only choice appears to be not to use .pgpass in the first place.

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services



pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Cost estimation in foreign data wrappers
Next
From: Andres Freund
Date:
Subject: Re: Storing the password in .pgpass file in an encrypted format