Postgres Pro
Downloads
Home   >   mailing lists

Re: Have an encrypted pgpass file - Mailing list pgsql-hackers

From Kyotaro HORIGUCHI
Subject Re: Have an encrypted pgpass file
Date
Msg-id 20180802.145938.125641041.horiguchi.kyotaro@lab.ntt.co.jp
Whole thread Raw
In response to Re: Have an encrypted pgpass file  (Marco van Eck <marco.vaneck@gmail.com>)
List pgsql-hackers
Tree view 
Hello.

I have had complaints several times on lack of this kind of
feature.

At Wed, 1 Aug 2018 17:33:39 +0200, Marco van Eck <marco.vaneck@gmail.com> wrote in
<CAE35ztPKvPE4xA7+jCGY+O5kL_9FtZ-owPDrUpXMvpU168pGgA@mail.gmail.com>
> After explaining the patch to a college we identified potentially execution
> of another user when it is defined in as a command parameter. To protect
> agains it I've removed the possibility to pass the 'passcommand'. With the
> result libpq only allows the PGPASSCOMMAND environment variable, which can
> only be defined by the executing user, and will be executed by the same
> user. It only reduces the need of unencrypted password's in a file.

Myabe we don't need the new environment variable by just allowing
.pgpass be a script. If we put faith in the security of .pgpass,
this won't be a problem, putting aside what the script actually
does.

> I think this solution is secure enough, shall we solve this feature-request?
> 
> 
> Regards, Marco
> 
> On Tue, Jul 24, 2018 at 4:00 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> 
> > Marco van Eck <marco.vaneck@gmail.com> writes:
> > > Indeed having unencrypted password lying (.pgpass or PGPASSWORD or -W)
> > > around is making my auditors unhappy, and forcing me to enter the
> > password
> > > over and over again. With a simple test it seems the password entered by
> > > the user also stays in memory, since it is able to reset a broken
> > > connection. Finding the password in memory is not trivial, but prevention
> > > is always preferred.
> >
> > > It might be an idea to wipe the password after the login, and
> > decrypt/read
> > > it again if it needs to reconnect. Would this make the solution more
> > > secure? I had a quick look at the code and the patch would stay compact.
> > > Please let me know of doing this would make sense.
> >
> > We're basically not going to accept any added complication that's designed
> > to prevent memory-inspection attacks, because in general that's a waste
> > of effort.  All you're doing is (slightly) reducing the attack window.
> >
> >                         regards, tom lane

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center

pgsql-hackers by date:

Previous
From: "Yamaji, Ryo"
Date:
Subject: RE: [HACKERS] Cached plans and statement generalization
Next
From: Simon Riggs
Date:
Subject: Re: patch to ensure logical decoding errors early