Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256 - Mailing list pgsql-general

From Matthias Apitz
Subject Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256
Date
Msg-id 20190919132321.GA403679@sh4-5.1blu.de
In response to Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256  (rob stone <floriparob@gmail.com>)
Responses Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256
List pgsql-general
On Thursday, September 19, 2019 at 10:31:01PM +1000, rob stone wrote:

> Hello,
> 
> On Thu, 2019-09-19 at 12:30 +0200, Matthias Apitz wrote:
> > Hello,
> > 
> > Our software, a huge ILS, is running on Linux with DBS Sybase. To
> > connect to the Sybase server (over the network, even on localhost),
> > credentials must be known: a user (say 'sisis') and its password.
> > 
> > For Sybase we have them stored on the disk of the system in a file
> > syb.npw as:
> > 
> > $ cat /opt/lib/sisis/etc/syb/syb.npw
> > sisis:e53902b9923ab2fb
> > sa:64406def48efca8c
> > 
> > for the user 'sisis' and the administrator 'sa'. Our software has as
> > shared library a blob which knows how to decrypt the password hash
> > above, shown as 'e53902b9923ab2fb', into clear text which is then used
> > in the ESQL/C or Java layer to connect to the Sybase server.
> > 
> > For PostgreSQL the password must be typed in (for pgsql) or can be
> > provided in an environment variable PGPASSWORD=blabla
> > 
> > Is there somehow an API in PG to use ciphered passwords and provide as a
> > shared library the blob to decrypt it? If not, we will use the same
> > mechanism as we use for Sybase. Or any other idea to not make the
> > credentials detectable? This was a request of our customers some years ago.
> > 
> 
> 
> https://www.postgresql.org/docs/11/auth-password.html
> 
> Chapters 20.5 and 20.6 may give you more information.

The form in which the password hash is stored in the PG server or exchanged
over the network is not my question. The question is more: when the Linux
server starts and with it the (ESQL/C written) application servers start,
they need the password to connect, and at that moment it is not provided
from a keyboard or a human being. It must be stored on the server and
available in clear to the server, but not to other eyes on the server,
i.e. the place of storage must be ciphered.

    matthias

-- 
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
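As an added example from a defender's view (not code from the thread, nor from the ILS software discussed): libpq's own mechanism for a non-interactive connect is the password file (~/.pgpass, or the passfile connection parameter), which libpq reads at connect time and refuses outright when it is group- or world-accessible. The block below, in C to match the ESQL/C setting, implements that lookup and the permission check on constructed sample contents; the names (sisisdb) and passwords are placeholders.

```c
#include <string.h>
#include <sys/stat.h>
/* Added example, not code from the thread: lookup in libpq's passfile
 * (~/.pgpass) format "hostname:port:database:username:password";
 * '*' matches any value, and ':' or '\' inside a field is escaped with '\'. */

/* Copy one field into out, stopping at an unescaped ':' or end of line. */
static const char *read_field(const char *p, char *out, size_t outlen) {
    size_t n = 0;
    for (; *p && *p != ':' && *p != '\n'; p++) {
        if (*p == '\\' && p[1]) p++;            /* unescape \: and \\ */
        if (n + 1 < outlen) out[n++] = *p;
    }
    out[n] = '\0';
    return *p == ':' ? p + 1 : p;
}
/* Return 1 and copy the password into pw when a line matches, else 0. */
int pgpass_lookup(const char *buf, const char *host, const char *port,
                  const char *db, const char *user, char *pw, size_t pwlen) {
    const char *want[4] = { host, port, db, user };
    for (const char *p = buf; *p; ) {
        int ok = (*p != '#');                   /* '#' starts a comment line */
        for (int i = 0; ok && i < 4; i++) {
            char f[256];
            p = read_field(p, f, sizeof f);
            ok = (strcmp(f, "*") == 0 || strcmp(f, want[i]) == 0);
        }
        if (ok) { read_field(p, pw, pwlen); return 1; }
        while (*p && *p != '\n') p++;           /* skip the rest of the line */
        if (*p) p++;
    }
    return 0;
}
/* libpq refuses a group- or world-accessible passfile; mirror that check
 * so a misconfigured file is rejected instead of silently trusted. */
int pgpass_mode_ok(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}
static const char SAMPLE[] =                    /* constructed; placeholder secrets */
    "# host:port:database:user:password\n"
    "localhost:5432:sisisdb:sisis:s3cr\\:et\n"
    "*:*:*:sa:adminpw\n";
/* 1 when the lookup in SAMPLE for this key yields exactly expected. */
int pgpass_lookup_is(const char *host, const char *port, const char *db,
                     const char *user, const char *expected) {
    char pw[128];
    return pgpass_lookup(SAMPLE, host, port, db, user, pw, sizeof pw)
        && strcmp(pw, expected) == 0;
}
```

A shared-library blob that decrypts the file on the same host adds no protection beyond these file permissions, since anyone who can read the file and run the blob recovers the clear text; the permission check and the account boundary are what actually keep the credential from other eyes on the server.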
