manu@netbsd.org (Emmanuel Dreyfus) writes:
> I now need to store the
> PostgreSQL superuser password in cleartext in a shell script.
The new ~/.pgpass mechanism should help with that.
> I'm ready to work on patches to re-introduce the feature, would you
> accept them?
No. We are trying to get away from using crypt(), mainly because it's
not very portable (and not even very secure these days). And the
secondary-password-file mechanism was never anything more than a kluge
anyway. If you want your database users to be actual Unix system users,
why not just check them directly against /etc/passwd?
> I thought about implementing a PAM for this, since 7.3 supports
> PAM. What do you think about it?
The whole point of PAM is to allow installation-local authentication
methods, so you could easily set up something that checks a password
against /etc/passwd if you like. (There is surely such a PAM module
out there already, I'd expect, so look before you write.)
If your OS supports it, you might also want to consider using
Unix-socket-IDENT authentication, and forget passwords altogether.
regards, tom lane
