Re: Storing the password in .pgpass file in an encrypted format - Mailing list pgsql-hackers

From Tomas Vondra
Subject Re: Storing the password in .pgpass file in an encrypted format
Date
Msg-id 5307E738.6070004@fuzzy.cz
In response to Re: Storing the password in .pgpass file in an encrypted format  (Josh Berkus <josh@agliodbs.com>)
List pgsql-hackers
On 22.2.2014 00:02, Josh Berkus wrote:
> On 02/21/2014 09:11 AM, Tomas Vondra wrote:
>> What I think might be useful and safe at the same time is encrypted
>> .pgpass with tools asking for the encryption key. Think of it as a simple
>> password wallet - not really useful if you're connecting to a single
>> database, very useful if you have many as you only need to remember the
>> single password.
> 
> Sounds interesting, but probably better as an external utility than
> as part of PostgreSQL. Call it pgWallet.

Depends on how you define external utility. It certainly needs to be
somehow integrated with the tools using .pgpass. Do you have something
particular in mind?

While libsecret may look like a good choice, it kinda requires Gnome or
KDE (or some other desktop environment supporting it) running, as it's
just a proxy to the services provided by these environments. I'd bet
most server installations won't have that installed, and in such cases
it's pointless.

Maybe it can be forwarded to the original machine somehow (something
like what 'ssh -A' does), I'm not sure.

I would prefer something self-contained, not requiring a lot of other
stuff installed.

What I envisioned is a simple wallet (basically encrypted .pgpass) with
a simple management command-line tool. Let's call that 'pgpass', with
these options:

  pgpass list
  pgpass add
  pgpass rm

I'm fully aware that writing a good / reliable / secure tool for storing
passwords is tricky, and if there's something implemented and usable,
let's use that.

I'm also wondering how well the existing solutions will support the
host/database/user/password model, with wildcards for some of the
fields. I'd guess most of them use simple username/password pairs.

regards
Tomas
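As an added example that is not part of the thread, here is the host/port/database/user lookup model of .pgpass that a wallet such as the 'pgpass' tool sketched above would have to preserve behind its encryption; the encryption layer itself is left out, and the host names and passwords in SAMPLE are constructed placeholders.

```python
# Added example, not from the thread: the libpq .pgpass lookup model.
# A line is hostname:port:database:username:password; a field that is exactly '*'
# matches anything, ':' and '\' inside a field are escaped with '\', and the first
# matching line wins, so specific entries must precede wildcard fallbacks.
from typing import List, Optional

def split_pgpass_line(line: str) -> List[str]:
    """Split on unescaped ':' into 5 fields; the 5th (password) keeps any ':'."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])           # escaped character is taken literally
            i += 2
            continue
        if ch == ":" and len(fields) < 4:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def parse_pgpass(text: str) -> List[tuple]:
    entries: List[tuple] = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):    # blank lines and comments are skipped
            continue
        fields = split_pgpass_line(raw)
        if len(fields) == 5:                  # malformed lines are ignored, not guessed
            entries.append(tuple(fields))
    return entries

def lookup(entries: List[tuple], host: str, port: int, database: str, user: str) -> Optional[str]:
    """Password of the first entry whose four key fields match ('*' matches anything)."""
    want = (host, str(port), database, user)
    for *keys, password in entries:
        if all(k == "*" or k == w for k, w in zip(keys, want)):
            return password
    return None

# Constructed sample wallet contents (placeholder host and passwords, not real ones).
SAMPLE = """# specific entries first, wildcard fallback last
db1.example.org:5432:sales:alice:s3cret\\:with\\:colons
*:*:reports:alice:report-only
*:*:*:alice:fallback
"""
```

A wildcard-capable `add`/`rm` needs to keep this ordering, since moving the `*:*:*:alice` line above the others would silently make it win every lookup.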


