Re: Changing Passwords as Encrypted not Clear-Text - Mailing list pgsql-general

From MURAT KOÇ
Subject Re: Changing Passwords as Encrypted not Clear-Text
Date
Msg-id CAA4y46zDW03S3hvVpjc8G02gDB7_9V8sqwr2OBVo9nPB4yixEA@mail.gmail.com
Whole thread Raw
In response to Re: Changing Passwords as Encrypted not Clear-Text  (Alban Hertroys <haramrae@gmail.com>)
Responses Re: Changing Passwords as Encrypted not Clear-Text
List pgsql-general
Hi,
 
My answers are written under your comments.
 
Best Regards
Murat KOC

2011/12/19 Alban Hertroys <haramrae@gmail.com>
On 19 December 2011 16:26, MURAT KOÇ <m.koc21@gmail.com> wrote:
> Hi Adrian,
>
> I wrote a desktop application on Windows by using "Npgsql.dll". So, I send
> SQL statement to database from this application code. I can't use psql
> command line (I know "\password" command changes password encrypted text).
>
> Because of this, I have to use "ALTER USER" statement from application code.
> Or what could you give another advice?

Apparently psql doesn't send a plain ALTER ROLE statement. It probably
uses the binary protocol. Perhaps your application can do the same.
 
Although my application uses the binary protocol, it has to send "ALTER USER " statement to PostgreSQL Database to change DB user password.

Alternatively, you can secure your (apparently insecure) connection to
the DB using SSL or an ssh tunnel or somesuch.

Problem is not secure connection to DB, problem is that PostgreSQL logs include changing passwords on clear-text not encrypted.

### Server Logs ###
2011-12-19 14:35:31 EET--postgres--postgres--[local]--psql--idle--00000LOG:  statement: alter user mkoc password 'dummy';
2011-12-19 14:35:41 EET--postgres--postgres--[local]--psql--idle--00000LOG:  statement: alter user mkoc with password 'dummy';

That said, if you are having issues with a fellow DBA, you should
create a policy that you don't use each others' login credentials when
it matters. You're DBA's, there is no security measure that will stop
you from obtaining private data from the databases you manage. Access
to the log files is only a small part of that.

Of course, we could create login credentials, login configuration options for every DBA colleagues. But, as I said previous that big problem is "PostgreSQL logs include changing passwords on clear-text not encrypted"

--
If you can't see the forest for the trees,
Cut the trees and you'll see there is no forest.

pgsql-general by date:

Previous
From: Havasvölgyi Ottó
Date:
Subject: fsync on ext4 does not work
Next
From: "Tomas Vondra"
Date:
Subject: Re: fsync on ext4 does not work