Re: How to fork pg_dump or psql w/o leaking secrets? - Mailing list pgsql-general

From David G. Johnston
Subject Re: How to fork pg_dump or psql w/o leaking secrets?
Date
Msg-id CAKFQuwYHKQrSV7rd74_C3Er_cYhWBtc9dVKazmi9BQ0uJp15hQ@mail.gmail.com
Whole thread Raw
In response to Re: How to fork pg_dump or psql w/o leaking secrets?  (Dominique Devienne <ddevienne@gmail.com>)
List pgsql-general
On Friday, September 22, 2023, Dominique Devienne <ddevienne@gmail.com> wrote:

Remember that I'm already connected in the "parent" process, to the DB.
There aught to be a way to obtain a token from the DB via a connection,
with a short duration, to supply to the exec'd PostgreSQL tools like psql or pg_dump,
to completely bypass passwords. The server would maintain per-DB secrets,
and sign a JWT token for example, valid for a few seconds, for that user/DB pair,
that the parent "process" could then utilize / pass to the "fork/exec"d tool.

Much safer than plain-text passwords floating around env-vars or temp-files. --DD

Sure, though maybe just some kind of “—password-on-stdin” option and then the next input read from stdin is interpreted as the password, would be more readily accomplished.  Scripts should be sent via “—file” in that usage but that seems desirable anyway.

David J.

pgsql-general by date:

Previous
From: Adrian Klaver
Date:
Subject: Re: Ubuntu 18 + PHP 8.2 + PDO: can't find drivers
Next
From: "Ray O'Donnell"
Date:
Subject: Re: Ubuntu 18 + PHP 8.2 + PDO: can't find drivers