On Friday, September 22, 2023, Dominique Devienne <
ddevienne@gmail.com> wrote:
Remember that I'm already connected in the "parent" process, to the DB.
There aught to be a way to obtain a token from the DB via a connection,
with a short duration, to supply to the exec'd PostgreSQL tools like psql or pg_dump,
to completely bypass passwords. The server would maintain per-DB secrets,
and sign a JWT token for example, valid for a few seconds, for that user/DB pair,
that the parent "process" could then utilize / pass to the "fork/exec"d tool.
Much safer than plain-text passwords floating around env-vars or temp-files. --DD
Sure, though maybe just some kind of “—password-on-stdin” option and then the next input read from stdin is interpreted as the password, would be more readily accomplished. Scripts should be sent via “—file” in that usage but that seems desirable anyway.
David J.
