Hi,
On 21 Únor 2014, 16:52, Christopher Browne wrote:
> On Fri, Feb 21, 2014 at 7:49 AM, firoz e v <firoz.ev@huawei.com> wrote:
>
>> Hi,
>>
>>
>>
>> Is there a way to store the password in ".pgpass" file in an encrypted
>> format (for example, to be used by pg_dump).
>>
>>
>>
>> Even though, there are ways to set the permissions on .pgpass, to
>> disallow
>> any access to world or group, the security rules of many organizations
>> disallow to hold any kind of passwords, as plain text.
>>
>>
>>
>> If there is no existing way to do this, shall we take up this, as a
>> patch?
>>
>
> As observed by others, storing the password in encrypted form in .pgpass
> merely means that you need to store the password to decrypt .pgpass in
> still another file that would, again, run afoul of such security policies.
> There is no appetite in the community to do implementation work that is
> provably useless as it cannot accomplish what people imagine to
> accomplish.
Sure. If you want to log-in without any user interaction, then the
password needs to be stored is a form equal to cleartext (e.g. with a
key). It's mostly security by obscurity.
What I think might be useful and safe at the same time is encrypted
.pgpass with tools asking for the encryption key. Think of it as a simple
passord wallet - not really useful if you're connecting to a single
database, very useful if you have many as you only need to remember the
single password.
If the encrypted passwords were stored in a separate file (say
.pgpass.wallet) then this should not break the current tools. The tools
would do this:
1) exists .pgpass? 1.a) read .pgpass -> is there a matching record? (yes -> stop)
2) exists .pgpass.wallet? 2.a) ask for encryption key 2.b) read .pgpass using the decryption key 2.c) is there a
matchingrecord? (yes -> stop)
3) ask for connection info directly
BTW yes, I know what kerberos is, but many of us are dealing with
companies that don't use it.
regards
Tomas
