Thread: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

From
dlo@isam.kiwi
Date:
The following bug has been logged on the website:

Bug reference:      10250
Logged by:          Ben Walter
Email address:      dlo@isam.kiwi
PostgreSQL version: Unsupported/Unknown
Operating system:   openSUSE 13.1 (Bottle) (x86_64)
Description:

When storing credentials for connections into ~/.pgpass the credentials are
stored in delimited plaintext form. Not only is this practice a security
risk, but when the credential contains the delimiter (colon) it fails to be
read back out and the app responds with "invalid credentials".

x.x.x.x:5432:*:username:password:with:colons

Re: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

From
Stephen Frost
Date:
Ben,

* dlo@isam.kiwi (dlo@isam.kiwi) wrote:
> When storing credentials for connections into ~/.pgpass the credentials are
> stored in delimited plaintext form. Not only is this practice a security
> risk,

This isn't a bug, it's intentional, and if it goes against your security
requirements then simply don't do it.  Storing it in .pgpass encrypted
would require a password to either be provided (in which case, just
don't have the password in the pgpass file..) or for the key to be
stored in plain-text somewhere, which would be the same situation.

Perhaps there is a feature request in here somewhere to have an
ssh-agent like daemon, but there simply hasn't been demand for it.

> but when the credential contains the delimiter (colon) it fails to be
> read back out and app responds with "invalid credentials".
>
> x.x.x.x:5432:*:username:password:with:colons

Per the fine documentation, you need to escape any such usage with a
backslash.  Please review:

http://www.postgresql.org/docs/9.3/static/libpq-pgpass.html

    Thanks,

        Stephen

Re: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

From
Heikki Linnakangas
Date:
(forwarding to pgadmin-hackers)

On 05/07/2014 06:44 PM, Stephen Frost wrote:
> * dlo@isam.kiwi (dlo@isam.kiwi) wrote:
>> but when the credential contains the delimiter (colon) it fails to be
>> read back out and app responds with "invalid credentials".
>>
>> x.x.x.x:5432:*:username:password:with:colons
>
> Per the fine documentation, you need to escape any such usage with a
> backslash.  Please review:

Stephen, you missed the context. pgadmin3 saves .pgpass when you check
the "store password" checkbox in the connection dialog. And apparently
pgadmin3 doesn't do that escaping properly.

- Heikki
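The escaping rule Stephen points to, and the writer-side failure Heikki describes, as an added example (not pgAdmin or libpq code): a writer that escapes one field for .pgpass and an escape-aware reader, showing that the report's unescaped line splits into more than five fields while the escaped one reads back intact. The host, port and password values are constructed to mirror the report.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not pgAdmin or libpq code. A .pgpass line is host:port:db:user:password;
 * per the libpq docs a literal ':' or '\' inside a field is written as "\:" or "\\". */
#define PGPASS_FIELDS 5
#define FIELD_MAX 256

/* Escape one field for writing to .pgpass: 0 on success, -1 if out is too small. */
int pgpass_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == ':' || *in == '\\') ? 2 : 1;  /* backslash prefix needed? */
        if (o + need >= outlen) return -1;
        if (need == 2) out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

/* Split a line as an escape-aware reader does. Returns PGPASS_FIELDS for a
 * well-formed line, PGPASS_FIELDS + 1 once a sixth field appears, -1 on overflow. */
int pgpass_split(const char *line, char fields[PGPASS_FIELDS + 1][FIELD_MAX])
{
    int n = 0; size_t o = 0;
    for (; *line && *line != '\n'; line++) {
        if (*line == '\\' && line[1] && line[1] != '\n') {
            line++;                               /* escaped: take next char literally */
        } else if (*line == ':') {
            fields[n][o] = '\0';                  /* unescaped colon ends the field */
            if (++n > PGPASS_FIELDS) return n;    /* an unescaped password colon lands here */
            o = 0;
            continue;
        }
        if (o + 1 >= FIELD_MAX) return -1;
        fields[n][o++] = *line;
    }
    fields[n][o] = '\0';
    return n + 1;
}

int main(void)
{
    /* Constructed sample mirroring the report's password that contains colons. */
    char esc[FIELD_MAX], line[512], f[PGPASS_FIELDS + 1][FIELD_MAX];
    pgpass_escape("password:with:colons", esc, sizeof esc);
    snprintf(line, sizeof line, "x.x.x.x:5432:*:username:%s", esc);
    printf("%s\n%d fields, password=%s\n", line, pgpass_split(line, f), f[4]);
    return 0;
}
```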


Re: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password

From
Stephen Frost
Date:
* Heikki Linnakangas (hlinnakangas@vmware.com) wrote:
> (forwarding to pgadmin-hackers)

Ah.

> On 05/07/2014 06:44 PM, Stephen Frost wrote:
> >* dlo@isam.kiwi (dlo@isam.kiwi) wrote:
> >>but when the credential contains the delimiter (colon) it fails to be
> >>read back out and app responds with "invalid credentials".
> >>
> >>x.x.x.x:5432:*:username:password:with:colons
> >
> >Per the fine documentation, you need to escape any such usage with a
> >backslash.  Please review:
>
> Stephen, you missed the context. pgadmin3 saves .pgpass when you
> check the "store password" checkbox in the connection dialog. And
> apparently pgadmin3 doesn't do that escaping properly.

Wow, that's pretty rough.  Hopefully they'll be able to fix it soon. :)

    Thanks,

        Stephen

Akshay, can you look into the quoting problem please?
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


Sure.
--
Akshay Joshi
Principal Software Engineer 


Phone: +91 20-3058-9517
Mobile: +91 976-788-8246
Hi Dave,

I have fixed the escaping issue and tested it. It works fine for me. Attached is the patch file; can you please review it?
If the code looks good to you, can you please commit it?