Thread: BUG #16450: Recovery.conf file shows clear text password.
The following bug has been logged on the website: Bug reference: 16450 Logged by: yi Ding Email address: abcxiaod@126.com PostgreSQL version: 10.12 Operating system: linux Description: cat recovery.conf standby_mode = 'on' primary_conninfo = 'host=2019::abcd:516 port=6755 user=test application_name=sb2019abcd516 password=8d5s256fhHJ keepalives_idle=60 keepalives_interval=5 keepalives_count=5 sslmode=disable' recovery_target_timeline = 'latest'
On Mon, May 18, 2020 at 11:41 AM PG Bug reporting form <noreply@postgresql.org> wrote:
The following bug has been logged on the website:
Bug reference: 16450
Logged by: yi Ding
Email address: abcxiaod@126.com
PostgreSQL version: 10.12
Operating system: linux
Description:
cat recovery.conf
standby_mode = 'on'
primary_conninfo = 'host=2019::abcd:516 port=6755 user=test
application_name=sb2019abcd516 password=8d5s256fhHJ keepalives_idle=60
keepalives_interval=5 keepalives_count=5 sslmode=disable'
recovery_target_timeline = 'latest'
As PostgreSQL needs the password to connect to a service requiring a password, it has to be stored either in plantext or plaintext-equivalent.
You can avoid this by using an authentication method that does not require a password to be stored, such as Kerberos/gssapi or certificate. Nevertheless, the client side of the connection needs to store the credentials for access *in some way*, but for example with certificate authentication method you could use a smartcard or yubikey or similar to store it.