From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | dlo(at)isam(dot)kiwi |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #10250: pgAdmin III 1.16.1 stores unescaped plaintext password |
Date: | 2014-05-07 15:44:31 |
Message-ID: | 20140507154431.GW2556@tamriel.snowman.net |
Lists: | pgadmin-hackers pgsql-bugs |
Ben,

* dlo(at)isam(dot)kiwi (dlo(at)isam(dot)kiwi) wrote:
> When storing credentials for connections into ~/.pgpass the credentials are
> stored in delimited plaintext form. Not only is this practise a security
> risk,

This isn't a bug, it's intentional, and if it goes against your security
requirements then simply don't do it. Storing it in .pgpass encrypted
would require a password to either be provided (in which case, just
don't have the password in the pgpass file..) or for the key to be
stored in plain-text somewhere, which would be the same situation.
Perhaps there is a feature request in here somewhere to have an
ssh-agent like daemon, but there simply hasn't been demand for it.

> but when the credential contains the delimiter (colon) it fails to be
> read back out and app responds with "invalid credentials".
>
> x.x.x.x:5432:*:username:password:with:colons

Per the fine documentation, you need to escape any such usage with a
backslash. Please review:

http://www.postgresql.org/docs/9.3/static/libpq-pgpass.html

Thanks,
Stephen
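
The backslash escaping that the linked documentation calls for, shown as an added example that is not part of the original message and is not pgAdmin or libpq code. The function names are hypothetical, and rejecting a line with extra unescaped colons is this example's own choice, not a statement about how libpq or pgAdmin parse the file.

```python
def escape_field(value: str) -> str:
    """Escape a literal backslash first, then the colon delimiter."""
    return value.replace("\\", "\\\\").replace(":", "\\:")


def format_entry(host, port, database, user, password) -> str:
    """Build one hostname:port:database:username:password line."""
    fields = (host, port, database, user, password)
    return ":".join(escape_field(str(f)) for f in fields)


def parse_entry(line: str):
    """Split a pgpass-style line into five fields, honouring backslash escapes.

    Returns None for blank lines, comments, and lines that do not yield
    exactly five fields (for example an unescaped colon in the password).
    """
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    fields, current = [], []
    chars = iter(line)
    for ch in chars:
        if ch == "\\":
            # The character after a backslash is taken literally.
            current.append(next(chars, ""))
        elif ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    fields.append("".join(current))
    return tuple(fields) if len(fields) == 5 else None


if __name__ == "__main__":
    # The entry from the bug report, written with its colons escaped.
    good = format_entry("x.x.x.x", 5432, "*", "username", "password:with:colons")
    print(good)
    print(parse_entry(good))
    # The same entry as reported, with the colons left unescaped.
    print(parse_entry("x.x.x.x:5432:*:username:password:with:colons"))
```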