Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256

From: Matthias Apitz <guru(at)unixarea(dot)de>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256
Date: 2019-09-19 13:23:21
Message-ID: 20190919132321.GA403679@sh4-5.1blu.de
Lists: pgsql-general

On Thursday, September 19, 2019 at 10:31:01PM +1000, rob stone wrote:

> Hello,
>
> On Thu, 2019-09-19 at 12:30 +0200, Matthias Apitz wrote:
> > Hello,
> >
> > Our software, a huge ILS, is running on Linux with DBS Sybase. To
> > connect to the Sybase server (over the network, even on localhost),
> > credentials must be known: a user (say 'sisis') and its password.
> >
> > For Sybase we have them stored on the disk of the system in a file
> > syb.npw as:
> >
> > $ cat /opt/lib/sisis/etc/syb/syb.npw
> > sisis:e53902b9923ab2fb
> > sa:64406def48efca8c
> >
> > for the user 'sisis' and the administrator 'sa'. Our software has, as
> > a shared library, a blob which knows how to decrypt the password hash
> > shown above as 'e53902b9923ab2fb' into clear text, which is then used
> > in the ESQL/C or Java layer to connect to the Sybase server.
> >
> > For PostgreSQL the password must be typed in (for pgsql) or can be
> > provided in an environment variable PGPASSWORD=blabla
> >
> > Is there somehow an API in PG to use ciphered passwords and provide,
> > as a shared library, the blob to decrypt it? If not, we will use the
> > same mechanism as we use for Sybase. Or any other idea to not make
> > the credentials detectable? This was a request of our customers some
> > years ago.
> >
>
>
> https://www.postgresql.org/docs/11/auth-password.html
>
> Chapters 20.5 and 20.6 may give you more information.

The form of the password hash stored in the PG server or interchanged over
the network is not my question. The question is more: When the Linux
server starts and with it the (ESQL/C written) application servers are
starting, they need the password to connect, and this is not provided at
this moment from some keyboard or human being. It must be stored on the
server and available in clear for the server, but not for other eyes on
the server, i.e. the place of the storage must be ciphered.

matthias

--
Matthias Apitz, ✉ guru(at)unixarea(dot)de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
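An added example, not from this thread or from PostgreSQL itself: a small POSIX shell helper around the password file libpq already offers for unattended clients in place of PGPASSWORD. libpq reads the file named by $PGPASSFILE (default ~/.pgpass) and ignores it entirely if group or world permission bits are set, so the file stays readable only to the service account. The host name, port, database and password below are constructed; only the user 'sisis' comes from the thread.

```shell
#!/bin/sh
# Constructed example: manage a libpq password file (.pgpass) for an
# unattended service account instead of exporting PGPASSWORD.
# libpq reads $PGPASSFILE (default ~/.pgpass), one entry per line:
#   hostname:port:database:username:password
# and ignores the whole file if group or others have any access bits.

# Escape '\' and ':' inside a field, as the .pgpass format requires.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Append one entry to FILE, creating FILE owner-only if it is missing.
# Usage: pgpass_add FILE HOST PORT DB USER PASSWORD
pgpass_add() {
    file=$1
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && touch "$file" ) || return 1
    chmod 0600 "$file" || return 1
    printf '%s:%s:%s:%s:%s\n' \
        "$(pgpass_escape "$2")" "$(pgpass_escape "$3")" \
        "$(pgpass_escape "$4")" "$(pgpass_escape "$5")" \
        "$(pgpass_escape "$6")" >> "$file"
}

# Return 0 if libpq would accept FILE, 1 if it would be ignored because
# group or other permission bits are set (e.g. 0644 or 0640).
pgpass_mode_ok() {
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 600, 400, 700: no group/other bits
        *)   return 1 ;;
    esac
}

# Stand-alone demonstration with constructed values (host and password
# are made up; 'sisis' is the service user from the thread).
demo() {
    f=$(mktemp) || return 1
    pgpass_add "$f" db.example.internal 5432 sisis sisis 'se:cret'
    pgpass_mode_ok "$f" && echo "libpq would use $f (mode 0600)"
    chmod 0644 "$f"
    pgpass_mode_ok "$f" || echo "libpq would ignore $f (mode 0644)"
    rm -f "$f"
}

demo
```

Point PGPASSFILE at the generated file in the service's environment and libpq picks the password up at connect time without it appearing in the process environment or on the command line.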
