Re: What are best practices wrt passwords?

From: felix(dot)quintgz(at)yahoo(dot)com
To: pgsql-general(at)postgresql(dot)org
Subject: Re: What are best practices wrt passwords?
Date: 2024-10-16 14:16:45
Message-ID: 48574746.2559694.1729088205609@mail.yahoo.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Use the PGPASSWORD environment variable.
Example:

SET PGPASSWORD=P0stgres
psql -h localhost -p 5432 -U postgres -d postgres -c "SELECT 1;'"

https://www.postgresql.org/docs/current/libpq-envars.html

On Wednesday, October 16, 2024 at 08:26:05 AM GMT-4, <mbork(at)mbork(dot)pl> wrote:

Hello all,

I'd like to be able to use psql without typing passwords again and
again.  I know about `.pgpass` and PGPASSFILE, but I specifically do not
want to use it - I have the password in the `.env` file, and having it
in _two_ places comes with its own set of problems, like how to make
sure they don't get out of sync.

I understand why giving the password on the command line or in an
environment variable is a security risk (because of `ps`), but I do not
understand why `psql` doesn't have an option like `--password-command`
accepting a command which then prints the password on stdout.  For
example, I could then use `pass` (https://www.passwordstore.org/) with
gpg-agent.

Is there any risk associated with this usage pattern?  What is the
recommended practice in my case other than using `.pgpass`?

Thanks in advance,

P.S. Please CC me in replies, since I'm not subscribed to the list.
Thanks.

--
Marcin Borkowski
https://mbork.pl
https://crimsonelevendelightpetrichor.net/

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Alvaro Herrera 2024-10-16 14:37:11 Re: What are best practices wrt passwords?
Previous Message Dominique Devienne 2024-10-16 12:41:47 Re: What are best practices wrt passwords?