From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
---|---|
To: | Christopher Browne <cbbrowne(at)gmail(dot)com>, firoz e v <firoz(dot)ev(at)huawei(dot)com> |
Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Storing the password in .pgpass file in an encrypted format |
Date: | 2014-02-21 16:49:17 |
Message-ID: | 5307838D.9050805@2ndquadrant.com |
Lists: | pgsql-hackers |
On 02/21/2014 11:52 PM, Christopher Browne wrote:
>
> The thing you could do instead that would *look* like it is encrypted is
> to use a certificate (e.g. - SSL). The certificate that you'd need to
> put on the client still needs to be in something that is effectively
> plain text (however much it looks like nonsensical encrypted text).

Yep, though the certificate private key may well be stored encrypted
with a passphrase that must be entered via direct user interaction.

It looks like doing it with OpenSSL for libpq you might be able to set a
passphrase callback routine to prompt the user to decrypt a client
certificate. With PgJDBC you use JSSE's keystore support.

Client certificates are a *much* stronger way to do this. Another good
option can be Kerberos. Either way, encrypting .pgpass seems utterly
pointless.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
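
Added example, not part of the original message or of libpq: a small Python check for the distinction drawn in the thread, whether a client private key file is passphrase-encrypted or effectively plain text on disk. The function names and the sample PEM blocks are constructed for illustration; `postgresql.key` is libpq's default client key file name.

```python
import os
import re
import tempfile

# Constructed samples: the base64 bodies are placeholders, not real key material.
SAMPLE_PLAIN = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS8_ENC = SAMPLE_PLAIN.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                     "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")

_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")

def key_is_encrypted(pem_text):
    """True/False for the first PEM private key in pem_text, None if there is none."""
    m = _BEGIN.search(pem_text)
    if m is None:
        return None
    if m.group(1) == "ENCRYPTED PRIVATE KEY":  # PKCS#8 EncryptedPrivateKeyInfo
        return True
    # Traditional OpenSSL format marks encryption with a Proc-Type header in the block.
    end = pem_text.find("-----END", m.end())
    block = pem_text[m.end():end if end != -1 else len(pem_text)]
    return "Proc-Type: 4,ENCRYPTED" in block

def audit_key_file(path):
    """Return findings for one client key file; an empty list means none."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # simplified: any group/world bit is reported
        findings.append("group/world access (mode %04o)" % mode)
    with open(path, encoding="ascii", errors="replace") as fh:
        encrypted = key_is_encrypted(fh.read())
    if encrypted is None:
        findings.append("no PEM private key found")
    elif not encrypted:
        findings.append("private key is stored unencrypted")
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "postgresql.key")  # libpq's default key file name
        with open(path, "w") as fh:
            fh.write(SAMPLE_PLAIN)
        os.chmod(path, 0o644)  # deliberately loose, to trigger the finding
        return audit_key_file(path)

if __name__ == "__main__":
    print(demo())
```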