Re: Storing the password in .pgpass file in an encrypted format

From: Tomas Vondra <tv(at)fuzzy(dot)cz>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Storing the password in .pgpass file in an encrypted format
Date: 2014-02-21 23:54:32
Message-ID: 5307E738.6070004@fuzzy.cz
Lists: pgsql-hackers

On 22.2.2014 00:02, Josh Berkus wrote:
> On 02/21/2014 09:11 AM, Tomas Vondra wrote:
>> What I think might be useful and safe at the same time is encrypted
>> .pgpass with tools asking for the encryption key. Think of it as a simple
>> password wallet - not really useful if you're connecting to a single
>> database, very useful if you have many as you only need to remember the
>> single password.
>
> Sounds interesting, but probably better as an external utility than
> as part of PostgreSQL. Call it pgWallet.

Depends on how you define external utility. It certainly needs to be
somehow integrated with the tools using .pgpass. Do you have something
particular in mind?

While libsecret may look like a good choice, it kinda requires Gnome or
KDE (or some other desktop environment supporting it) running, as it's
just a proxy to the services provided by these environments. I'd bet
most server installations won't have that installed, and in such cases
it's pointless.

Maybe it can be forwarded to the original machine somehow (something
like what 'ssh -A' does), I'm not sure.

I would prefer something self-contained, not requiring a lot of other
stuff installed.

What I envisioned is a simple wallet (basically encrypted .pgpass) with
a simple management command-line tool. Let's call that 'pgpass', with
these options:

pgpass list
pgpass add
pgpass rm

I'm fully aware that writing a good / reliable / secure tool for storing
passwords is tricky, and if there's something implemented and usable,
let's use that.

I'm also wondering how well the existing solutions will support the
host/database/user/password model, with wildcards for some of the
fields. I'd guess most of them use simple username/password pairs.

regards
Tomas

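Added example (not code from this thread, and not PostgreSQL project code): whatever wallet or external store replaces .pgpass has to reproduce libpq's lookup semantics exactly, or a wildcard entry can hand a connection the wrong credential. The block below implements the documented .pgpass rules in plain Python: five colon-separated fields (hostname:port:database:username:password), `*` as a wildcard in any field, backslash escaping of `:` and `\`, first matching line wins, an empty host or a Unix-socket directory looked up as `localhost`, port defaulting to 5432, and the file being rejected if it is group- or world-accessible. The encryption layer itself is left out; the sample entries are constructed and the `list_entries`/`remove_entry` helpers are hypothetical stand-ins for the `pgpass list`/`pgpass rm` commands sketched above.

```python
"""Parse and match .pgpass entries the way libpq does. Added illustration for
the wallet idea in the thread; not libpq code. Sample data is constructed."""
import stat
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PORT = "5432"  # libpq's default when the connection gives no port

@dataclass
class Entry:
    host: str
    port: str
    database: str
    user: str
    password: str

def _split_fields(line: str) -> List[str]:
    """Split on unescaped ':'; a backslash escapes ':' and '\\'."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    return fields

def parse_pgpass(text: str) -> List[Entry]:
    """Blank and '#' comment lines are ignored; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        if len(fields) != 5:
            continue
        entries.append(Entry(*fields))
    return entries

def _field_matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value

def lookup(entries: List[Entry], host: str, port: str,
           database: str, user: str) -> Optional[str]:
    """Return the password of the first matching entry, or None."""
    # libpq: no host, or a socket directory, is looked up as "localhost"
    if not host or host.startswith("/"):
        host = "localhost"
    port = port or DEFAULT_PORT
    for e in entries:
        if (_field_matches(e.host, host) and _field_matches(e.port, port)
                and _field_matches(e.database, database)
                and _field_matches(e.user, user)):
            return e.password  # order matters: first match wins
    return None

def mode_ok(mode: int) -> bool:
    """libpq refuses a password file that is group- or world-accessible
    (anything beyond u=rw, 0600). Takes an st_mode value."""
    return stat.S_ISREG(mode) and (mode & 0o077) == 0

def _escape(field: str) -> str:
    return field.replace("\\", "\\\\").replace(":", "\\:")

def serialize(entries: List[Entry]) -> str:
    """Inverse of parse_pgpass; used when writing the wallet back out."""
    return "".join(":".join(_escape(v) for v in
                   (e.host, e.port, e.database, e.user, e.password)) + "\n"
                   for e in entries)

def list_entries(entries: List[Entry]) -> List[str]:
    """Hypothetical 'pgpass list': show the key fields, never the password."""
    return [f"{e.host}:{e.port}:{e.database}:{e.user}" for e in entries]

def remove_entry(entries: List[Entry], host: str, port: str,
                 database: str, user: str) -> int:
    """Hypothetical 'pgpass rm': drop exact key matches, return count removed."""
    before = len(entries)
    entries[:] = [e for e in entries
                  if (e.host, e.port, e.database, e.user)
                  != (host, port, database, user)]
    return before - len(entries)

# Constructed sample; none of these are real credentials.
SAMPLE = """\
# local socket connections, password contains an escaped colon
localhost:*:*:postgres:local\\:secret
db1.example.com:5432:app:app_user:s3cret
*:*:*:readonly:ro-pass
"""

if __name__ == "__main__":
    entries = parse_pgpass(SAMPLE)
    for key in list_entries(entries):
        print(key)
    print(lookup(entries, "/var/run/postgresql", "", "app", "postgres"))
```

Two things worth noticing when reading it against the thread: the wildcard model is more than username/password pairs, so a generic secret store needs a layer like `lookup` on top of it, and line order is part of the data, so a wallet that stores entries in a set or a sorted map silently changes which password a wildcard returns.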