Re: mysql_config_editor feature suggestion

From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: Tom Ekberg <tekberg(at)uw(dot)edu>, pgsql-general(at)postgresql(dot)org
Subject: Re: mysql_config_editor feature suggestion
Date: 2017-03-21 23:57:35
Message-ID: 5538a259-7429-ab45-a1e8-7b7bb78f1046@aklaver.com
Lists: pgsql-general

On 03/21/2017 03:03 PM, Tom Ekberg wrote:
> I have been working with MySQL a bit (yes, I know, heresy) and
> encountered a program called mysql_config_editor. In my opinion it does
> a better job of local password management than using a ~/.pgpass file.
> Instead of assuming that a mode of 600 will keep people from peeking at
> your password, it encrypts the password, but keeps the other parameters
> like host, port and user available for viewing as plaintext. You can
> read more about it here:
>
> https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html
>
> The host, user, password values are grouped into what are called login
> paths which are of the form:
>
> [some_login_path]
> host = localhost
> user = localuser
>
> Just like the config files you have no doubt seen before. The only way
> to set a password is to use the command:
>
> mysql_config_editor set --login-path=some_login_path --password
>
> which will prompt the user to enter the password for the specified login
> path. The password is never seen as plain text. There are other commands
> to set, remove, print and reset values for a login path. The print
> command that shows a password will display this instead:
>
> password = *****
>
> Adding a similar feature for PostgreSQL will also require a change to
> the psql program to specify and handle --login-path used for
> authentication. This may also be the case for some of the other pg_*
> utilities.

Something like this?:

https://www.postgresql.org/docs/9.6/static/libpq-pgservice.html

with:

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ba005f193d88a8404e81db3df223cf689d64d75e

https://www.postgresql.org/docs/devel/static/libpq-connect.html#libpq-connect-passfile

The only thing lacking is that the passwords are not actually encrypted
in the file. Though there are other methods available than the md5
password authentication:

https://www.postgresql.org/docs/devel/static/auth-methods.html

>
> I think adding a feature like mysql_config_editor to PostgreSQL is an
> easy way to set up multiple "personalities" for connecting to different
> PostgreSQL servers. The password protection will deter the curious user
> from gaining access to your data. It will not stop a determined hacker,
> but the idea is to make it more difficult.
>
> Other than this mailing list, is there a way to make a feature request
> for PostgreSQL?
>
> Tom Ekberg
> Senior Computer Specialist, Lab Medicine
> University of Washington Medical Center
> 1959 NE Pacific St, MS 357110
> Seattle WA 98195
> work: (206) 598-8544
> email: tekberg(at)uw(dot)edu
>
>
>
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
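
The service-file-plus-passfile setup referred to in the reply above still relies on file permissions rather than encryption, so a permission check is the useful control. The following is an added example, not part of the original thread or of PostgreSQL: it audits every passfile named in a pg_service.conf, flagging any that group or others can access (libpq on Unix ignores such a file). The function names, host names, and file paths are constructed for illustration.

```python
import configparser
import stat
import tempfile
from pathlib import Path

# Constructed sample: two "login path"-like services, each with its own passfile.
SAMPLE_SERVICE_FILE = """\
[some_login_path]
host=localhost
user=localuser
passfile={d}/local.pgpass

[reporting]
host=db.example.internal
user=report
passfile={d}/reporting.pgpass
"""


def audit_services(service_file, default_passfile):
    """Map each service name to 'ok', 'missing' or 'too-open' for its passfile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(service_file)
    result = {}
    for name in cp.sections():
        passfile = Path(cp[name].get("passfile", str(default_passfile)))
        if not passfile.exists():
            result[name] = "missing"
            continue
        # libpq on Unix ignores a password file that group or others can access.
        too_open = passfile.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO)
        result[name] = "too-open" if too_open else "ok"
    return result


def demo():
    """Build the constructed files in a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        svc = Path(d, "pg_service.conf")
        svc.write_text(SAMPLE_SERVICE_FILE.format(d=d))
        for fname, mode in (("local.pgpass", 0o600), ("reporting.pgpass", 0o644)):
            p = Path(d, fname)
            p.write_text("localhost:*:*:localuser:constructed-password\n")
            p.chmod(mode)
        return audit_services(svc, Path(d, ".pgpass"))


if __name__ == "__main__":
    print(demo())
```

A service entry without a `passfile` line is checked against the default path passed as the second argument.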
