| From: | mbork(at)mbork(dot)pl |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | What are best practices wrt passwords? |
| Date: | 2024-10-16 09:35:46 |
| Message-ID: | 87o73kgzkd.fsf@mbork.pl |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hello all,
I'd like to be able to use psql without typing passwords again and
again. I know about `.pgpass` and PGPASSFILE, but I specifically do not
want to use it - I have the password in the `.env` file, and having it
in _two_ places comes with its own set of problems, like how to make
sure they don't get out of sync.
I understand why giving the password on the command line or in an
environment variable is a security risk (because of `ps`), but I do not
understand why `psql` doesn't have an option like `--password-command`
accepting a command which then prints the password on stdout. For
example, I could then use `pass` (https://www.passwordstore.org/) with
gpg-agent.
Is there any risk associated with this usage pattern? What is the
recommended practice in my case other than using `.pgpass`?
Thanks in advance,
P.S. Please CC me in replies, since I'm not subscribed to the list.
Thanks.
--
Marcin Borkowski
https://mbork.pl
https://crimsonelevendelightpetrichor.net/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Richards, Nina | 2024-10-16 11:57:14 | Re: Support for dates before 4713 BC |
| Previous Message | Vijaykumar Jain | 2024-10-16 07:02:18 | Re: how to know if the sql will run a seq scan |