From: | MURAT KOÇ <m(dot)koc21(at)gmail(dot)com> |
---|---|
To: | Alban Hertroys <haramrae(at)gmail(dot)com> |
Cc: | Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Changing Passwords as Encrypted not Clear-Text |
Date: | 2011-12-19 15:52:50 |
Message-ID: | CAA4y46zDW03S3hvVpjc8G02gDB7_9V8sqwr2OBVo9nPB4yixEA@mail.gmail.com |
Lists: | pgsql-general |
Hi,
My answers are written under your comments.
Best Regards
Murat KOC
2011/12/19 Alban Hertroys <haramrae(at)gmail(dot)com>
> On 19 December 2011 16:26, MURAT KOÇ <m(dot)koc21(at)gmail(dot)com> wrote:
> > Hi Adrian,
> >
> > I wrote a desktop application on Windows by using "Npgsql.dll". So, I send
> > SQL statements to the database from this application code. I can't use the psql
> > command line (I know the "\password" command changes the password as encrypted text).
> >
> > Because of this, I have to use the "ALTER USER" statement from application code.
> > Or what other advice could you give?
>
> Apparently psql doesn't send a plain ALTER ROLE statement. It probably
> uses the binary protocol. Perhaps your application can do the same.
>
Although my application uses the binary protocol, it has to send an "ALTER
USER" statement to the PostgreSQL database to change a DB user's password.
>
> Alternatively, you can secure your (apparently insecure) connection to
> the DB using SSL or an ssh tunnel or somesuch.
>
The problem is not a secure connection to the DB; the problem is that PostgreSQL logs
include password changes in clear text, not encrypted.
### Server Logs ###
2011-12-19 14:35:31 EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter user mkoc password 'dummy';
2011-12-19 14:35:41 EET--postgres--postgres--[local]--psql--idle--00000LOG: statement: alter user mkoc with password 'dummy';
>
> That said, if you are having issues with a fellow DBA, you should
> create a policy that you don't use each others' login credentials when
> it matters. You're DBA's, there is no security measure that will stop
> you from obtaining private data from the databases you manage. Access
> to the log files is only a small part of that.
>
Of course, we could create login credentials and login configuration options
for every DBA colleague. But, as I said previously, the big problem is
*"PostgreSQL logs include password changes in clear text, not encrypted"*
>
> --
> If you can't see the forest for the trees,
> Cut the trees and you'll see there is no forest.
>
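What psql's \password actually does is pre-hash the password on the client with libpq's PQencryptPassword and send ALTER USER with the hash as the literal, so a server configured with log_statement only ever logs the hash. The following is an added example written for this thread, not Murat's Npgsql code and not PostgreSQL's own source; it is in Python rather than C# so it runs anywhere. It assumes md5 password authentication as used by PostgreSQL of that era, where the stored form is 'md5' followed by the hex md5 of password concatenated with the role name. The function names, SAMPLE_LOG_LINES and the placeholder hash in the third log line are constructed for the example; the first two log lines reproduce the format shown above.

```python
import hashlib
import re

# Pre-hashed password literals of the md5 scheme: 'md5' + 32 hex digits.
MD5_PASSWORD_RE = re.compile(r"^md5[0-9a-f]{32}$")

# Matches ALTER USER/ROLE <name> [WITH] [ENCRYPTED] PASSWORD '<literal>' in a logged statement.
ALTER_PASSWORD_RE = re.compile(
    r"alter\s+(?:user|role)\s+(\"[^\"]+\"|\S+)\s+(?:with\s+)?(?:encrypted\s+)?"
    r"password\s+'((?:[^']|'')*)'",
    re.IGNORECASE,
)


def pg_md5_password(username: str, password: str) -> str:
    """Pre-hash the way psql's \\password does for md5 auth (constructed helper):
    'md5' + hex(md5(password || username)); the role name acts as the salt."""
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def quote_identifier(name: str) -> str:
    """Double-quote an SQL identifier, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Single-quote an SQL string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def build_alter_user(username: str, password: str) -> str:
    """ALTER USER statement carrying only the hash, so log_statement never sees clear text."""
    return "ALTER USER {} PASSWORD {};".format(
        quote_identifier(username), quote_literal(pg_md5_password(username, password))
    )


def audit_log_line(line: str):
    """Return (role, literal, is_hashed) when a line logs a password change, else None."""
    m = ALTER_PASSWORD_RE.search(line)
    if not m:
        return None
    role, literal = m.group(1), m.group(2).replace("''", "'")
    return role.strip('"'), literal, bool(MD5_PASSWORD_RE.match(literal))


def find_cleartext_password_changes(lines):
    """Role names whose password change was logged with a clear-text literal."""
    hits = []
    for line in lines:
        found = audit_log_line(line)
        if found and not found[2]:
            hits.append(found[0])
    return hits


# Constructed sample log lines in the prefix format shown in the thread
# (time--user--db--host--app--state--sqlstate); the third uses a placeholder hash.
SAMPLE_LOG_LINES = [
    "2011-12-19 14:35:31 EET--postgres--postgres--[local]--psql--idle--00000LOG: "
    "statement: alter user mkoc password 'dummy';",
    "2011-12-19 14:35:41 EET--postgres--postgres--[local]--psql--idle--00000LOG: "
    "statement: alter user mkoc with password 'dummy';",
    "2011-12-19 14:36:02 EET--postgres--postgres--[local]--app--idle--00000LOG: "
    "statement: ALTER USER \"mkoc\" PASSWORD 'md5" + "0" * 32 + "';",
]

if __name__ == "__main__":
    print(build_alter_user("mkoc", "dummy"))
    print("clear-text changes logged for:", find_cleartext_password_changes(SAMPLE_LOG_LINES))
```

The statement built this way can be sent from any client, Npgsql included, since it is ordinary SQL; the server stores the literal as-is because it already has the md5 prefix. Two caveats: the logged hash is itself the md5 authentication verifier, so log files still need restricted access, and PostgreSQL 10 and later default to scram-sha-256, where libpq's PQencryptPasswordConn produces the matching verifier instead of this md5 form.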