From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
Cc: | Tim Cross <theophilusx(at)gmail(dot)com>, pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: scram-sha-256 encrypted password in pgpass |
Date: | 2020-06-23 07:37:38 |
Message-ID: | CABUevExPBT1wgv+mNxSyEiL_c1d4xvg6=723m6isP3CvzDZHww@mail.gmail.com |
Lists: | pgsql-admin pgsql-general |
On Tue, Jun 23, 2020 at 3:53 AM Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> wrote:
> On 2020-Jun-23, Tim Cross wrote:
>
> > If you need to use a password in a command line scenario (i.e. with a
> > script), then one way to get around the issue of not storing plain text
> > passwords is to use GPG. The basic model is
> >
> > - Create a GPG key and store it in a secure place, such as a keystore
> > - Use that GPG key to encrypt your password in a file e.g. my-secret.gpg
> > - In your script, you can have something like
> >
> > PWD=$(gpg -q --for-your-eyes-only --no-tty -d ~/.secure/my-secret.gpg)
>
> Perhaps the way to implement this is to have .pgpass be a named pipe,
> and you have a program that produces lines from encrypted input after
> requesting a passphrase from the user -- perhaps using gpg underneath.
> I have vague recollections of this being discussed in the past.
>
> For example, see this thread from 2013
>
> https://www.postgresql.org/message-id/CAAZKuFaJUfdDFp1_vGHbDfYRu0Sj6mSOVvKRp87aCQ53ov6iwA@mail.gmail.com
>
>
libpq in 13 adds PQsetSSLKeyPassHook_*() which allows a low level interface
for doing this for SSL. There is no fundamental reason not to have a
similar hook for regular passwords, to begin with. Then on top of that we
could provide built-in hooks and a way to activate them to use for example
a named pipe, calling a shell, reading from terminal etc -- but then to
make it possible to re-use that for both passwords and passphrases and
possibly more.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
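The script pattern Tim sketches, as an added example that is not part of this thread: the password is decrypted only when needed and handed to one command through a temporary 0600 PGPASSFILE (a regular file, since libpq refuses a password file that is not a plain file, which is why a named pipe at ~/.pgpass does not work as-is), with libpq's `\:` and `\\` field escaping applied so a password containing ':' still matches. The names pgpass_escape, run_with_pgpass and PG_SECRET_CMD are this example's own; gpg is the default source, but any command that prints the secret can be substituted.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs COMMAND with a short-lived
# PGPASSFILE whose password is produced at run time by $PG_SECRET_CMD
# (default: gpg decrypt of an encrypted file), so no plaintext password is
# kept on disk or passed on a command line.

# Escape '\' and ':' the way libpq expects inside a pgpass field.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Usage: run_with_pgpass HOST PORT DB USER COMMAND [ARGS...]
# Returns the command's exit status; the temporary file is removed afterwards.
run_with_pgpass() {
    host=$1 port=$2 db=$3 user=$4
    shift 4
    cmd=${PG_SECRET_CMD:-'gpg -q --for-your-eyes-only --no-tty -d "$HOME/.secure/my-secret.gpg"'}
    secret=$(sh -c "$cmd") || {
        echo "run_with_pgpass: could not obtain the password" >&2
        return 1
    }
    [ -n "$secret" ] || { echo "run_with_pgpass: empty password" >&2; return 1; }
    dir=$(mktemp -d) || return 1
    # Write host:port:db:user:password with 0600 permissions; the subshell
    # keeps the umask change from leaking into the caller's shell.
    ( umask 077
      printf '%s:%s:%s:%s:%s\n' "$(pgpass_escape "$host")" "$port" \
          "$(pgpass_escape "$db")" "$(pgpass_escape "$user")" \
          "$(pgpass_escape "$secret")" > "$dir/pgpass" )
    PGPASSFILE="$dir/pgpass" "$@"
    status=$?
    rm -rf "$dir"
    return "$status"
}
```

Typical use is `run_with_pgpass db.example.org 5432 app alice psql -h db.example.org -U alice app -c 'select 1'`; an interrupted command can leave the temporary directory behind, so a trap or a tmpfs location is worth adding in long-running jobs.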