Re: BUG #16450: Recovery.conf file shows clear text password.

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: abcxiaod(at)126(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>
Subject: Re: BUG #16450: Recovery.conf file shows clear text password.
Date: 2020-05-18 09:47:39
Message-ID: CABUevExhD-aU8++xn40Z4R6EX7fvN541t+wZTx-JMZQz=9AAGA@mail.gmail.com
Lists: pgsql-bugs

On Mon, May 18, 2020 at 11:41 AM PG Bug reporting form <
noreply(at)postgresql(dot)org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 16450
> Logged by: yi Ding
> Email address: abcxiaod(at)126(dot)com
> PostgreSQL version: 10.12
> Operating system: linux
> Description:
>
> cat recovery.conf
>
> standby_mode = 'on'
> primary_conninfo = 'host=2019::abcd:516 port=6755 user=test
> application_name=sb2019abcd516 password=8d5s256fhHJ keepalives_idle=60
> keepalives_interval=5 keepalives_count=5 sslmode=disable'
> recovery_target_timeline = 'latest'
>
>
As PostgreSQL needs the password to connect to a service requiring a
password, it has to be stored either in plaintext or plaintext-equivalent.

You can avoid this by using an authentication method that does not require
a password to be stored, such as Kerberos/gssapi or certificate.
Nevertheless, the client side of the connection needs to store the
credentials for access *in some way*, but for example with certificate
authentication method you could use a smartcard or yubikey or similar to
store it.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
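To illustrate the alternative mentioned in the reply, here is an added configuration example (not part of the original thread) showing the password-based `primary_conninfo` from the bug report next to a certificate-based one, plus the matching `pg_hba.conf` entry on the primary. The certificate file paths, the standby address `2001:db8::10` and the certificate CN are assumed placeholders.

```ini
# --- recovery.conf on the standby: BEFORE (credential in clear text) ---
# Anyone who can read this file learns the replication password.
standby_mode = 'on'
primary_conninfo = 'host=2019::abcd:516 port=6755 user=test application_name=sb2019abcd516 password=<password-here> keepalives_idle=60 keepalives_interval=5 keepalives_count=5 sslmode=disable'
recovery_target_timeline = 'latest'

# --- recovery.conf on the standby: AFTER (client certificate, no password) ---
# sslmode=verify-full also checks the primary's certificate against sslrootcert.
# libpq refuses to use sslkey unless the file is owned by the connecting user
# and mode 0600 or stricter, so the private key still needs file protection.
# Paths below are assumed placeholders.
standby_mode = 'on'
primary_conninfo = 'host=2019::abcd:516 port=6755 user=test application_name=sb2019abcd516 sslmode=verify-full sslrootcert=/etc/postgresql/certs/root.crt sslcert=/etc/postgresql/certs/standby.crt sslkey=/etc/postgresql/certs/standby.key keepalives_idle=60 keepalives_interval=5 keepalives_count=5'
recovery_target_timeline = 'latest'

# --- pg_hba.conf on the primary (PostgreSQL 10 syntax) ---
# TYPE     DATABASE      USER   ADDRESS            METHOD
# Only an SSL connection presenting a client certificate whose CN is "test"
# (or mapped to "test" via pg_ident.conf) is accepted for replication.
# The standby address is an assumed placeholder.
hostssl    replication   test   2001:db8::10/128   cert
```

With `cert` authentication the private key replaces the password as the stored credential, which is the "in some way" caveat from the reply; it can in turn be moved off disk onto a smartcard or similar token via an OpenSSL engine if the build supports it.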