From: | domenico febbo <mimmopasticcio(at)gmail(dot)com> |
---|---|
To: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
Cc: | Matthias Apitz <guru(at)unixarea(dot)de>, pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256 |
Date: | 2019-09-19 14:27:42 |
Message-ID: | CALqvQ1ORrnvu=X_MpNdxZ4jm6Nj4+uEm_mdpPk4jrfAtiP+6AQ@mail.gmail.com |
Lists: | pgsql-general |
Hi,
maybe you want to use the pgcrypto [1] encrypt/decrypt functions with a "secret"
word stored outside the database.
See F.25.4. Raw Encryption Functions
[1] https://www.postgresql.org/docs/11/pgcrypto.html
Regards,
On Thu, 19 Sep 2019 at 16:19, Adrian Klaver <
adrian(dot)klaver(at)aklaver(dot)com> wrote:
> On 9/19/19 3:30 AM, Matthias Apitz wrote:
> >
> > Hello,
> >
> > Our software, a huge ILS, is running on Linux with DBS Sybase. To
> > connect to the Sybase server (over the network, even on localhost),
> > credentials must be known: a user (say 'sisis') and its password.
> >
> > For Sybase we have them stored on the disk of the system in a file
> > syb.npw as:
> >
> > $ cat /opt/lib/sisis/etc/syb/syb.npw
> > sisis:e53902b9923ab2fb
> > sa:64406def48efca8c
> >
> > for the user 'sisis' and the administrator 'sa'. Our software has as
> > shared library a blob which knows how to decrypt the password hash above
> > shown as 'e53902b9923ab2fb' into clear text which is then used in the
> > ESQL/C or Java layer to connect to the Sybase server.
> >
> > For PostgreSQL the password must be typed in (for pgsql) or can be
> > provided in an environment variable PGPASSWORD=blabla
> >
> > Is there somehow an API in PG to use ciphered passwords and provide as a
> > shared library the blob to decrypt it? If not, we will use the mechanism
> > same as
>
> There is not and I am not sure that would be much use even if it did
> exist. You would be right back at someone being able to grab the
> credentials from a file and feeding them to the database for access.
>
> The system you currently have at least seems to limit access to a
> specific program external to Postgres.
>
> > we use for Sybase. Or any other idea to not make detectable the
> > credentials? This was a request of our customers some years ago.
> >
> > matthias
> >
> >
>
>
> --
> Adrian Klaver
> adrian(dot)klaver(at)aklaver(dot)com
>
>
>
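
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not PostgreSQL or vendor code: a `user:hex` file that a shipped library can decrypt gives clear text to anyone who holds both the file and the library, so the file mode is the control worth auditing. The key, the toy cipher, the file name `demo.npw` and all function names are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

# Assumption: stands in for the key compiled into the shared library.
EMBEDDED_KEY = b"constructed-demo-key"

def _xor(user: str, data: bytes) -> bytes:
    # Toy reversible scheme (SHAKE-256 keystream); NOT the algorithm behind syb.npw.
    ks = hashlib.shake_256(EMBEDDED_KEY + user.encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(user: str, password: str) -> str:
    return _xor(user, password.encode()).hex()

def load_credentials(path: str) -> dict:
    """Parse 'user:hex' lines; the file plus the embedded key yields clear text."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            user, sep, token = line.strip().partition(":")
            if sep and user and token:
                creds[user] = _xor(user, bytes.fromhex(token)).decode()
    return creds

def audit_permissions(path: str) -> list:
    """Report any access beyond the owner: the file mode is the real control."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:04o} grants group/other access"]
    return []

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.npw")  # constructed sample file
        with open(path, "w") as fh:
            fh.write(f"sisis:{seal('sisis', 'blabla')}\n")
        os.chmod(path, 0o644)
        loose = audit_permissions(path)
        os.chmod(path, 0o600)
        return load_credentials(path), loose, audit_permissions(path)

if __name__ == "__main__":
    print(demo())
```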