From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net>, Pavan Kumar <pavan(dot)dba27(at)gmail(dot)com> |
Cc: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>, "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: scram-sha-256 encrypted password in pgpass |
Date: | 2020-06-23 00:19:22 |
Message-ID: | bd8bb482-11b7-6987-0a3c-bee5ba895019@aklaver.com |
Lists: | pgsql-admin pgsql-general |
On 6/22/20 3:54 PM, Stephen Frost wrote:
> Greetings,
>
> * Pavan Kumar (pavan(dot)dba27(at)gmail(dot)com) wrote:
>>> What would be the point of storing the encrypted password instead of the
>>> plaintext one?
>> As per our organization security policies, we can't keep any passwords in
>> plain text format.
>
> Then you need to *actually* encrypt the password in whatever file you'd
> like, and then decrypt it using a key from somewhere when you go to
> connect to PG and use it to connect to PG.
>
> Anything that doesn't involve some key from somewhere being used to
> decrypt it isn't actually meeting your organization's security policies,
> certainly not anything that's just dumping whatever into .pgpass and
> then allowing you to connect.
>
>> I am working on postgres + pgbouncer setup, tested pgbouncer 1.14 where we
>> have support to use encrypted password in userlist.txt file. I am
>> surprised why pgpass is not supporting encrypted passwords.
>
> I'm not sure what you mean here, but I'm pretty confident it's not
> actually what you think. If you can directly connect with it, without
> providing some kind of additional key, then it's, pretty much by
> definition, not encrypted.

The relevant section is:
http://www.pgbouncer.org/config.html#authentication-file-format
and it has quite a few caveats wrt SCRAM.

>
> Thanks,
>
> Stephen
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
From | Date | Subject | |
---|---|---|---|
Next Message | Tim Cross | 2020-06-23 00:26:08 | Re: scram-sha-256 encrypted password in pgpass |
Previous Message | Ravi Krishna | 2020-06-22 23:54:21 | Re: scram-sha-256 encrypted password in pgpass |