Re: scram-sha-256 encrypted password in pgpass

From: Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>, Pavan Kumar <pavan(dot)dba27(at)gmail(dot)com>
Cc: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>, Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>, "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: scram-sha-256 encrypted password in pgpass
Date: 2020-06-23 00:19:22
Message-ID: bd8bb482-11b7-6987-0a3c-bee5ba895019@aklaver.com
Lists: pgsql-admin pgsql-general

On 6/22/20 3:54 PM, Stephen Frost wrote:
> Greetings,
>
> * Pavan Kumar (pavan(dot)dba27(at)gmail(dot)com) wrote:
>>> What would be the point of storing the encrypted password instead of the
>>> plaintext one?
>> As per our organization security policies, we can't keep any passwords in
>> plain text format.
>
> Then you need to *actually* encrypt the password in whatever file you'd
> like, and then decrypt it using a key from somewhere when you go to
> connect to PG and use it to connect to PG.
>
> Anything that doesn't involve some key from somewhere being used to
> decrypt it isn't actually meeting your organization's security policies,
> certainly not anything that's just dumping whatever into .pgpass and
> then allowing you to connect.
>
>> I am working on postgres + pgbouncer setup, tested pgbouncer 1.14 where we
>> have support to use encrypted password in userlist.txt file. I am
>> surprised why pgpass is not supporting encrypted passwords.
>
> I'm not sure what you mean here, but I'm pretty confident it's not
> actually what you think. If you can directly connect with it, without
> providing some kind of additional key, then it's, pretty much by
> definition, not encrypted.

The relevant section is:

http://www.pgbouncer.org/config.html#authentication-file-format

and it has quite a few caveats wrt SCRAM.

>
> Thanks,
>
> Stephen
>

--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
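
Added example, not part of the original message and not PostgreSQL or PgBouncer code: a sketch of how a SCRAM-SHA-256 secret of the form SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> is derived and checked, showing that it is a one-way verifier and that supplying the verifier string itself where a password is expected (as a .pgpass entry would) does not authenticate. The function names, password and salt are constructed for illustration, and the password is assumed to be plain ASCII so SASLprep normalization is skipped.

```python
import base64
import hashlib
import hmac


def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # SCRAM "Hi()" is PBKDF2-HMAC-SHA256 with a 32-byte output.
    # Assumption: ASCII password, so no SASLprep normalization is applied.
    return hashlib.pbkdf2_hmac("sha256", password.encode("ascii"), salt, iterations)


def build_verifier(password: str, salt: bytes, iterations: int = 4096) -> str:
    """Derive the stored secret from a plaintext password (hypothetical helper)."""
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # one-way hash of ClientKey
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"SCRAM-SHA-256${iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"


def parse_verifier(verifier: str):
    """Split a secret into (iterations, salt, stored_key, server_key)."""
    scheme, params, keys = verifier.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 secret")
    iterations, salt_b64 = params.split(":")
    stored_b64, server_b64 = keys.split(":")
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))


def password_matches(candidate: str, verifier: str) -> bool:
    """True only if `candidate` is the plaintext the secret was derived from."""
    iterations, salt, stored_key, _ = parse_verifier(verifier)
    salted = _salted_password(candidate, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


if __name__ == "__main__":
    salt = bytes(range(16))            # constructed 16-byte salt
    password = "s3cret-constructed"    # constructed sample password
    secret = build_verifier(password, salt)
    print(secret)
    print("plaintext accepted:", password_matches(password, secret))
    # The secret string used in place of the password is just a different,
    # wrong password: the check fails.
    print("secret-as-password accepted:", password_matches(secret, secret))
```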
