Hi,

On 21 February 2014, 16:52, Christopher Browne wrote:
> On Fri, Feb 21, 2014 at 7:49 AM, firoz e v <firoz...@huawei.com> wrote:
>
>>  Hi,
>>
>>
>>
>> Is there a way to store the password in ".pgpass" file in an encrypted
>> format (for example, to be used by pg_dump).
>>
>>
>>
>> Even though, there are ways to set the permissions on .pgpass, to disallow
>> any access to world or group, the security rules of many organizations
>> disallow to hold any kind of passwords, as plain text.
>>
>>
>>
>> If there is no existing way to do this, shall we take up this, as a patch?
>>
>
> As observed by others, storing the password in encrypted form in .pgpass
> merely means that you need to store the password to decrypt .pgpass in
> still another file that would, again, run afoul of such security policies.
> There is no appetite in the community to do implementation work that is
> provably useless as it cannot accomplish what people imagine to accomplish.

Sure. If you want to log-in without any user interaction, then the
password needs to be stored in a form equal to cleartext (e.g. with a
key). It's mostly security by obscurity.

What I think might be useful and safe at the same time is encrypted
.pgpass with tools asking for the encryption key. Think of it as a simple
password wallet - not really useful if you're connecting to a single
database, very useful if you have many as you only need to remember the
single password.

If the encrypted passwords were stored in a separate file (say
.pgpass.wallet) then this should not break the current tools. The tools
would do this:

1) exists .pgpass?
   1.a) read .pgpass -> is there a matching record? (yes -> stop)
2) exists .pgpass.wallet?
   2.a) ask for encryption key
   2.b) read .pgpass using the decryption key
   2.c) is there a matching record? (yes -> stop)
3) ask for connection info directly

BTW yes, I know what kerberos is, but many of us are dealing with
companies that don't use it.

regards
Tomas
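
Added example (not part of the original message and not PostgreSQL code): the lookup order from steps 1-3 above, in Python, showing that the key prompt happens only when the plaintext .pgpass has no match. Assumptions: step 2.b is read as decrypting .pgpass.wallet, the wallet plaintext uses the .pgpass line format, and decrypt, ask_key and ask_password are hypothetical caller-supplied callables, since the message names no cipher.

```python
import stat
from pathlib import Path

def split_fields(line):
    """Split a .pgpass line on ':' while honouring '\\:' and '\\\\' escapes."""
    fields, cur, esc = [], [], False
    for ch in line:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return fields + ["".join(cur)]

def find_password(text, conn):
    """Password of the first hostname:port:database:username:password match."""
    for line in text.splitlines():
        f = split_fields(line)
        if line.startswith("#") or len(f) != 5:
            continue
        if all(pat in ("*", want) for pat, want in zip(f, conn)):
            return f[4]
    return None

def usable(path):
    """Regular file with no group/world access (libpq's rule for .pgpass on Unix)."""
    p = Path(path)
    return p.is_file() and not (p.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def lookup(conn, pgpass, wallet, ask_key, decrypt, ask_password):
    """conn = (host, port, database, user) as strings; returns (password, source)."""
    if usable(pgpass):                                   # step 1
        pw = find_password(Path(pgpass).read_text(), conn)
        if pw is not None:
            return pw, "pgpass"                          # step 1.a: match, stop
    if usable(wallet):                                   # step 2
        key = ask_key()                                  # step 2.a: prompt only now
        plain = decrypt(Path(wallet).read_bytes(), key)  # step 2.b: hypothetical callable
        pw = find_password(plain, conn)
        if pw is not None:
            return pw, "wallet"                          # step 2.c: match, stop
    return ask_password(), "prompt"                      # step 3

# Constructed sample records, not real credentials.
SAMPLE_PGPASS = "db1.example:5432:*:backup:pw\\:one\n"
SAMPLE_WALLET_PLAINTEXT = "# wallet\n*:5432:sales:report:pw-two\n"
```
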



-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)