Обсуждение: [GENERAL] Service configuration file and password security
Hello,
This might seem a pretty novice question but I can't find an answer.
Can the password be stored in an encrypted way inside a service configuration file?
This might seem a pretty novice question but I can't find an answer.
Can the password be stored in an encrypted way inside a service configuration file?
--
Jacoupy Jean-Philippe
Jacoupy Jean-Philippe
Sent from ProtonMail, encrypted email based in Switzerland.
On 02/16/2017 05:57 AM, JP Jacoupy wrote: > Hello, > > This might seem a pretty novice question but I can't find an answer. > > Can the password be stored in an encrypted way inside a service > configuration file? To be clear you are talking about this, correct?: https://www.postgresql.org/docs/9.6/static/libpq-pgservice.html If so then no as I understand it. Assuming you have password authentication set up to md5, libpq takes care of doing the md5-hash before sending it to the server. You do have the following options: 1) https://www.postgresql.org/docs/9.6/static/libpq-pgpass.html 2) https://www.postgresql.org/docs/9.6/static/libpq-envars.html PGPASSWORD behaves the same as the password connection parameter. Use of this environment variable is not recommended for security reasons, as some operating systems allow non-root users to see process environment variables via ps; instead consider using the ~/.pgpass file (see Section 32.15). PGPASSFILE specifies the name of the password file to use for lookups. If not set, it defaults to ~/.pgpass (see Section 32.15). 2) And coming in version 10: http://paquier.xyz/postgresql-2/postgres-10-pgpassfile-connection/ > > -- > Jacoupy Jean-Philippe > > > Sent from ProtonMail <https://protonmail.ch>, encrypted email based in > Switzerland. > > -- Adrian Klaver adrian.klaver@aklaver.com
On Thu, Feb 16, 2017 at 2:57 PM, JP Jacoupy <jpjacoupy@protonmail.com> wrote: > Can the password be stored in an encrypted way inside a service > configuration file? There is not Passwords are not stored in the ( sometimes shared, world readable ) service configuration file ( pg_sevice), but it the UNREADABLE FOR OTHERS password file. They need to be stored in a way which libpq and friends can use, so even if they were encrypted they could be extracted easily byjust debugging and setting a breakpoint in it. If you are looking at something like a password store with a master password at least in unix a user account with a .pgpass file works as it. You store every password in file readable by a user, .pgpass, and you use that user login credentials to get access to it. Francisco Olarte.