Re: scripting & psql issues
| From | Alvaro Herrera |
|---|---|
| Subject | Re: scripting & psql issues |
| Date | |
| Msg-id | 20040818214444.GG3360@dcc.uchile.cl |
| In reply to | Re: scripting & psql issues (Christopher Browne <cbbrowne@acm.org>) |
| Responses | libpq: passwords WAS: scripting & psql issues |
| List | pgsql-general |
On Wed, Aug 18, 2004 at 04:20:55PM -0400, Christopher Browne wrote:

> Check the docs for information on the "care and feeding" of .pgpass.
> You can put authentication information into $HOME/.pgpass and anything
> running using libpq will automatically look there.
>
> The passwords sit there in plain text form; it might be nice to use
> some encoded form (similar to the way Apache handles authentication).

Not sure what you mean here. Apache handles the server-side authentication by storing a hashed version of the password (I take it you are talking about the .htpasswd files). However, .pgpass is for client-side password storage.

Do you know of a better way to store the password than the plain text version? I know CVS stores a mangled version, but it's trivial to go from the stored password to the cleartext password, so a cracker can still get the password easily, and it would be a PITA for the users to have to process the password before storing if they are not going to get any extra security. Other ideas?

The problem here is that the password can't be stored one-way-hash digested, because the cleartext version is needed to be sent to the server.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"They all went about naked as their mothers bore them, and the women too, although I saw no more than one, quite young, and all those I saw were young men, none of whom I saw to be more than XXX years of age" (Cristóbal Colón)
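An added example, not part of the original message or of PostgreSQL's code: because the password in .pgpass has to remain recoverable, what can be checked is the file itself (libpq on Unix ignores it when group or others have any access). This Python sketch parses the documented `hostname:port:database:username:password` format and reports loose permissions, malformed lines and all-wildcard entries; the function names and the sample entries are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample entries (not real credentials); "\\:" is an escaped colon.
SAMPLE = "# comment\ndb.example.test:5432:app:alice:s3cr\\:et\n*:*:*:*:hunter2\nbroken:line\n"

def split_fields(line):
    """Split on unescaped ':'; a backslash makes the next character literal."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, "\\"))  # trailing backslash kept as-is
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def audit_pgpass(path):
    """Return findings for a .pgpass-style file without echoing any password."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: group/other can access file, use chmod 0600")
    with open(path, encoding="utf-8") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line or line.startswith("#"):
                continue  # blank lines and comments carry no entry
            fields = split_fields(line)
            if len(fields) != 5:
                findings.append(f"line {n}: expected 5 fields, got {len(fields)}")
            elif all(f == "*" for f in fields[:4]):
                findings.append(f"line {n}: wildcard in every field, password used for all connections")
    return findings

def demo(mode):
    """Write SAMPLE to a temporary file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pgpass")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_pgpass(path)

if __name__ == "__main__":
    print("\n".join(demo(0o644)))
```

To audit a real file, call `audit_pgpass(os.path.expanduser("~/.pgpass"))`.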