Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256

On 9/19/19 3:30 AM, Matthias Apitz wrote:
> 
> Hello,
> 
> Our software, a huge ILS, is running on Linux with DBS Sybase. To
> connect to the Sybase server (over the network, even on localhost),
> credentials must be known: a user (say 'sisis') and its password.
> 
> For Sybase we have them stored on the disk of the system in a file
> syb.npw as:
> 
> $ cat /opt/lib/sisis/etc/syb/syb.npw
> sisis:e53902b9923ab2fb
> sa:64406def48efca8c
> 
> for the user 'sisis' and the administrator 'sa'. Our software has as
> shared library a blob which knows how to decrypt the password hash above
> shown as 'e53902b9923ab2fb' into clear text which is then used in the
> ESQL/C or Java layer to connect to the Sybase server.
> 
> For PostgreSQL the password must be typed in (for pgsql) or can be
> provided in an environment variable PGPASSWORD=blabla
> 
> Is there somehow an API in PG to use ciphered passwords and provide as a
> shared library the blob to decrypt it? If not, we will use the mechanism same as

There is not and I am not sure that would be much use even if it did 
exist. You would be right back at someone being able to grab the 
credentials from a file and feeding them to the database for access.

The system you currently have at least seems to limit access to a 
specific program external to Postgres.

> we use for Sybase. Or any other idea to not make detectable the
> credentials? This was a request of our customers some years ago.
> 
>     matthias
> 
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com