Re: password is no required, authentication is overridden

Dave Page wrote:

> 
>
>  
>
>>-----Original Message-----
>>From: pgsql-hackers-owner@postgresql.org 
>>[mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of 
>>Andrew Dunstan
>>Sent: 19 July 2006 13:55
>>To: Hiroshi Saito
>>Cc: Thomas Bley; pgsql-hackers@postgresql.org
>>Subject: Re: [HACKERS] password is no required, 
>>authentication is overridden
>>
>>
>>I don't understand what you are saying here. The problem is 
>>that it is 
>>not clear (at least to the original user, and maybe to 
>>others) that when 
>>pgadmin3 saves a password it saves it where it will be found by all 
>>libpq clients, not just by pgadmin3. 
>>    
>>
>
>From: http://www.pgadmin.org/docs/1.4/connect.html
>
>If you select "store password", pgAdmin stores passwords you enter in
>the ~/.pgpass file under *nix or %APPDATA%\postgresql\pgpass.conf under
>Win32 for later reuse. For details, see pgpass documentation. It will be
>used for all libpq based tools. If you want the password removed, you
>can select the server's properties and uncheck the selection any time.
>
>  
>

OK, although I am not sure I think that is sensible - it is at least 
documented. Does the dialog box also carry similar info?

>  
>
>>How is that optimal? If pgadmin3 
>>were to save it in a non-standard location and then set PGPASSFILE to 
>>point to that location that would solve the problem. Or maybe 
>>it should 
>>offer a choice. Either way, how would a malicious user affect that? 
>>PGPASSFILE only contains a location, not the contents of the file, so 
>>exposing it is not any great security issue, as long as the 
>>location is 
>>itself protected.
>>    
>>
>
>We have no sensible way of determining whether or not the libpq we are
>running with supports PGPASSFILE.
>
>
>  
>

Well, this answer is better. The lack of an API to tell you the library 
version is possibly worrying, though.

cheers

andrew