Re: libpq sslpassword parameter and callback function
| От | Andrew Dunstan |
|---|---|
| Тема | Re: libpq sslpassword parameter and callback function |
| Дата | |
| Msg-id | 87b1e36b-e36a-add5-1a9b-9fa34914a256@2ndQuadrant.com обсуждение исходный текст |
| Ответ на | libpq sslpassword parameter and callback function (Andrew Dunstan <andrew.dunstan@2ndquadrant.com>) |
| Ответы |
Re: libpq sslpassword parameter and callback function
|
| Список | pgsql-hackers |
This time with attachment. On 10/31/19 6:33 PM, Andrew Dunstan wrote: > This patch provides for an sslpassword parameter for libpq, and a hook > that a client can fill in for a callback function to set the password. > > > This provides similar facilities to those already available in the JDBC > driver. > > > There is also a function to fetch the sslpassword from the connection > parameters, in the same way that other settings can be fetched. > > > This is mostly the excellent work of my colleague Craig Ringer, with a > few embellishments from me. > > > Here are his notes: > > > Allow libpq to non-interactively decrypt client certificates that > are stored > encrypted by adding a new "sslpassword" connection option. > > The sslpassword option offers a middle ground between a cleartext > key and > setting up advanced key mangement via openssl engines, PKCS#11, USB > crypto > offload and key escrow, etc. > > Previously use of encrypted client certificate keys only worked if > the user > could enter the key's password interactively on stdin, in response > to openssl's > default prompt callback: > > Enter PEM passhprase: > > That's infesible in many situations, especially things like use from > postgres_fdw. > > This change also allows admins to prevent libpq from ever prompting > for a > password by calling: > > PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook); > > which is useful since OpenSSL likes to open /dev/tty to prompt for a > password, > so even closing stdin won't stop it blocking if there's no user > input available. > Applications may also override or extend SSL password fetching with > their own > callback. > > There is deliberately no environment variable equivalent for the > sslpassword > option. > > > cheers > > > andrew > > -- Andrew Dunstan https://www.2ndQuadrant.com PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Вложения
В списке pgsql-hackers по дате отправления: