Re: [GENERAL] mysql_config_editor feature suggestion
| От | Steve Atkins |
|---|---|
| Тема | Re: [GENERAL] mysql_config_editor feature suggestion |
| Дата | |
| Msg-id | AB2D9783-517D-4D9D-A699-21F4B9795BAF@blighty.com обсуждение исходный текст |
| Ответ на | [GENERAL] mysql_config_editor feature suggestion (Tom Ekberg <tekberg@uw.edu>) |
| Список | pgsql-general |
> On Mar 21, 2017, at 3:03 PM, Tom Ekberg <tekberg@uw.edu> wrote: > > I have been working with MySQL a bit (yes, I know, heresy) and encountered a program called mysql_config_editor. In myopinion it does a better job of local password management than using a ~/.pgpass file. Instead of assuming that a modeof 600 will keep people from peeking at your password, it encrypts the password, but keeps the other parameters likehost, port and user available for viewing as plaintext. You can read more about it here: > > https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html > > The host, user, password values are grouped into what are called login paths which are of the form: > > [some_login_path] > host = localhost > user = localuser Looks rather like a postgresql service file. :) > > Just like the config files you have no doubt seen before. The only way to set a password is to use the command: > > mysql_config_editor set --login-path=some_login_path --password > > which will prompt the user to enter the password for the specified login path. The password is never seen as plain text.There are other commands to set, remove, print and reset values for a login path. The print command that shows a passwordwill display this instead: > > password = ***** This seems like it'd give people a false sense of security. If someone can read that file, they can log in to that account.Obfuscating the password just makes naive users think they're secure when they're anything but, and means they'reless likely to be careful about making that file unreadable and avoiding checking it into revision control and soon. It'd protect against shoulder-surfing, but it's not like you're going to have .pg_pass open in an editor too often. A commandline tool for managing pgpass might be interesting, I guess. Though for local databases using peer authenticationis likely better than saving passwords in a file. > Adding a similar feature for PostgreSQL will also require a change to the psql program to specify and handle --login-pathused for authentication. This may also be the case for some of the other pg_* utilities. > > I think adding a feature like mysql_config_editor to PostgreSQL is an easy way to set up multiple "personalities" for connectingto different PostgreSQL servers. The password protection will deter the curious user from gaining access to yourdata. It will not stop a determined hacker, but the idea is to make it more difficult. > > Other than this mailing list, is there a way to make a feature request for PostgreSQL? Cheers, Steve
В списке pgsql-general по дате отправления: