Re: PGPASSWORD in crypted form, for example BlowFish or SHA-256

Hello,

On Thu, 2019-09-19 at 12:30 +0200, Matthias Apitz wrote:
> Hello,
> 
> Our software, a huge ILS, is running on Linux with DBS Sybase. To
> connect to the Sybase server (over the network, even on localhost),
> credentials must be known: a user (say 'sisis') and its password.
> 
> For Sybase we have them stored on the disk of the system in a file
> syb.npw as:
> 
> $ cat /opt/lib/sisis/etc/syb/syb.npw
> sisis:e53902b9923ab2fb
> sa:64406def48efca8c
> 
> for the user 'sisis' and the administrator 'sa'. Our software has as
> shared library a blob which knows how to decrypt the password hash
> above
> shown as 'e53902b9923ab2fb' into clear text which is then used in the
> ESQL/C or Java layer to connect to the Sybase server.
> 
> For PostgreSQL the password must be typed in (for pgsql) or can be
> provided in an environment variable PGPASSWORD=blabla
> 
> Is there somehow an API in PG to use ciphered passwords and provide
> as a
> shared library the blob to decrypt it? If not, we will use the
> mechanism same as
> we use for Sybase. Or any other idea to not make detectable the
> credentials? This was a request of our customers some years ago.
> 
>     matthias
> 
> 


https://www.postgresql.org/docs/11/auth-password.html

Chapters 20.5 and 20.6 may give you more information.

HTH,
Robert