Re: scram-sha-256 encrypted password in pgpass
From | Adrian Klaver |
---|---|
Subject | Re: scram-sha-256 encrypted password in pgpass |
Date | |
Msg-id | bd8bb482-11b7-6987-0a3c-bee5ba895019@aklaver.com |
In response to | Re: scram-sha-256 encrypted password in pgpass (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-admin |
On 6/22/20 3:54 PM, Stephen Frost wrote:
> Greetings,
>
> * Pavan Kumar (pavan.dba27@gmail.com) wrote:
>>> What would be the point of storing the encrypted password instead of the
>>> plaintext one?
>> As per our organization security policies, we can't keep any passwords in
>> plain text format.
>
> Then you need to *actually* encrypt the password in whatever file you'd
> like, and then decrypt it using a key from somewhere when you go to
> connect to PG and use it to connect to PG.
>
> Anything that doesn't involve some key from somewhere being used to
> decrypt it isn't actually meeting your organization's security policies,
> certainly not anything that's just dumping whatever into .pgpass and
> then allowing you to connect.
>
>> I am working on postgres + pgbouncer setup, tested pgbouncer 1.14 where we
>> have support to use encrypted password in userlist.txt file. I am
>> surprised why pgpass is not supporting encrypted passwords.
>
> I'm not sure what you mean here, but I'm pretty confident it's not
> actually what you think. If you can directly connect with it, without
> providing some kind of additional key, then it's, pretty much by
> definition, not encrypted.

The relevant section is:

http://www.pgbouncer.org/config.html#authentication-file-format

and it has quite a few caveats wrt SCRAM.

>
> Thanks,
>
> Stephen
>

--
Adrian Klaver
adrian.klaver@aklaver.com
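
As an added illustration that is not part of the original message: a SCRAM-SHA-256 secret of the kind discussed above is a one-way verifier derived from the password, not an encrypted copy of it. This Python example builds one in the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` text form and checks candidates against it; the function names and the sample password are constructed for the example, and an ASCII password is assumed so SASLprep normalisation is skipped.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "SCRAM-SHA-256"

def scram_verifier(password, salt=None, iterations=4096):
    """Derive the one-way SCRAM-SHA-256 secret (RFC 5802 key derivation)."""
    salt = os.urandom(16) if salt is None else salt
    # Assumption: ASCII password, so SASLprep normalisation is a no-op.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"{SCHEME}${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def parse_verifier(secret):
    """Split a stored secret into (iterations, salt, StoredKey, ServerKey)."""
    scheme, iter_salt, keys = secret.split("$")
    if scheme != SCHEME:
        raise ValueError("not a SCRAM-SHA-256 secret")
    iterations, salt_b64 = iter_salt.split(":")
    stored_b64, server_b64 = keys.split(":")
    return (int(iterations), base64.b64decode(salt_b64),
            base64.b64decode(stored_b64), base64.b64decode(server_b64))

def password_matches(password, secret):
    """Re-derive the secret from a candidate password and compare."""
    iterations, salt, _, _ = parse_verifier(secret)
    candidate = scram_verifier(password, salt, iterations)
    return hmac.compare_digest(candidate, secret)

if __name__ == "__main__":
    secret = scram_verifier("example-only-secret")  # constructed sample password
    print(secret)
    print(password_matches("example-only-secret", secret))  # the real password
    print(password_matches(secret, secret))  # the verifier used as a password
```

Supplying the secret string itself as the password does not match, which is what would happen if it were pasted into the password field of .pgpass.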