Discussion: encrypt psql password in unix script


encrypt psql password in unix script

From
Suresh Raja
Date:
Hi:

I cannot use .pgpass as the password stored here is not encrypted.

Can I use an encrypted password from a unix shell script? Has anybody run into the same situation? What options do I have?

Thanks,
-SR

Re: encrypt psql password in unix script

From
John R Pierce
Date:
On 7/8/2015 11:34 AM, Suresh Raja wrote:
> I cannot use .pgpass as the password stored here is not encrypted.
>
> Can I use an encrypted password from a unix shell script? Has anybody
> run into the same situation? What options do I have?

I believe anywhere you enter a password in postgres, it can be the hash
instead.

but what security does that gain you? if someone gets your
encrypted/hashed password, he can still log on. the pgpass file has to
be permissions 700, so only YOU (and root) can read it.

if these are LOCAL connections to a pg server on the same machine, you
can use 'ident' as your authentication, where your unix user is used as
the postgres username. or, you can use ssl certificates for
authentication; this is more complex to set up.


--
john r pierce, recycling bits in santa cruz



Re: [SQL] encrypt psql password in unix script

From
Steve Midgley
Date:
My suggestion is to put it in an environment variable and set that variable from a shell startup script that is secured with permissions. (http://www.postgresql.org/docs/9.4/static/libpq-envars.html)

If you can't do that, the only other method I've used is to set up Postgres with Ansible, and store the Pg passwords in an Ansible vault, which is encrypted. Ansible asks for the decrypt key when it runs.

Steve


On Wed, Jul 8, 2015 at 11:34 AM, Suresh Raja <suresh.rajaabc@gmail.com> wrote:
> Hi:
>
> I cannot use .pgpass as the password stored here is not encrypted.
>
> Can I use an encrypted password from a unix shell script? Has anybody run into the same situation? What options do I have?
>
> Thanks,
> -SR

Re: encrypt psql password in unix script

From
Vick Khera
Date:

On Wed, Jul 8, 2015 at 2:46 PM, John R Pierce <pierce@hogranch.com> wrote:
> but what security does that gain you? if someone gets your encrypted/hashed password, he can still log on. the pgpass file has to be permissions 700, so only YOU (and root) can read it.

Exactly this. If you want a script to authenticate to postgres (or anything else) then somewhere you need something to be in the clear, whether it be the key to decrypt the password or a private key. If you can't trust the local file system and users, then you can't do what you want.
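As an added example (not code from any of the posters), a cron-friendly wrapper in POSIX sh that applies the point made above: the credentials file is the one thing that must be readable in the clear, so the script refuses to run unless that file is owned by the invoking user and closed to group and others, and it passes -w so an unattended job fails instead of hanging on a password prompt. The PGPASSFILE path, host, user and database names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Guard for unattended psql jobs:
# run only when the pgpass file is private to the current user.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric uid of a file's owner (GNU stat first, BSD stat as fallback).
file_owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# pgpass_ok FILE: succeed only when FILE exists, is owned by the caller,
# and grants nothing to group or others (libpq itself ignores a looser
# .pgpass, so this check surfaces the problem before psql is even run).
pgpass_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(file_owner_uid "$f")" = "$(id -u)" ] || return 1
    case "$(file_mode "$f")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# run_report: the cron entry point. The password never appears in the
# environment or on the command line; libpq reads it from PGPASSFILE.
# -w (--no-password) makes psql exit non-zero rather than prompt, so a
# missing or rejected credential shows up in the job's exit status.
run_report() {
    PGPASSFILE=${PGPASSFILE:-$HOME/.pgpass-report}   # placeholder path
    export PGPASSFILE
    if ! pgpass_ok "$PGPASSFILE"; then
        echo "refusing to run: $PGPASSFILE must be owned by uid $(id -u) with mode 0600" >&2
        return 2
    fi
    # placeholder host, role and database
    psql -w -h db.example.invalid -U report_user -d reports -c 'SELECT 1'
}
```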

Re: [SQL] encrypt psql password in unix script

From
Xavier Stevens
Date:
I use envcrypt for things like this locally. Just encrypt the file with your own PGP key.


On Wed, Jul 8, 2015 at 12:01 PM, Steve Midgley <science@misuse.org> wrote:
> My suggestion is to put it in an environment variable and set that variable from a shell startup script that is secured with permissions. (http://www.postgresql.org/docs/9.4/static/libpq-envars.html)
>
> If you can't do that, the only other method I've used is to set up Postgres with Ansible, and store the Pg passwords in an Ansible vault, which is encrypted. Ansible asks for the decrypt key when it runs.
>
> Steve
>
>
> On Wed, Jul 8, 2015 at 11:34 AM, Suresh Raja <suresh.rajaabc@gmail.com> wrote:
> > Hi:
> >
> > I cannot use .pgpass as the password stored here is not encrypted.
> >
> > Can I use an encrypted password from a unix shell script? Has anybody run into the same situation? What options do I have?
> >
> > Thanks,
> > -SR


Re: [SQL] encrypt psql password in unix script

From
John R Pierce
Date:
On 7/8/2015 12:01 PM, Steve Midgley wrote:
> My suggestion is to put it in an environment variable and set that
> variable from a shell startup script that is secured with permissions.
> (http://www.postgresql.org/docs/9.4/static/libpq-envars.html)
>

that just moves the problem, now the plaintext password is in a script
file somewhere, AND many OS's let other users see your environment.

> If you can't do that, the only other method I've used is to setup
> Postgres with Ansible, and store the Pg passwords in an ansible vault,
> which is encrypted. Ansible asks for the decrypt key when it runs.
>

how would that work for unattended scripts, such as cron jobs?



--
john r pierce, recycling bits in santa cruz