On Thu, 26 Feb 2015 13:05:52 -0500, John Scalia wrote:
On 2/26/2015 12:56 PM, luis.sa@xxxxxxxxxxx wrote:
On Thu, 26 Feb 2015 11:15:51 -0500, John Scalia wrote:
Hi all,
An edict has been handed down here from on high that no script
shall
ever contain any password in cleartext for any reason. Well this is
problem with a streaming replication standby server's recovery.conf
file as the line primary_conninfo = contains said replication
user's
password for that connection. Is there any sort of plan to allow
this
to be md5 or some such encoded? Or what else could I do in this
case?
Thx,
Jay
Yes. Use ssh key to create a fingerprint.
Ex. "ssh-keygen" command to generate a fingerprint. And "ssh-copy-id
postgres@slave" and "ssh-copy-id user@master" to copy the key to alow
both machines communicated over ssh.
All systems already have ssh keys shared between them as it's used by
scp to transmit the WAL archive to both standby servers. How would I
indicate in the recovery.conf that the embedded password in the line
primary_conninfo is encrypted? That line only has "user=<the user>
password=<the password>" I was thinking that the "password=" could
have something like "md5:<the password>" in it. Or you could just
specify whichever encryption protocol that was used followed by the
colon.
Sorry, wrong answer. The password is for role user on postgres and not
ssh.
Well, i don't know... but the security may be guaranteed for linux in
permissions (chmod and chown)..
--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
