Re: Security with V9.3.3 standby servers


 



On Thu, 26 Feb 2015 13:05:52 -0500, John Scalia wrote:
On 2/26/2015 12:56 PM, luis.sa@xxxxxxxxxxx wrote:
On Thu, 26 Feb 2015 11:15:51 -0500, John Scalia wrote:
Hi all,

An edict has been handed down here from on high that no script shall
ever contain any password in cleartext for any reason. Well, this is a
problem with a streaming replication standby server's recovery.conf
file, as the line primary_conninfo = contains said replication user's
password for that connection. Is there any sort of plan to allow this
to be md5 or some such encoded? Or what else could I do in this case?

Thx,
Jay

Yes. Use ssh key to create a fingerprint.

Ex. "ssh-keygen" command to generate a fingerprint. And "ssh-copy-id postgres@slave" and "ssh-copy-id user@master" to copy the key to allow both machines to communicate over ssh.

All systems already have ssh keys shared between them as it's used by
scp to transmit the WAL archive to both standby servers. How would I
indicate in the recovery.conf that the embedded password in the line
primary_conninfo is encrypted? That line only has "user=<the user>
password=<the password>". I was thinking that the "password=" could
have something like "md5:<the password>" in it. Or you could just
specify whichever encryption protocol that was used followed by the
colon.

Sorry, wrong answer. The password is for role user on postgres and not ssh.

Well, I don't know... but the security may be guaranteed for Linux in permissions (chmod and chown).


--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
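
The last reply falls back on file permissions (chmod and chown) to protect the password in recovery.conf. As an added example, not part of the original thread, this shell function audits such a file for group/other access, unexpected ownership, and a password embedded in primary_conninfo. The function name and the default owner `postgres` are assumptions.

```shell
#!/bin/sh
# Added example: audit a standby's recovery.conf along the lines the thread discusses.
# Usage: audit_recovery_conf FILE [EXPECTED_OWNER]
# Prints one finding per line; the return status is the number of findings (0 = clean).
audit_recovery_conf() {
    file=$1
    owner=${2:-postgres}   # assumption: the server runs as OS user "postgres"
    findings=0

    if [ ! -f "$file" ]; then
        echo "MISSING: $file"
        return 1
    fi

    # ls -ld prints e.g. "-rw------- 1 postgres postgres ... recovery.conf".
    listing=$(ls -ld -- "$file")

    # Characters 5-10 of the mode string are the group and other permission bits.
    if [ "$(printf '%s\n' "$listing" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $file is accessible to group or others (fix: chmod 600)"
        findings=$((findings + 1))
    fi

    actual_owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$actual_owner" != "$owner" ]; then
        echo "OWNER: $file is owned by $actual_owner, expected $owner (fix: chown $owner)"
        findings=$((findings + 1))
    fi

    # Flag an active primary_conninfo line carrying a password= keyword.
    # grep -q is used so the password itself is never printed.
    if grep -Eq "^[[:space:]]*primary_conninfo[[:space:]]*=.*password[[:space:]]*=" "$file"; then
        echo "CLEARTEXT: primary_conninfo in $file embeds a password"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```
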



