> Has anyone come up with a good solution for distributing a .pgpass file
> that doesn't expose it to anyone who has access to the distribution
> mechanism?

No, you cannot easily keep it in version control/puppet securely.
One way is to have an external script that does the jobs of puppet, e.g.
for $server in @list do cp pgpass $server/...

Alternatively, use gpg to encrypt the pgpass file, then put *that* into
version control and distribute it. Then have a script on the server
that decrypts it into place. Yes, you have to manually distribute the
encryption key to the servers, but it is a one-time event, and you
can push out changes to the pgpass file easily, and automate the
decrypt-on-the-server bit, including by puppet itself.

It's not clear what the exact threat model is here, but you could also
simply not use pgpass, and find some other means to authenticate.

-- 
Greg Sabino Mullane greg@xxxxxxxxxxxx
End Point Corporation http://www.endpoint.com/
PGP Key: 0x14964AC8 201210011859
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
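
The decrypt-on-the-server step suggested in the reply above, sketched as an added example that is not part of the original post. The names install_pgpass, GPG_BIN and pgpass.gpg are assumptions, as is a server-side key that gpg can use without prompting.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed names: install_pgpass,
# GPG_BIN, and the file name pgpass.gpg in the version-controlled checkout.
# Assumes the key needed for decryption is already on the server and usable
# without a passphrase prompt.

# install_pgpass SRC DEST: decrypt SRC and atomically install it as DEST.
# The body runs in a subshell so umask and variables do not leak to the caller.
install_pgpass() (
    src=$1
    dest=$2
    gpg=${GPG_BIN:-gpg}
    umask 077                 # nothing created here is group/world readable

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Temp file sits next to DEST so the final mv is a same-filesystem rename.
    tmp=$(mktemp "$(dirname "$dest")/.pgpass.XXXXXX") || return 1

    # --batch keeps gpg from prompting when run unattended (cron, puppet exec).
    if ! "$gpg" --batch --quiet --decrypt "$src" > "$tmp"; then
        echo "decrypt failed, leaving $dest untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # An empty result would lock every client out; treat it as a failure.
    if [ ! -s "$tmp" ]; then
        echo "decrypted file is empty, leaving $dest untouched" >&2
        rm -f "$tmp"
        return 1
    fi

    # libpq ignores a password file that is group- or world-accessible.
    chmod 600 "$tmp"
    mv -f "$tmp" "$dest"
)

# Run directly as: install_pgpass.sh /path/to/checkout/pgpass.gpg ~/.pgpass
if [ "$#" -eq 2 ]; then
    install_pgpass "$1" "$2"
fi
```

Anyone who can read the checkout sees only ciphertext; the cleartext exists only on hosts that hold the key, so the key file needs the same 0600 treatment as the pgpass file itself.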