On 9/19/19 3:30 AM, Matthias Apitz wrote:
> Hello,
>
> Our software, a huge ILS, is running on Linux with DBS Sybase. To connect to the Sybase server (over the network, even on localhost), credentials must be known: a user (say 'sisis') and its password. For Sybase we have them stored on the disk of the system in a file syb.npw as:
>
> $ cat /opt/lib/sisis/etc/syb/syb.npw
> sisis:e53902b9923ab2fb
> sa:64406def48efca8c
>
> for the user 'sisis' and the administrator 'sa'. Our software has as shared library a blob which knows how to decrypt the password hash above shown as 'e53902b9923ab2fb' into clear text which is then used in the ESQL/C or Java layer to connect to the Sybase server.
>
> For PostgreSQL the password must be typed in (for pgsql) or can be provided in an environment variable PGPASSWORD=blabla
>
> Is there somehow an API in PG to use ciphered passwords and provide as a shared library the blob to decrypt it? If not, we will use the mechanism same as

There is not and I am not sure that would be much use even if it did exist. You would be right back at someone being able to grab the credentials from a file and feeding them to the database for access.
The system you currently have at least seems to limit access to a specific program external to Postgres.

> we use for Sybase. Or any other idea to not make detectable the credentials? This was a request of our customers some years ago.
>
> matthias

--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
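
Added example, not part of the thread and not the Sybase scheme it describes: a constructed reversible encoding with the key shipped in the library, showing that any caller who can read both the `user:token` file and the library recovers the clear text, so the file's permissions are the control that matters. The XOR cipher, the key, the file name `demo.npw` and the user `appuser` are all assumptions made for illustration.

```python
import os
import stat
import tempfile

# Constructed stand-in for the "blob": a fixed key shipped inside the library.
# This is NOT the Sybase scheme from the post, only a reversible toy encoding.
_EMBEDDED_KEY = bytes.fromhex("5a17c3992e40b1d6")

def _xor(data: bytes) -> bytes:
    return bytes(b ^ _EMBEDDED_KEY[i % len(_EMBEDDED_KEY)] for i, b in enumerate(data))

def encode_password(clear: str) -> str:
    """What an installer would write into the credential file."""
    return _xor(clear.encode()).hex()

def decode_password(token: str) -> str:
    """What the shared library exposes to the application (and to any caller)."""
    return _xor(bytes.fromhex(token)).decode()

def read_credentials(path: str) -> dict:
    """Parse 'user:token' lines (same layout as syb.npw) and decode each one."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or ":" not in line:
                continue
            user, token = line.split(":", 1)
            creds[user] = decode_password(token)
    return creds

def exposed_to_others(path: str) -> bool:
    """True if group or world has any access to the credential file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def demo() -> tuple:
    """Write a constructed credential file, check its mode, read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.npw")
        with open(path, "w") as fh:
            fh.write("appuser:%s\n" % encode_password("constructed-pw"))
        os.chmod(path, 0o644)
        loose = exposed_to_others(path)   # readable by group/world
        os.chmod(path, 0o600)
        tight = exposed_to_others(path)   # owner only
        return read_credentials(path), loose, tight
```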