Re: scram-sha-256 encrypted password in pgpass

On 6/22/20 3:54 PM, Stephen Frost wrote:
> Greetings,
>
> * Pavan Kumar (pavan.dba27@xxxxxxxxx) wrote:
>>> What would be the point of storing the encrypted password instead of the
>>> plaintext one?
>> As per our organization security policies, we can't keep any passwords in
>> plain text format.
>
> Then you need to *actually* encrypt the password in whatever file you'd
> like, and then decrypt it using a key from somewhere when you go to
> connect to PG and use it to connect to PG.
>
> Anything that doesn't involve some key from somewhere being used to
> decrypt it isn't actually meeting your organization's security policies,
> certainly not anything that's just dumping whatever into .pgpass and
> then allowing you to connect.
>
>> I am working on postgres + pgbouncer setup, tested pgbouncer 1.14 where we
>> have support to use encrypted password in userlist.txt file. I am
>> surprised why pgpass is not supporting encrypted passwords.
>
> I'm not sure what you mean here, but I'm pretty confident it's not
> actually what you think.  If you can directly connect with it, without
> providing some kind of additional key, then it's, pretty much by
> definition, not encrypted.

The relevant section is:

http://www.pgbouncer.org/config.html#authentication-file-format

and it has quite a few caveats wrt SCRAM.

> Thanks,
>
> Stephen



--
Adrian Klaver
adrian.klaver@xxxxxxxxxxx
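
Added example (not part of the thread, and not PostgreSQL or pgbouncer code): a minimal Python model of the SCRAM-SHA-256 proof check from RFC 5802, showing why a stored SCRAM verifier is a one-way value that cannot stand in for the password in .pgpass. The password, salt and auth message are constructed sample values, SASLprep is skipped, and all function names are hypothetical.

```python
import base64, hashlib, hmac

def hmac256(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def build_verifier(password, salt, iterations=4096):
    # Server-side secret: SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    stored_key = hashlib.sha256(hmac256(salted, b"Client Key")).digest()
    server_key = hmac256(salted, b"Server Key")
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}"

def parse_verifier(verifier):
    _scheme, params, keys = verifier.split("$")
    iterations, salt = params.split(":")
    stored_key, server_key = keys.split(":")
    return int(iterations), *(base64.b64decode(v) for v in (salt, stored_key, server_key))

def client_proof(secret, salt, iterations, auth_message):
    # What a client computes from whatever string it was given as its password.
    salted = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    client_key = hmac256(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()
    return xor(client_key, hmac256(stored_key, auth_message))

def server_accepts(verifier, auth_message, proof):
    # Server recovers ClientKey from the proof and compares its hash to StoredKey.
    stored_key = parse_verifier(verifier)[2]
    client_key = xor(proof, hmac256(stored_key, auth_message))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

def demo():
    salt = b"constructed-salt"                   # constructed sample value
    auth_message = b"constructed-auth-message"   # stands in for the real SCRAM AuthMessage
    verifier = build_verifier("s3cret-sample", salt)
    iterations, salt_out, _, _ = parse_verifier(verifier)
    ok = client_proof("s3cret-sample", salt_out, iterations, auth_message)
    # A client handed only the verifier string (as if pasted into .pgpass)
    # uses it as the password and derives a ClientKey that does not hash to StoredKey.
    bad = client_proof(verifier, salt_out, iterations, auth_message)
    return server_accepts(verifier, auth_message, ok), server_accepts(verifier, auth_message, bad)

if __name__ == "__main__":
    print(demo())
```
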