encrypt psql password in unix script

Started by Suresh Raja almost 11 years ago, 6 messages, general
#1 Suresh Raja
suresh.rajaabc@gmail.com

Hi:

I cannot use .pgpass, as the password stored there is not encrypted.

Can I use an encrypted password from a Unix shell script? Has anybody run
into the same situation? What options do I have?

Thanks,
-SR

#2 John R Pierce
pierce@hogranch.com
In reply to: Suresh Raja (#1)
Re: encrypt psql password in unix script

On 7/8/2015 11:34 AM, Suresh Raja wrote:

> I cannot use .pgpass, as the password stored there is not encrypted.
>
> Can I use an encrypted password from a Unix shell script? Has anybody run
> into the same situation? What options do I have?

I believe anywhere you enter a password in Postgres, it can be the hash
instead.

But what security does that gain you? If someone gets your
encrypted/hashed password, he can still log on. The pgpass file has to
have permissions 700, so only YOU (and root) can read it.

If these are LOCAL connections to a PG server on the same machine, you
can use 'ident' as your authentication, where your Unix user is used as
the Postgres username. Or you can use SSL certificates for
authentication; this is more complex to set up.

--
john r pierce, recycling bits in santa cruz

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
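Added example, not code posted by anyone in this thread: a POSIX shell snippet that writes a .pgpass entry under a restrictive umask and checks that the file is in a state libpq will use. The mode libpq actually enforces is 0600 (u=rw) or stricter: if group or other have any permission bits, libpq prints a warning and ignores the file, so the 700 mentioned in #2 is an execute bit too many rather than the requirement. The host, database, user and password in the usage are made up, and the stat invocations assume GNU stat with a BSD/macOS fallback.

```shell
#!/bin/sh
# Added example (not from the thread): create a .pgpass file safely and check
# that its mode is one libpq accepts (no group/other bits, owned by the caller).

pgpass_escape() {
  # Escape ':' and '\' in a field; both are significant in the .pgpass format.
  printf '%s' "$1" | sed 's/[\\:]/\\&/g'
}

pgpass_mode() {
  # Print the octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

pgpass_owner() {
  # Print the numeric uid that owns a file (same GNU/BSD fallback as above).
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

pgpass_ok() {
  # Return 0 if FILE exists, is owned by the current user, and grants no
  # permission bits to group or other, which is the condition libpq enforces.
  f=$1
  [ -f "$f" ] || return 1
  [ "$(pgpass_owner "$f")" = "$(id -u)" ] || return 1
  case "$(pgpass_mode "$f")" in
    *00) return 0 ;;   # last two octal digits (group, other) are both zero
    *)   return 1 ;;
  esac
}

write_pgpass() {
  # write_pgpass FILE HOST PORT DB USER PASSWORD
  # The file is created under umask 077 so it is never readable by others,
  # even in the window between creation and the explicit chmod.
  f=$1; host=$2; port=$3; db=$4; user=$5; pass=$6
  old_umask=$(umask)
  umask 077
  printf '%s:%s:%s:%s:%s\n' \
    "$(pgpass_escape "$host")" "$(pgpass_escape "$port")" \
    "$(pgpass_escape "$db")" "$(pgpass_escape "$user")" \
    "$(pgpass_escape "$pass")" > "$f"
  umask "$old_umask"
  chmod 600 "$f"
}

# Usage with made-up values:
#   write_pgpass "$HOME/.pgpass" db.example.com 5432 appdb app 's3cret'
#   pgpass_ok "$HOME/.pgpass" && psql -h db.example.com -U app -d appdb
```

The check is worth running from the script before calling psql: a .pgpass that has drifted to 0644 does not fail loudly, it simply stops being consulted and psql prompts (or, unattended, fails) for a password.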

#3 Steve Midgley
science@misuse.org
In reply to: Suresh Raja (#1)
Re: encrypt psql password in unix script

My suggestion is to put it in an environment variable and set that variable
from a shell startup script that is secured with permissions. (
http://www.postgresql.org/docs/9.4/static/libpq-envars.html)

If you can't do that, the only other method I've used is to set up Postgres
with Ansible, and store the Pg passwords in an ansible vault, which is
encrypted. Ansible asks for the decrypt key when it runs.

Steve

On Wed, Jul 8, 2015 at 11:34 AM, Suresh Raja <suresh.rajaabc@gmail.com>
wrote:

> Hi:
>
> I cannot use .pgpass, as the password stored there is not encrypted.
>
> Can I use an encrypted password from a Unix shell script? Has anybody run
> into the same situation? What options do I have?
>
> Thanks,
> -SR

#4 Vick Khera
vivek@khera.org
In reply to: John R Pierce (#2)
Re: encrypt psql password in unix script

On Wed, Jul 8, 2015 at 2:46 PM, John R Pierce <pierce@hogranch.com> wrote:

> But what security does that gain you? If someone gets your
> encrypted/hashed password, he can still log on. The pgpass file has to
> have permissions 700, so only YOU (and root) can read it.

Exactly this. If you want a script to authenticate to postgres (or anything
else) then somewhere you need something to be in the clear, whether it be
the key to decrypt the password or a private key. If you can't trust the
local file system and users, then you can't do what you want.

#5 Xavier Stevens
xavier@simple.com
In reply to: Steve Midgley (#3)
Re: [SQL] encrypt psql password in unix script

I use envcrypt for things like this locally. Just encrypt the file with
your own PGP key.

https://github.com/whilp/envcrypt

On Wed, Jul 8, 2015 at 12:01 PM, Steve Midgley <science@misuse.org> wrote:

> My suggestion is to put it in an environment variable and set that
> variable from a shell startup script that is secured with permissions. (
> http://www.postgresql.org/docs/9.4/static/libpq-envars.html)
>
> If you can't do that, the only other method I've used is to set up Postgres
> with Ansible, and store the Pg passwords in an ansible vault, which is
> encrypted. Ansible asks for the decrypt key when it runs.
>
> Steve
>
> On Wed, Jul 8, 2015 at 11:34 AM, Suresh Raja <suresh.rajaabc@gmail.com>
> wrote:
>
> > Hi:
> >
> > I cannot use .pgpass, as the password stored there is not encrypted.
> >
> > Can I use an encrypted password from a Unix shell script? Has anybody run
> > into the same situation? What options do I have?
> >
> > Thanks,
> > -SR

#6 John R Pierce
pierce@hogranch.com
In reply to: Steve Midgley (#3)
Re: [SQL] encrypt psql password in unix script

On 7/8/2015 12:01 PM, Steve Midgley wrote:

> My suggestion is to put it in an environment variable and set that
> variable from a shell startup script that is secured with permissions.
> (http://www.postgresql.org/docs/9.4/static/libpq-envars.html)

That just moves the problem: now the plaintext password is in a script
file somewhere, AND many OSes let other users see your environment.

> If you can't do that, the only other method I've used is to set up
> Postgres with Ansible, and store the Pg passwords in an ansible vault,
> which is encrypted. Ansible asks for the decrypt key when it runs.

How would that work for unattended scripts, such as cron jobs?

--
john r pierce, recycling bits in santa cruz

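Added example that ties together #3, #5 and #6; it is not code from any poster. It is a wrapper that decrypts a .pgpass line with a caller-supplied command (gpg in the usage comment, as Xavier suggests; any command that prints the line will do), writes it to a 0600 file inside a fresh 0700 directory, runs one command with only PGPASSFILE exported, and removes the directory afterwards. PGPASSWORD is never set, so the secret is not in the calling shell's environment where `ps` or /proc can show it, and the path that is exported only helps someone who can already read files as that user. The host, user and key path in the comments are made up. As Vick says in #4, this does not remove the plaintext-at-rest problem: for an unattended cron job the decryption key has to be usable without a passphrase, so what the wrapper buys is a shorter and narrower exposure, not a secret that exists nowhere in the clear.

```shell
#!/bin/sh
# Added example, not code from the thread: run one command with a PostgreSQL
# password that is decrypted only for the lifetime of that command, kept in a
# private directory, and handed to libpq via PGPASSFILE rather than PGPASSWORD.
#
# Usage (key path, host and psql arguments are illustrative):
#   with_pgpass 'gpg --batch --quiet --decrypt "$HOME/.pgpass.gpg"' \
#       psql -h db.example.com -U app -d appdb -c 'select 1'
# The first argument is any shell snippet that prints the .pgpass line(s) on
# stdout; it is eval'd, so quote it as you would type it at the prompt. The
# remaining arguments are an external command and its arguments.

with_pgpass() {
  wp_decrypt=$1; shift

  # mktemp -d creates the directory 0700; umask 077 makes the password file
  # 0600 from the moment it exists, which is the mode libpq insists on.
  wp_dir=$(mktemp -d) || return 1
  wp_umask=$(umask)
  umask 077
  if eval "$wp_decrypt" > "$wp_dir/pgpass"; then
    wp_rc=0
  else
    wp_rc=$?
  fi
  umask "$wp_umask"
  if [ "$wp_rc" -ne 0 ]; then
    # Decryption failed: leave nothing behind and pass the failure up.
    rm -rf "$wp_dir"
    return "$wp_rc"
  fi

  # Only the path is exported, and only into the child's environment. The
  # calling shell never has PGPASSWORD or PGPASSFILE set, so a later `env`
  # or any other child of this shell does not see the secret.
  if PGPASSFILE="$wp_dir/pgpass" "$@"; then
    wp_rc=0
  else
    wp_rc=$?
  fi
  rm -rf "$wp_dir"
  return "$wp_rc"
}
```

If the wrapped command can be killed from outside (a cron job hitting a timeout), add a trap on INT and TERM that removes `$wp_dir` as well, otherwise the plaintext file survives the process that needed it.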