BUG #16450: Recovery.conf file shows clear text password.

Started by PG Bug reporting form, almost 6 years ago, 2 messages, bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 16450
Logged by: yi Ding
Email address: abcxiaod@126.com
PostgreSQL version: 10.12
Operating system: linux
Description:

cat recovery.conf

standby_mode = 'on'
primary_conninfo = 'host=2019::abcd:516 port=6755 user=test
application_name=sb2019abcd516 password=8d5s256fhHJ keepalives_idle=60
keepalives_interval=5 keepalives_count=5 sslmode=disable'
recovery_target_timeline = 'latest'

#2 Magnus Hagander
magnus@hagander.net
In reply to: PG Bug reporting form (#1)
Re: BUG #16450: Recovery.conf file shows clear text password.

On Mon, May 18, 2020 at 11:41 AM PG Bug reporting form <noreply@postgresql.org> wrote:

> The following bug has been logged on the website:
>
> Bug reference: 16450
> Logged by: yi Ding
> Email address: abcxiaod@126.com
> PostgreSQL version: 10.12
> Operating system: linux
> Description:
>
> cat recovery.conf
>
> standby_mode = 'on'
> primary_conninfo = 'host=2019::abcd:516 port=6755 user=test
> application_name=sb2019abcd516 password=8d5s256fhHJ keepalives_idle=60
> keepalives_interval=5 keepalives_count=5 sslmode=disable'
> recovery_target_timeline = 'latest'

As PostgreSQL needs the password to connect to a service requiring a
password, it has to be stored either in plaintext or plaintext-equivalent.

You can avoid this by using an authentication method that does not require
a password to be stored, such as Kerberos/gssapi or certificate.
Nevertheless, the client side of the connection needs to store the
credentials for access *in some way*, but for example with certificate
authentication method you could use a smartcard or yubikey or similar to
store it.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
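
An added example, not part of the thread or of PostgreSQL: a small Python audit that parses primary_conninfo out of a recovery.conf body and flags the inline password discussed above, together with a TLS setting and file mode that widen its exposure. The sample file contents, host name, certificate paths and finding strings are constructed for illustration.

```python
import os
import re
import stat

# Constructed samples; host, password and certificate paths are placeholders.
SAMPLE = """\
standby_mode = 'on'
primary_conninfo = 'host=primary.example port=5432 user=replicator
password=EXAMPLE-ONLY sslmode=disable'
recovery_target_timeline = 'latest'
"""
CERT_SAMPLE = ("primary_conninfo = 'host=primary.example user=replicator "
               "sslmode=verify-full sslcert=/etc/pg/repl.crt "
               "sslkey=/etc/pg/repl.key sslrootcert=/etc/pg/root.crt'\n")

def conf_value(text, name):
    """Return the unquoted value of a `name = '...'` setting, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*'((?:[^']|'')*)'", text, re.M)
    return m.group(1).replace("''", "'") if m else None

def parse_conninfo(conninfo):
    """Parse a libpq keyword/value string, honouring quotes and backslash escapes."""
    pairs = {}
    token = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))")
    for key, quoted, bare in token.findall(conninfo):
        pairs[key] = re.sub(r"\\(.)", r"\1", quoted if quoted else bare)
    return pairs

def audit(text, mode=None):
    """Return findings for a config body; `mode` is the file's st_mode if known."""
    findings = []
    params = parse_conninfo(conf_value(text, "primary_conninfo") or "")
    if "password" in params:
        findings.append("password stored inline in primary_conninfo")
    # libpq defaults to sslmode=prefer, which still permits an unencrypted link.
    if params.get("sslmode", "prefer") in ("disable", "allow", "prefer"):
        findings.append("sslmode does not enforce TLS")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group or other")
    return findings

def audit_file(path):
    """Audit a file on disk, including its permission bits."""
    with open(path) as fh:
        return audit(fh.read(), os.stat(path).st_mode)

if __name__ == "__main__":
    print(audit(SAMPLE, 0o100644))
    print(audit(CERT_SAMPLE, 0o100600))
```

From PostgreSQL 12 onward recovery.conf no longer exists and primary_conninfo lives in postgresql.conf or postgresql.auto.conf, so audit_file should be pointed at those files instead.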