Re: Log of CREATE USER statement

From: Simon Riggs <simon(at)2ndquadrant(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Ricardo Vaz - TCESP <jrvaz(at)tce(dot)sp(dot)gov(dot)br>
Subject: Re: Log of CREATE USER statement
Date: 2005-12-10 19:37:59
Message-ID: 1134243479.27873.32.camel@localhost.localdomain
Lists: pgsql-hackers

On Sat, 2005-12-10 at 11:15 -0500, Tom Lane wrote:
> Simon Riggs <simon(at)2ndquadrant(dot)com> writes:
> > On Fri, 2005-12-09 at 19:41 +0100, Peter Eisentraut wrote:
> >> Maybe we should provide a backslash command in psql
>
> > That is a good option, but not the only option required.
> > There are many reasons to need to supply the password as part of a
> > command, rather than an interactive input.
>
> You miss the point entirely. Normal *use* of a password is not part of
> the SQL command language and is already adequately encrypted. It's only
> supplying a new password in CREATE/ALTER USER that has the security
> hazard of exposing the password in command logs, pg_stat_activity, etc.
> AFAICS, Peter's idea covers that case satisfactorily.

Peter's idea is great and I agree with everything he says.

I meant that if we are helping psql users to encrypt the password, we
should help others as well, that's all.

At the very least this should be documented better. At best we could change
the protocol to encrypt things client-side, so that plaintext never goes
across the wire in any circumstance. That would then be good security by
default. I'm not volunteering to write that code anytime soon, but I
could work on some docs to better explain this.

We could also change the logging and pg_stat_activity so that we never
output the password at all, plaintext or otherwise.

Best Regards, Simon Riggs

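The mitigation the thread circles around, as an added example that is not part of the original message or of PostgreSQL's own code: hash the password on the client and put only the resulting verifier into CREATE/ALTER USER, so the statement log and pg_stat_activity never see the plaintext. The md5 verifier format is the one PostgreSQL used at the time; the SCRAM-SHA-256 verifier goes beyond the thread to the modern equivalent. Function names, the sample role name and password are my own; SASLprep is assumed to be a no-op (ASCII passwords).

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

def md5_verifier(username: str, password: str) -> str:
    # PostgreSQL's md5 verifier: 'md5' || hex(md5(password || username))
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = 4096) -> str:
    # Format: SCRAM-SHA-256$<iter>:<b64 salt>$<b64 StoredKey>:<b64 ServerKey>
    # Assumption: the password is plain ASCII, so SASLprep is a no-op.
    salt = os.urandom(16) if salt is None else salt
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # the server keeps this
    return (f"SCRAM-SHA-256${iterations}:{_b64(salt)}"
            f"${_b64(stored_key)}:{_b64(server_key)}")

def parse_scram_verifier(verifier: str) -> dict:
    # Split a verifier back into its parts, e.g. to sanity-check before use.
    scheme, salt_part, keys = verifier.split("$")
    iters, salt = salt_part.split(":")
    stored, server = keys.split(":")
    return {"scheme": scheme, "iterations": int(iters),
            "salt": base64.b64decode(salt),
            "stored_key": base64.b64decode(stored),
            "server_key": base64.b64decode(server)}

def alter_user_sql(username: str, verifier: str) -> str:
    # A value already in md5/SCRAM form is stored as-is by the server, so only
    # the verifier, never the plaintext, appears in the statement text.
    if not re.fullmatch(r"[a-z_][a-z0-9_]*", username):
        raise ValueError("role name must be a simple unquoted identifier")
    return f"ALTER USER {username} PASSWORD '{verifier}'"

def plaintext_leaks(statement: str, password: str) -> bool:
    # What a statement log line or pg_stat_activity would reveal.
    return password in statement
```

The md5 scheme still lets anyone who reads the verifier from the log replay it as a password, which is why the thread's other suggestion, not logging the value at all, remains worthwhile.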