Re: password is no required, authentication is overridden

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Dave Page <dpage(at)vale-housing(dot)co(dot)uk>
Cc: Hiroshi Saito <z-saito(at)guitar(dot)ocn(dot)ne(dot)jp>, Thomas Bley <thbley(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: password is no required, authentication is overridden
Date: 2006-07-19 14:19:46
Message-ID: 44BE3F82.7090500@dunslane.net
Lists: pgsql-hackers

Dave Page wrote:

>
>>-----Original Message-----
>>From: pgsql-hackers-owner(at)postgresql(dot)org
>>[mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of
>>Andrew Dunstan
>>Sent: 19 July 2006 13:55
>>To: Hiroshi Saito
>>Cc: Thomas Bley; pgsql-hackers(at)postgresql(dot)org
>>Subject: Re: [HACKERS] password is no required,
>>authentication is overridden
>>
>>
>>I don't understand what you are saying here. The problem is that it is
>>not clear (at least to the original user, and maybe to others) that when
>>pgadmin3 saves a password it saves it where it will be found by all
>>libpq clients, not just by pgadmin3.
>>
>
>From: http://www.pgadmin.org/docs/1.4/connect.html
>
>If you select "store password", pgAdmin stores passwords you enter in
>the ~/.pgpass file under *nix or %APPDATA%\postgresql\pgpass.conf under
>Win32 for later reuse. For details, see pgpass documentation. It will be
>used for all libpq based tools. If you want the password removed, you
>can select the server's properties and uncheck the selection any time.
>

OK, although I am not sure I think that is sensible - it is at least
documented. Does the dialog box also carry similar info?

>
>>How is that optimal? If pgadmin3 were to save it in a non-standard
>>location and then set PGPASSFILE to point to that location that would
>>solve the problem. Or maybe it should offer a choice. Either way, how
>>would a malicious user affect that? PGPASSFILE only contains a location,
>>not the contents of the file, so exposing it is not any great security
>>issue, as long as the location is itself protected.
>>
>
>We have no sensible way of determining whether or not the libpq we are
>running with supports PGPASSFILE.
>

Well, this answer is better. The lack of an API to tell you the library
version is possibly worrying, though.

cheers

andrew
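As an added illustration of the point argued in this thread (not code from the list, from pgAdmin or from libpq): a small Python audit that resolves the password file libpq will consult (PGPASSFILE if set, otherwise ~/.pgpass or %APPDATA%\postgresql\pgpass.conf), parses its host:port:database:username:password entries so a user can see which servers and roles every libpq client on the account can now authenticate as without being asked, and applies libpq's Unix rule that a group- or world-accessible file is ignored. The function names and the sample file content are my own; the sample is constructed, not taken from a real file.

```python
import os
import stat
import sys
from pathlib import Path

def pgpass_path(env=None, platform=None):
    """File libpq reads: PGPASSFILE if set, else ~/.pgpass or %APPDATA%\\postgresql\\pgpass.conf."""
    env = os.environ if env is None else env
    platform = sys.platform if platform is None else platform
    if env.get("PGPASSFILE"):
        return Path(env["PGPASSFILE"])
    if platform.startswith("win"):
        return Path(env.get("APPDATA", "")) / "postgresql" / "pgpass.conf"
    return Path(env.get("HOME", "")) / ".pgpass"

def split_pgpass_line(line):
    """Split host:port:database:username:password; '\\:' and '\\\\' are escapes, the 5th field keeps the rest."""
    fields, cur, escaped = [], [], False
    for ch in line:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":" and len(fields) < 4:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def stored_credentials(text):
    """(host, port, database, username) per usable entry; passwords are not returned by the audit."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = split_pgpass_line(line)
            if len(fields) == 5:
                out.append(tuple(fields[:4]))
    return out

def mode_is_private(mode):
    """libpq on Unix ignores a pgpass file that grants group or world any access (needs u=rw or less)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

# Constructed sample in the format pgAdmin writes (hypothetical hosts and roles, not a real file).
SAMPLE_PGPASS = "# stored by pgAdmin\ndb1.example.internal:5432:*:app_user:s3cret\n*:*:analytics:report\\:er:p\\\\ss\n"
```

Run `stored_credentials(pgpass_path().read_text())` together with `mode_is_private(pgpass_path().stat().st_mode)` on an account where pgAdmin has saved a password to see exactly what psql and every other libpq tool will pick up.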
