
Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text

From: Dave Page <dpage(at)postgresql(dot)org>
To: Joe Moyle <jmoyle(at)paymetric(dot)com>
Cc: pgadmin-support(at)postgresql(dot)org
Subject: Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text
Date: 2007-05-23 16:25:45
Message-ID: 46546B09.5080108@postgresql.org
Lists: pgadmin-support
Joe Moyle wrote:
>> Joe Moyle wrote:
> ...
>>> While doing some poking around I discovered that the passwords in the
>>> pgpass.conf file are stored in plain text.  I consider this a bug.
> ...
>>> Would the 'powers that be' list this as a bug and add it to the TODO
>>> list?
>> This is how PostgreSQL's libpq requires the file to be formatted.
>>
>> Regards, Dave.
> 
> First let me say that I'm not a programmer (wanna-be at best) so I'm
> asking forgiveness in advance if I use the wrong nomenclature or fail to
> communicate what I'm thinking in terms that interested parties can
> easily understand.
> 
> I'm looking at the documentation for the libpq method called
> PQconnectdb.  I see that it requires user and password in a scenario
> like I've got my server set up.  I still think that PGA3 storing the
> password in plain text is a bug.  Wouldn't it be better if it stored it
> encrypted using an encryption algorithm that can be unencrypted so that
> it could be unencrypted and then sent to libpq in plain text?
> 
> When trying to answer this question for myself I thought that it might
> be pointless because some key would be required for unencrypting.  I
> then thought that if I had to type in the key every time it would blow
> my lazy desire to type less out of the water.  Upon further reflection I
> thought that it would still be better since I would only have to
> remember one key instead of the various username/password combinations.
> 
> I can't help but feel I'm missing something obvious here but am just too
> ignorant to know it.  I'll continue reading the libpq documentation and
> thinking about it.
> 

pgAdmin only ever writes the file; libpq does the reading, so we have to
write it in the format it dictates. See
http://www.postgresql.org/docs/8.2/interactive/libpq-pgpass.html for
more info.

pgAdmin 1.8 does also warn you about the possible consequences of having
an unsecured pgpass file.

Regards, Dave.
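
The following is an added example, not part of the message above and not pgAdmin or libpq code. It parses the `hostname:port:database:username:password` format that libpq reads (with `\:` and `\\` escapes and `#` comment lines) and reports which entries hold a plaintext password and whether the file mode is too open; the function names and the sample entries are constructed for illustration.

```python
import os
import stat
import sys

# Constructed sample in libpq's format: hostname:port:database:username:password
SAMPLE = "# constructed sample\ndb.example.test:5432:*:app:s3cr\\:et\n*:*:*:postgres:hunter2\n"

def parse_pgpass_line(line):
    """Return [host, port, database, user, password], or None if not an entry."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # "\:" and "\\" are literal characters
            i += 2
            continue
        if ch == ":" and len(fields) < 4:  # the fifth field runs to end of line
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields if len(fields) == 5 else None

def audit_pgpass(path):
    """List findings for a pgpass file; passwords are parsed but never reported."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # libpq enforces this only on Unix; on Windows the directory ACL is what counts.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o allows group/world access" % mode)
    with open(path, encoding="utf-8") as fh:
        for n, raw in enumerate(fh, 1):
            entry = parse_pgpass_line(raw)
            if entry is None:
                continue
            host, port, db, user, _password = entry
            scope = "any host" if host == "*" else host
            findings.append("line %d: plaintext password for %s@%s" % (n, user, scope))
    return findings

if __name__ == "__main__":
    for finding in audit_pgpass(sys.argv[1]):
        print(finding)
```

On Windows the file normally lives at `%APPDATA%\postgresql\pgpass.conf`, and since libpq makes no permission check there, the ACL on that directory is the thing to review.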
