Re: Accessing other databases with DBLink when leaving user/password empty

Tommy Gildseth wrote:
> Hermann Muster wrote:
>> Hi Adrian,
>>
>> I tried what you suggested, but still get the following Error:
>> "Error connecting to the server: fe_sendauth: no password supplied"
>>
>> What is it I'm doing wrong? Isn't it possible to leave the password
>> empty so that PostgreSQL can retrieve it from the current account?
>>
>
> Your login password isn't kept anywhere in the session, so it's not
> possible for dblink to retrieve it. Furthermore, allowing passwordless
> authentication via dblink is considered a security risk, as it's
> potentially possible to escalate your access privileges to superuser.
> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3278 and
> http://www.securityfocus.com/archive/1/archive/1/471541/100/0/threaded
> for more info on this issue.
>
>

Hi Tommy,

I read the pdf from the second link you posted. Very interesting. Didn't
know about that.

So, how is it possible to connect to a second database on my server? I
think it's also a security risk to hardcode the user name and password
into the SQL query and to use the postgres user for all PCs that make
use of this SQL query. If I understand it right, then everyone could
easily read the password from the database with pgAdmin, right? Doesn't
look that secure to me either.

The following text from my first post mentioning the use of the current
account is therefore faulty?

[...]
Below is an example of querying a database on the same server
and cluster using DbLink. Note if no username and password is
specified, then DbLink connects with whatever account you are
currently using.

I checked on connecting two databases in PostgreSQL, but the only thing
I found was dbLink. Isn't there any other possibility?