Re: Authentication in batch processing

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Alfred Anzlovar <fuzzy(at)logon(dot)si>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Authentication in batch processing
Date: 2002-07-02 15:25:31
Message-ID: 200207021525.g62FPVT12494@candle.pha.pa.us
Lists: pgsql-admin

Alfred Anzlovar wrote:
> pgman(at)candle(dot)pha(dot)pa(dot)us (Bruce Momjian) wrote in message news:<200206022022(dot)g52KM8m18308(at)candle(dot)pha(dot)pa(dot)us>...
> > Password prompting was changed in 7.2.X. You can now pass a script into
> > psql, and you will be prompted for the password on your terminal rather
> > than having the password coming from the script.
> >
> > The best way to send the password in 7.2.X is to use 'expect', or use the
> > PGPASSWORD environment variable. (However, on some OS's, environment
> > values like PGPASSWORD can be seen by 'ps'.) Another option is that if
> > /dev/tty can't get opened, the password will be requested from stdin.
> > Unfortunately, I can't think of an easy way to make /dev/tty fail.
>
> I see it as a very radical change in password processing.
>
> I know you must have your reasons to have it this way, but there are
> people like Hal Lynch (or like me), to whom this change introduces
> many new problems (and does not solve any of the security ones).

Yes, we had complaints that people were running their script and they
wouldn't be prompted for the password on their terminal. Researching,
we found no applications that get passwords from stdin _if_ a
controlling terminal (/dev/tty) can be opened.

> It would be nice if there was an option (in psql) to use stdin instead of
> /dev/tty to read password(s) (like before 7.2.X).
>
> Is this too much to ask?

It will read the password from stdin if there is no controlling
terminal. Does that help?

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
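
The prompt behaviour described in this message (try the controlling terminal first, read from stdin only when /dev/tty cannot be opened), sketched in C as an added example; it is not psql's source and not part of the original message. The names `read_password` and `pw_source` and the `tty_path`/`fallback_fd` parameters are assumptions made for illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

enum pw_source { PW_FROM_TTY, PW_FROM_FALLBACK, PW_ERROR };

/* Read one line of secret input into buf (NUL-terminated, newline stripped).
 * tty_path/fallback_fd are parameters (example assumption) to allow testing. */
enum pw_source read_password(const char *tty_path, int fallback_fd,
                             const char *prompt, char *buf, size_t len)
{
    struct termios saved, noecho;
    int echo_off = 0;
    size_t n = 0;
    ssize_t r, w;
    char c;
    /* open() fails when the process has no controlling terminal (cron, daemon) */
    int tty = (len > 0) ? open(tty_path, O_RDWR) : -1;
    int in = (tty >= 0) ? tty : fallback_fd;
    int out = (tty >= 0) ? tty : STDERR_FILENO;

    if (len == 0) return PW_ERROR;
    if (tcgetattr(in, &saved) == 0) {   /* only a real terminal has echo to disable */
        noecho = saved;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        echo_off = (tcsetattr(in, TCSAFLUSH, &noecho) == 0);
    }
    w = write(out, prompt, strlen(prompt));
    /* One byte at a time: when the password comes from stdin, the bytes after
     * the newline are the SQL script and must stay unread. */
    while ((r = read(in, &c, 1)) == 1 && c != '\n')
        if (n + 1 < len) buf[n++] = c;
    buf[n] = '\0';
    if (echo_off) {
        tcsetattr(in, TCSAFLUSH, &saved);
        w = write(out, "\n", 1);
    }
    (void)w;
    if (tty >= 0) close(tty);
    if (r <= 0 && n == 0) return PW_ERROR;  /* EOF or read error before any input */
    return (tty >= 0) ? PW_FROM_TTY : PW_FROM_FALLBACK;
}

int main(void)
{
    char pw[128];
    /* exit status: 0 = read from tty, 1 = read from stdin, 2 = error */
    return read_password("/dev/tty", STDIN_FILENO, "Password: ", pw, sizeof pw);
}
```

Run from an interactive shell, this prompts on the terminal even when stdin is redirected from a script; started without a controlling terminal, it takes the first line of stdin as the password and leaves the rest of the input unread.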
