| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | abcxiaod(at)126(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: BUG #16450: Recovery.conf file shows clear text password. |
| Date: | 2020-05-18 09:47:39 |
| Message-ID: | CABUevExhD-aU8++xn40Z4R6EX7fvN541t+wZTx-JMZQz=9AAGA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Mon, May 18, 2020 at 11:41 AM PG Bug reporting form <
noreply(at)postgresql(dot)org> wrote:
> The following bug has been logged on the website:
>
> Bug reference: 16450
> Logged by: yi Ding
> Email address: abcxiaod(at)126(dot)com
> PostgreSQL version: 10.12
> Operating system: linux
> Description:
>
> cat recovery.conf
>
> standby_mode = 'on'
> primary_conninfo = 'host=2019::abcd:516 port=6755 user=test
> application_name=sb2019abcd516 password=8d5s256fhHJ keepalives_idle=60
> keepalives_interval=5 keepalives_count=5 sslmode=disable'
> recovery_target_timeline = 'latest'
>
>
As PostgreSQL needs the password to connect to a service requiring a
password, it has to be stored either in plantext or plaintext-equivalent.
You can avoid this by using an authentication method that does not require
a password to be stored, such as Kerberos/gssapi or certificate.
Nevertheless, the client side of the connection needs to store the
credentials for access *in some way*, but for example with certificate
authentication method you could use a smartcard or yubikey or similar to
store it.
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2020-05-18 09:49:51 | Re: BUG #16448: Remote code execution vulnerability |
| Previous Message | Magnus Hagander | 2020-05-18 09:46:22 | Re: BUG #16451: .psql_history file shows clear text password. |