| From: | Alexander Kukushkin <cyberdemn(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | David Fetter <david(at)fetter(dot)org>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Increase psql's password buffer size |
| Date: | 2020-01-20 20:17:47 |
| Message-ID: | CAFh8B=ksT0dhQhHHWA1Y9Oc+RBNso4SOwxm1cXan3Hw3-6x7uQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
I think I should add my two cents.
On Mon, 20 Jan 2020 at 20:38, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> > I found another place that assumes 100 bytes and upped it to 2048.
There one more place, in the code which is parsing .pgpass
>
> So this is pretty much exactly what I expected. And have you tried
> it with e.g. PAM, or LDAP?
>
> I think the AWS guys are fools to imagine that this will work in very
> many places, and I don't see why we should be leading the charge to
> make it work for them. What's the point of having a huge amount of
> data in a password, anyway?
We at Zalando are using JWT tokens as passwords. JWT tokens are
self-contained and therefore quite huge (up to 700-800 bytes in our
case). Tokens have a limited lifetime (1 hour) and we are using PAM to
verify them.
Altogether the whole thing works like a charm. The only problem that
it is not possible to copy&paste the token into psql password prompt,
but there is a workaround, export PGPASSWORD=verylongtokenstring &&
psql
JWT: https://jwt.io/
PAM module to verify OAuth tokens: https://github.com/CyberDem0n/pam-oauth2
Regards,
--
Alexander Kukushkin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dean Rasheed | 2020-01-20 20:18:48 | Re: Greatest Common Divisor |
| Previous Message | Robert Haas | 2020-01-20 20:14:47 | Re: Online checksums patch - once again |