Re: ssl passphrase callback

On Fri, 15 Nov 2019 at 00:34, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>
wrote:

>
> On 11/14/19 11:07 AM, Bruce Momjian wrote:
> > On Thu, Nov 14, 2019 at 11:42:05AM +0100, Magnus Hagander wrote:
> >> On Wed, Nov 13, 2019 at 9:23 PM Tomas Vondra <
> tomas(dot)vondra(at)2ndquadrant(dot)com>
> >> I think it would be beneficial to explain why shared object is more
> >> secure than an OS command. Perhaps it's common knowledge, but it's
> not
> >> quite obvious to me.
> >>
> >>
> >> Yeah, that probably wouldn't hurt. It's also securely passing from more
> than
> >> one perspective -- both from the "cannot be eavesdropped" (like putting
> the
> >> password on the commandline for example) and the requirement for
> escaping.
> > I think a bigger issue is that if you want to give people the option of
> > using a shell command or a shared object, and if you use two commands to
> > control it, it isn't clear what happens if both are defined. By using
> > some character prefix to control if a shared object is used, you can use
> > a single variable and there is no confusion over having two variables
> > and their conflicting behavior.
> >
>
>
> I'm not sure how that would work in the present instance. The shared
> preloaded module installs a function and defines the params it wants. If
> we somehow unify the params with ssl_passphrase_command that could look
> icky, and the module would have to parse the settings string. That's not
> a problem for the sample module which only needs one param, but it will
> be for other more complex implementations.
>
> I'm quite open to suggestions, but I want things to be tolerably clean.

If someone wants a shell command wrapper, they can load a contrib that
delegates the hook to a shell command. So we can just ship a contrib, which
acts both as test coverage for the feature, and a shell-command-support
wrapper for anyone who desires that.

--
Craig Ringer http://www.2ndQuadrant.com/
2ndQuadrant - PostgreSQL Solutions for the Enterprise