Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text - Mailing list pgadmin-support
From | Dave Page |
---|---|
Subject | Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text |
Date | |
Msg-id | [email protected] |
In response to | Re: Bug Report - PGAdmin3 windows pgpass.conf passwords stored in plain text ("Joe Moyle" <[email protected]>) |
List | pgadmin-support |
Joe Moyle wrote:
>> Joe Moyle wrote:
> ...
>>> While doing some poking around I discovered that the passwords in the
>>> pgpass.conf file are stored in plain text. I consider this a bug.
> ...
>>> Would the 'powers that be' list this as a bug and add it to the TODO
>>> list?
>> This is how PostgreSQL's libpq requires the file to be formatted.
>>
>> Regards, Dave.
>
> First let me say that I'm not a programmer (wanna-be at best) so I'm
> asking forgiveness in advance if I use the wrong nomenclature or fail to
> communicate what I'm thinking in terms that interested parties can
> easily understand.
>
> I'm looking at the documentation for the libpq method called
> PQconnectdb. I see that it requires user and password in a scenario
> like I've got my server set up. I still think that PGA3 storing the
> password in plain text is a bug. Wouldn't it be better if it stored it
> encrypted using an encryption algorithm that can be unencrypted so that
> it could be unencrypted and then sent to libpq in plain text?
>
> When trying to answer this question for myself I thought that it might
> be pointless because some key would be required for unencrypting. I
> then thought that if I had to type in the key every time it would blow
> my lazy desire to type less out of the water. Upon further reflection I
> thought that it would still be better since I would only have to
> remember one key instead of the various username/password combinations.
>
> I can't help but feel I'm missing something obvious here but am just too
> ignorant to know it. I'll continue reading the libpq documentation and
> thinking about it.
>

pgAdmin only ever writes the file, libpq does the reading so we have to
write it in the format it dictates. See
http://www.postgresql.org/docs/8.2/interactive/libpq-pgpass.html for
more info.

pgAdmin 1.8 does also warn you about the possible consequences of having
an unsecured pgpass file.

Regards, Dave.
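The following audit script is an added example, not part of the original message and not pgAdmin or libpq code. It parses the `hostname:port:database:username:password` format from the libpq documentation linked above and reports over-permissive file modes, wildcard entries and malformed lines without ever printing a password. The function names, sample hosts and sample credentials are constructed for illustration.

```python
import os
import stat
import tempfile

def split_pgpass_line(line):
    """Split one entry into fields; libpq lets ':' and '\\' be escaped with a backslash."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped character is taken literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def audit_pgpass(path):
    """Return (findings, entries); entries never include the password itself."""
    findings, entries = [], []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # On Unix, libpq ignores the file if group/other have any access; Windows has no such check.
    if os.name == "posix" and mode & 0o077:
        findings.append(f"mode {mode:04o} allows group/other access; expected 0600")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line or line.startswith("#"):
                continue
            fields = split_pgpass_line(line)
            if len(fields) != 5:
                findings.append(f"line {lineno}: expected 5 fields, got {len(fields)}")
                continue
            entries.append(tuple(fields[:4]))  # host, port, database, user only
            if "*" in fields[:4]:
                findings.append(f"line {lineno}: wildcard field, password applies to every matching connection")
    return findings, entries

def demo():
    # Constructed sample file; hosts, users and passwords are made up.
    sample = "# constructed sample\ndb1.example.internal:5432:sales:joe:s3cr\\:et\n*:5432:*:postgres:hunter2\nbroken:line\n"
    with tempfile.NamedTemporaryFile("w", suffix=".pgpass", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o644)  # deliberately too permissive for the demo
    try:
        return audit_pgpass(tmp.name)
    finally:
        os.remove(tmp.name)
```

On Windows the mode check is skipped, so the ACL on the directory holding `pgpass.conf` has to be reviewed separately.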