Re: Securing .pgpass File?

On Oct 1, 2012, at 10:26 AM, Shaun Thomas <sthomas(at)optionshouse(dot)com> wrote:

> On 10/01/2012 12:19 PM, Darren Duncan wrote:
>
>> You should never put your passwords (or private keys) in source control;
>> it would be better to use the puppet/bcfg option.
>
> That was kind of my point. Puppet / Bcfg2 have the same problem. About a dozen people have access to our bcfg2 repo than I would want to know the contents of .pgpass.
>
> We have twenty machines. If I ever change that file, I have to change it in 20 places. I'd love to put it in bcfg2, but that necessitates allowing anyone with access to bcfg2 the ability to read it. No go.
>
> You basically just reiterated my question back to me. ;) I'd like to *stop* manually copying the files around, but can't because they're completely plain text. It doesn't matter if it's source control, puppet, bcfg2, cfengine, or anything else; unauthorized people can read them, and I rather they didn't.
>
> Encrypted passwords would be nice, but apparently this isn't an option.

If the passwords were encrypted, you'd also need to distribute the password to decrypt the password.

You could obfuscate the passwords (with something that's somewhat equivalent to rot13) which would help with shoulder surfing, but you'd still be distributing a secret that's equivalent to a password. That's something you could do without any support from postgresql though - just deobfuscate as part of the distribution process.

Authentication that isn't based on a secret token would be one way to sidestep the issue - source IP based, for instance.

Cheers,
Steve