[CLUE-Tech] postgres questions on pg_dump and pg_hba.conf security
Jeff Cann
j.cann at isuma.org
Wed Feb 25 20:29:43 MST 2004
Greetings.
I have my pg_hba.conf file set to password authenticate for a single user into
the database used by an application.
I want to pg_dump the database each night for backup, but pg_dump has no
password parameter. I can easily pipe in the database user's password into
pg_dump using an expect script. But, this seems like a security hole because
the password would be unencrypted.
So, my questions:
1) Anyone have a slick way to crypt and decrypt a password to plain text?
I'm thinking that the expect script would read the encrypted password from a
file, decrypt it to its plain text and then pass it into pg_dump.
2) What is the security risk if I loosen my pg_hba.conf file and allow
ident/sameuser for this user?
The main security goal is to protect the database from unauthorized access,
which is why I tightened up the pg_hba.conf in the first place. Only Java
applications (via hibernate) access the database.
I appreciate any suggestions.
Jeff
--
http://isuma.org/
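
An added example, not part of the original post: a non-interactive nightly dump that keeps password authentication in pg_hba.conf and has pg_dump read the password from libpq's password file (`~/.pgpass`, or the file named by `PGPASSFILE`) rather than from an expect script. The database `appdb`, the user `appuser` and `localhost:5432` are hypothetical placeholders.

```sh
#!/bin/sh
# Added example: nightly pg_dump that reads the password from a libpq
# password file instead of an expect script. The database "appdb", user
# "appuser" and localhost:5432 are hypothetical placeholders.

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# pgpass_ok FILE HOST PORT DB USER
# Succeeds only if FILE is private to its owner and has a matching entry.
# libpq ignores a password file that group or others can access.
pgpass_ok() {
    [ -f "$1" ] || { echo "missing password file: $1" >&2; return 1; }
    case "$(file_mode "$1")" in
        600|400) ;;
        *) echo "$1 must be mode 0600" >&2; return 2 ;;
    esac
    # Entry format: hostname:port:database:username:password ("*" = any).
    # Simplification: backslash-escaped colons in fields are not handled.
    awk -F: -v h="$2" -v p="$3" -v d="$4" -v u="$5" '
        /^#/ { next }
        ($1 == h || $1 == "*") && ($2 == p || $2 == "*") &&
        ($3 == d || $3 == "*") && ($4 == u || $4 == "*") { found = 1; exit }
        END { exit (found ? 0 : 1) }' "$1" ||
        { echo "no entry for $5@$2:$3/$4 in $1" >&2; return 3; }
}

# nightly_dump OUTFILE
nightly_dump() {
    pgpass_ok "${PGPASSFILE:-$HOME/.pgpass}" localhost 5432 appdb appuser || return 1
    # --no-password makes pg_dump fail instead of prompting under cron;
    # umask 077 keeps the dump itself unreadable to other local users.
    ( umask 077; pg_dump --no-password -h localhost -p 5432 -U appuser appdb > "$1" )
}

# Run only when invoked as: backup.sh --run /path/to/dump.sql
if [ "${1:-}" = "--run" ]; then
    nightly_dump "${2:?usage: $0 --run OUTFILE}"
fi
```

The password still sits in plain text on disk, so its protection is the file mode and the account that owns the cron job, not encryption.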