[CLUE-Tech] RE: postgres questions on pg_dump and pg_hba.conf security
Friedman, Jason
Jason.Friedman at xemkt.com
Thu Feb 26 13:12:57 MST 2004
I've used the .pgpass file. The sample here is with a database named "chess" and a user named "powerpull".
powerpull@love ~ $ ll .pgpass
-rw------- 1 powerpull users 41 Dec 14 04:03 .pgpass
powerpull@love ~ $ cat .pgpass
localhost:5432:chess:powerpull:putPasswordHere
host:port:dbName:userName:putPasswordHere
postgres@love ~ $ grep chess /var/lib/pgsql/data/pg_hba.conf
local chess postgres md5
local chess powerpull md5
When an ordinary user attempts an operation on the database:
jason@love ~ $ pg_dump -s chess
pg_dump: [archiver (db)] connection to database "chess" failed: FATAL: No pg_hba.conf entry for host localhost, user jason, database chess
But, when an authorized (pg_hba.conf) user with a .pgpass file attempts an operation on the database:
powerpull@love ~ $ pg_dump -s chess
[ output here ]
Without the .pgpass file, a password prompt is issued.
>
> Greetings.
>
> I have my pg_hba.conf file set to password authenticate for a single user
> into the database used by an application.
>
> I want to pg_dump the database each night for backup, but pg_dump has no
> password parameter. I can easily pipe in the database user's password into
> pg_dump using an expect script. But, this seems like a security hole
> because the password would be unencrypted.
>
> So, my questions:
>
> 1) Anyone have a slick way to crypt and decrypt a password to plain text?
> I'm thinking that the expect script would read the encrypted password from
> a file, decrypt it to its plain text and then pass it into pg_dump.
>
> 2) What is the security risk if I loosen my pg_hba.conf file and allow
> ident/sameuser for this user?
>
> The main security goal is to protect the database from unauthorized
> access, which is why I tightened up the pg_hba.conf in the first place.
> Only Java applications (via hibernate) access the database.
>
> I appreciate any suggestions.
>
> Jeff
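An added example, not from either poster: a POSIX shell emulation of how libpq resolves a password from .pgpass (host:port:database:user:password, first matching line wins, "*" is a wildcard, and the file is ignored unless it is mode 0600 like the "-rw-------" listing above), plus a constructed sample file with placeholder passwords. The function names, the sample entries and the "backup" role are my own assumptions; escaped ":" or "\" inside fields are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): emulate libpq's ~/.pgpass lookup so a
# cron'd pg_dump can run without a prompt and without a password on the command line.
# Assumes POSIX sh and ls(1); does not handle backslash-escaped ':' in fields.

# pgpass_mode_ok FILE -> 0 only if no group/other permission bits are set.
# libpq silently ignores a .pgpass looser than 0600, so the -rw------- shown
# in the thread is a requirement, not a nicety.
pgpass_mode_ok() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# pgpass_lookup FILE HOST PORT DB USER -> prints the password from the first
# line whose host:port:database:user fields all match ('*' matches anything).
# libpq treats host "localhost" as matching Unix-socket connections as well,
# which is why the thread's localhost:5432 entry serves a plain "pg_dump chess".
# Returns 1 on no match, 2 if the file is missing or its mode is too loose.
pgpass_lookup() {
  file=$1; host=$2; port=$3; db=$4; user=$5
  pgpass_mode_ok "$file" || return 2
  while IFS=: read -r h p d u pw; do
    case "$h" in ''|'#'*) continue ;; esac      # skip blank and comment lines
    [ "$h" = '*' ] || [ "$h" = "$host" ] || continue
    [ "$p" = '*' ] || [ "$p" = "$port" ] || continue
    [ "$d" = '*' ] || [ "$d" = "$db" ]   || continue
    [ "$u" = '*' ] || [ "$u" = "$user" ] || continue
    printf '%s\n' "$pw"
    return 0
  done < "$file"
  return 1
}

# make_sample_pgpass FILE -> writes a constructed .pgpass; the passwords are
# placeholders. umask 077 in a subshell means the file is 0600 from creation,
# so no window exists in which another local user could read it.
make_sample_pgpass() {
  (umask 077; printf '%s\n' \
    '# constructed sample; passwords are placeholders' \
    'localhost:5432:chess:powerpull:putPasswordHere' \
    '*:*:*:backup:backupPlaceholder' > "$1")
}
```

Try it with `make_sample_pgpass /tmp/pgpass.demo && pgpass_lookup /tmp/pgpass.demo localhost 5432 chess powerpull`, then `chmod 644` the file and watch the lookup refuse it, as libpq would.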