Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Stephen Frost
Matt, * Desidero (desid...@gmail.com) wrote: > I agree that it would be better for us to use something other than LDAP, If you happen to be using Active Directory, then you should really be using Kerberos-based auth instead. AD includes both LDAP and a KDC and the LDAP half is really *not* the

Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Daniel Verite
Tom Lane wrote: > On many platforms, it's possible for other users to see the environment > variables of a process. So PGPASSWORD is really quite insecure. As said in https://www.postgresql.org/docs/current/static/libpq-envars.html "PGPASSWORD behaves the same as the password

Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Tom Lane
"Daniel Verite" writes: > Desidero wrote: >> When attempting to use something like an anonymous pipe for a >> passfile, psql throws an error stating that it only accepts plain files > So the script doing that has access to the password(s) in clear text. > Can't it

Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Daniel Verite
Desidero wrote: > When attempting to use something like an anonymous pipe for a > passfile, psql throws an error stating that it only accepts plain files So the script doing that has access to the password(s) in clear text. Can't it instead push the password into the PGPASSWORD

Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Andrew Dunstan
On 10/19/2017 09:20 AM, Desidero wrote: > I agree that it would be better for us to use something other than > LDAP, but unfortunately it's difficult to convince the powers that be > that we can/should use something else that they are not yet prepared > to properly manage/audit. We are working

Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Desidero
I agree that it would be better for us to use something other than LDAP, but unfortunately it's difficult to convince the powers that be that we can/should use something else that they are not yet prepared to properly manage/audit. We are working towards it, but we're not there yet. It's not

Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Andrew Dunstan
On 10/19/2017 02:12 AM, Tom Lane wrote: > Desidero writes: >> I’m running into problems with the restriction on pgpass file types. When >> attempting to use something like an anonymous pipe for a passfile, psql >> throws an error stating that it only accepts plain files. >>

Re: [GENERAL] pgpass file type restrictions

2017-10-19 Thread Tom Lane
Desidero writes: > I’m running into problems with the restriction on pgpass file types. When > attempting to use something like an anonymous pipe for a passfile, psql > throws an error stating that it only accepts plain files. > ... > Does anyone know why it’s set up to avoid

[GENERAL] pgpass file type restrictions

2017-10-18 Thread Desidero
Hello, I’m running into problems with the restriction on pgpass file types. When attempting to use something like an anonymous pipe for a passfile, psql throws an error stating that it only accepts plain files. If it matters, I'm trying to use that so I can pass a decrypted pgpassfile into