Date: Wed, 16 Oct 2024 16:37:11 +0200
From: Alvaro Herrera
To: mbork@mbork.pl
Cc: pgsql-general@postgresql.org
Subject: Re: What are best practices wrt passwords?
Message-ID: <202410161437.sw2xkl37rcmz@alvherre.pgsql>
In-Reply-To: <87o73kgzkd.fsf@mbork.pl>

On 2024-Oct-16, mbork@mbork.pl wrote:

> I understand why giving the password on the command line or in an
> environment variable is a security risk (because of `ps`), but I do not
> understand why `psql` doesn't have an option like `--password-command`
> accepting a command which then prints the password on stdout. For
> example, I could then use `pass` (https://www.passwordstore.org/) with
> gpg-agent.

We had a patch to add PGPASSCOMMAND once:
https://www.postgresql.org/message-id/flat/CAE35ztOGZqgwae3mBA%3DL97pSg3kvin2xycQh%3Dir%3D5NiwCApiYQ%40mail.gmail.com
I don't remember the overall conclusions (other than the patch being
rejected), but maybe you can give that a read.

-- 
Álvaro Herrera PostgreSQL Developer — https://www.EnterpriseDB.com/
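
A workaround in the spirit of the `--password-command` idea discussed above, as an added example that is not part of the original message and not PostgreSQL project code: a wrapper pipes the output of `pass` into a short-lived 0600 passfile and points `psql` at it with `PGPASSFILE`, so the password never appears in `argv` or in the environment. The function names (`pgpass_escape`, `write_passfile`, `psql_with_pass`) are hypothetical, and the wrapper assumes the first line of the `pass` entry is the password.

```shell
#!/bin/sh
# Added example (hypothetical helper names): psql password via `pass`.

# Escape one passfile field: backslash and colon need a leading backslash.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# Read the password from stdin (first line only), write a one-line
# passfile "host:port:db:user:password", and print the file's path.
# Usage: some-command | write_passfile HOST PORT DB USER
write_passfile() (
    umask 077    # libpq ignores a passfile that group/others can read
    IFS= read -r pw || [ -n "$pw" ] || exit 1   # empty input: fail closed
    f=$(mktemp "${TMPDIR:-/tmp}/pgpass.XXXXXX") || exit 1
    # printf is a shell builtin here, so the password is not in any argv
    printf '%s:%s:%s:%s:%s\n' \
        "$(pgpass_escape "$1")" "$(pgpass_escape "$2")" \
        "$(pgpass_escape "$3")" "$(pgpass_escape "$4")" \
        "$(pgpass_escape "$pw")" > "$f" || exit 1
    printf '%s\n' "$f"
)

# Usage: psql_with_pass PASS_ENTRY HOST PORT DB USER [psql args...]
psql_with_pass() (
    entry=$1 host=$2 port=$3 db=$4 user=$5
    shift 5
    f=$(pass show "$entry" | write_passfile "$host" "$port" "$db" "$user") \
        || exit 1
    trap 'rm -f "$f"' EXIT     # remove the passfile when psql returns
    trap 'exit 1' INT TERM
    # -w: never prompt; fail instead if the passfile entry does not match
    PGPASSFILE=$f psql -w -h "$host" -p "$port" -d "$db" -U "$user" "$@"
)
```

The password does sit in a file readable only by the invoking user for the lifetime of the `psql` process; libpq expects a plain file there, so a pipe or process substitution cannot replace it.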