
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Eli Mesika" <emesika@redhat.com>
Cc: "Keith Robertson" <kroberts@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com>
Sent: Sunday, May 5, 2013 10:17:28 AM
Subject: Re: [Engine-devel] Dropping encryption of database password

----- Original Message -----
From: "Eli Mesika" <emesika@redhat.com>
To: "Keith Robertson" <kroberts@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>
Cc: "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com>
Sent: Sunday, May 5, 2013 10:13:59 AM
Subject: Re: [Engine-devel] Dropping encryption of database password

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Keith Robertson" <kroberts@redhat.com>
Cc: "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com>
Sent: Wednesday, May 1, 2013 9:40:13 PM
Subject: Re: [Engine-devel] Dropping encryption of database password

----- Original Message -----
From: "Keith Robertson" <kroberts@redhat.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Josh Bressers" <bressers@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com>, "Sandro Bonazzola" <sbonazzo@redhat.com>
Sent: Wednesday, May 1, 2013 9:31:15 PM
Subject: Re: [Engine-devel] Dropping encryption of database password

On 05/01/2013 02:16 PM, Alon Bar-Lev wrote:
Thank you. This is what I wrote in my initial post. The only users who should access this password are the ovirt user and the root user.
Regards, Alon Bar-Lev.
> Alon, I agree with the desire to store the PW in plaintext and in a non-obfuscated manner. In this case, obfuscation really doesn't gain anything.
I would suggest, however, that the migration to plaintext be coordinated with a simultaneous patch to the Log Collector. It does have a dependency on the current architecture.
Keith
Hi,
As far as I know, it reads the plain text from .pgpass; we need to modify it to search within the alternate format as well.
We are using the original .pgpass file, which is in 0600 mode (accessible only to root). If the file does not have this mode, it is ignored by Postgres. I see no security issue in that ...
Please see details in http://www.postgresql.org/docs/9.0/static/libpq-pgpass.html
I am going to drop the .pgpass file in favor of another configuration file and produce .pgpass at will. This is because:
1. The proprietary format of .pgpass is not friendly to parsing.
2. It does not hold the SSL setting.
3. It does not hold the SSL host validation setting.
4. It will be more difficult to modify the user password.
This file is also 0600 owned by engine but in key=value format, so no change as far as security is concerned.
That's OK from my point ....
Thanks! Alon.
Thanks, Alon
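
Added example, not part of the original thread and not oVirt's code: a Python illustration of the approach discussed above, reading a 0600 key=value settings file and producing a .pgpass entry from it on demand. The key names (DB_HOST, DB_SECURED and so on), the file name database.conf and the choice to refuse any file with group or other permission bits set are assumptions made for this example.

```python
import os
import stat
import tempfile

# Constructed sample; key names are hypothetical, not oVirt's real ones.
SAMPLE = ("DB_HOST=localhost\nDB_PORT=5432\nDB_NAME=engine\nDB_USER=engine\n"
          "DB_PASSWORD=p:ss\\word\nDB_SECURED=true\n")

def load_db_config(path):
    """Parse key=value settings, refusing a file group/other can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {mode:04o} is wider than 0600")
    config = {}
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep:  # name the line number only, never echo a possible secret
                raise ValueError(f"{path}:{lineno}: expected key=value")
            config[key.strip()] = value.strip()
    return config

def pgpass_escape(field):  # .pgpass is colon-separated: escape '\' and ':'
    return field.replace("\\", "\\\\").replace(":", "\\:")

def write_pgpass(config, dest):  # one host:port:database:user:password line
    keys = ("DB_HOST", "DB_PORT", "DB_NAME", "DB_USER", "DB_PASSWORD")
    entry = ":".join(pgpass_escape(config[k]) for k in keys) + "\n"
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        os.fchmod(fh.fileno(), 0o600)  # pin the mode whatever the umask or old mode
        fh.write(entry)
    return entry

def demo():
    with tempfile.TemporaryDirectory() as d:
        conf, pgpass = os.path.join(d, "database.conf"), os.path.join(d, ".pgpass")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(conf, 0o644)  # too open: must be refused
        try:
            refused = not load_db_config(conf)  # a parsed dict means "not refused"
        except PermissionError:
            refused = True
        os.chmod(conf, 0o600)
        entry = write_pgpass(load_db_config(conf), pgpass)
        return refused, entry, stat.S_IMODE(os.stat(pgpass).st_mode)
```

The SSL-related key stays in the key=value file only, since the .pgpass line has no field for it.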