From: "Eli Mesika" <emesika(a)redhat.com>
To: "Keith Robertson" <kroberts(a)redhat.com>, "Alon Bar-Lev" <alonbl(a)redhat.com>, "Juan Hernandez" <jhernand(a)redhat.com>
Cc: "engine-devel" <engine-devel(a)ovirt.org>, "pmatouse" <pmatouse(a)redhat.com>
Sent: Sunday, May 5, 2013 10:13:59 AM
Subject: Re: [Engine-devel] Dropping encryption of database password
----- Original Message -----
> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
> To: "Keith Robertson" <kroberts(a)redhat.com>
> Cc: "Juan Hernandez" <jhernand(a)redhat.com>, "engine-devel" <engine-devel(a)ovirt.org>, "pmatouse" <pmatouse(a)redhat.com>
> Sent: Wednesday, May 1, 2013 9:40:13 PM
> Subject: Re: [Engine-devel] Dropping encryption of database password
>
>
>
> ----- Original Message -----
> > From: "Keith Robertson" <kroberts(a)redhat.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: "Josh Bressers" <bressers(a)redhat.com>, "Juan Hernandez" <jhernand(a)redhat.com>, "engine-devel" <engine-devel(a)ovirt.org>, "pmatouse" <pmatouse(a)redhat.com>, "Sandro Bonazzola" <sbonazzo(a)redhat.com>
> > Sent: Wednesday, May 1, 2013 9:31:15 PM
> > Subject: Re: [Engine-devel] Dropping encryption of database password
> >
> > On 05/01/2013 02:16 PM, Alon Bar-Lev wrote:
> > > Thank you.
> > > This is what I wrote in my initial post.
> > > The only users who should access this password are the ovirt user and
> > > the root user.
> > >
> > > Regards,
> > > Alon Bar-Lev.
> > >
> > >> >
> > Alon,
> > I agree with the desire to store the PW in plaintext and in a
> > non-obfuscated manner. In this case, obfuscation really doesn't gain
> > anything.
> >
> > I would suggest, however, that the migration to plaintext be coordinated
> > with a simultaneous patch to the Log Collector. It does have a
> > dependency on the current architecture.
> >
> > Keith
> >
>
> Hi,
>
> As far as I know it reads the plain text from .pgpass, we need to modify it
> to search within the alternate format as well.
We are using the original .pgpass file, which is in 0600 mode (accessible
only to root).
If the file does not have this mode, it is ignored by Postgres.
I see no security issue in that ...
Please see details in
http://www.postgresql.org/docs/9.0/static/libpq-pgpass.html
I am going to drop the .pgpass file in favor of another configuration file and produce
.pgpass at will.
This is because:
1. The proprietary format of .pgpass is not friendly to parsing.
2. It does not hold the SSL setting.
3. It does not hold the SSL host validation setting.
4. It will be more difficult to modify user password.
This file is also 0600 owned by engine but in key=value format, so no change as far as
security is concerned.
Thanks!
Alon.
>
> Thanks,
> Alon
> _______________________________________________
> Engine-devel mailing list
> Engine-devel(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel
>
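
A sketch of the approach described in the message above (keep the credentials in a 0600 key=value file and generate .pgpass from it on demand), added here as an example and not taken from the oVirt code base. The key names, sample values and function names are assumptions; the escaping and permission rules follow the libpq .pgpass documentation linked in the thread.

```python
import os
import stat

# Constructed sample; key names are assumptions, not oVirt's actual ones.
SAMPLE = "# engine db\nhost=localhost\nport=5432\ndatabase=engine\nuser=engine\npassword=s3:cr\\et\n"

def parse_kv(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            raise ValueError(f"not key=value: {line!r}")
        conf[key.strip()] = value.strip()
    return conf

def pgpass_escape(field):
    """.pgpass fields are colon-separated; '\\' and ':' must be backslash-escaped."""
    return field.replace("\\", "\\\\").replace(":", "\\:")

def pgpass_line(conf):
    """Build one hostname:port:database:username:password entry."""
    keys = ("host", "port", "database", "user", "password")
    return ":".join(pgpass_escape(conf[k]) for k in keys) + "\n"

def is_private(path):
    """True if group and others have no access, the condition libpq checks."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def write_pgpass(conf_path, out_path):
    """Refuse a loosely-permissioned source, then create out_path as 0600."""
    if not is_private(conf_path):
        raise PermissionError(f"{conf_path} is accessible by group or others")
    with open(conf_path) as fh:
        line = pgpass_line(parse_kv(fh.read()))
    # O_EXCL: fail instead of reusing a file someone else may have pre-created.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # exact mode regardless of umask
        fh.write(line)
    return line
```
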