Hi,
maybe you want to use [1] pgcrypto encrypt/decrypt function using "secret" word stored outside the database.
See F.25.4. Raw Encryption Functions

[1] https://www.postgresql.org/docs/11/pgcrypto.html

Regards,

On Thu, 19 Sep 2019 at 16:19, Adrian Klaver <adrian.kla...@aklaver.com> wrote:

> On 9/19/19 3:30 AM, Matthias Apitz wrote:
> >
> > Hello,
> >
> > Our software, a huge ILS, is running on Linux with DBS Sybase. To
> > connect to the Sybase server (over the network, even on localhost),
> > credentials must be known: a user (say 'sisis') and its password.
> >
> > For Sybase we have them stored on the disk of the system in a file
> > syb.npw as:
> >
> > $ cat /opt/lib/sisis/etc/syb/syb.npw
> > sisis:e53902b9923ab2fb
> > sa:64406def48efca8c
> >
> > for the user 'sisis' and the administrator 'sa'. Our software has as
> > shared library a blob which knows how to decrypt the password hash above
> > shown as 'e53902b9923ab2fb' into clear text which is then used in the
> > ESQL/C or Java layer to connect to the Sybase server.
> >
> > For PostgreSQL the password must be typed in (for pgsql) or can be
> > provided in an environment variable PGPASSWORD=blabla
> >
> > Is there somehow an API in PG to use ciphered passwords and provide as a
> > shared library the blob to decrypt it? If not, we will use the mechanism
> > same as
>
> There is not and I am not sure that would be much use even if it did
> exist. You would be right back at someone being able to grab the
> credentials from a file and feeding them to the database for access.
>
> The system you currently have at least seems to limit access to a
> specific program external to Postgres.
>
> > we use for Sybase. Or any other idea to not make detectable the
> > credentials? This was a request of our customers some years ago.
> >
> > matthias
>
> --
> Adrian Klaver
> adrian.kla...@aklaver.com
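
The pgcrypto suggestion at the top of this message, written out as an added example that is not code from any participant in the thread: a psql script that encrypts and decrypts a stored value with the raw encryption functions, using a secret kept outside the database. The table name `remote_login`, the `APP_SECRET` environment variable and the sample password are assumptions, and the secret is assumed to be a long random value.

```sql
-- Added example; remote_login, APP_SECRET and the sample value are assumptions.
-- Run from the client, with the secret only in the client's environment:
--   APP_SECRET=<long random value> psql -d <database> -f pgcrypto_demo.sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- psql runs the backquoted command on the client and stores its output.
\set secret `printenv APP_SECRET`

CREATE TEMP TABLE remote_login (
    login  text  PRIMARY KEY,
    iv     bytea NOT NULL,   -- per-row random IV, not secret
    pw_enc bytea NOT NULL    -- AES-CBC ciphertext
);

-- Encrypt: SHA-256 of the secret gives a 32-byte AES key; a fresh IV per
-- row keeps equal plaintexts from producing equal ciphertexts.
WITH p AS (SELECT gen_random_bytes(16) AS iv)
INSERT INTO remote_login (login, iv, pw_enc)
SELECT 'sisis',
       p.iv,
       encrypt_iv(convert_to('constructed-sample-password', 'UTF8'),
                  digest(:'secret'::text, 'sha256'),
                  p.iv,
                  'aes-cbc/pad:pkcs')
FROM p;

-- What is at rest in the table: only the IV and the ciphertext.
SELECT login, encode(iv, 'hex') AS iv, encode(pw_enc, 'hex') AS pw_enc
FROM remote_login;

-- Decrypt: works only for a session that supplies the same secret.
SELECT login,
       convert_from(
           decrypt_iv(pw_enc,
                      digest(:'secret'::text, 'sha256'),
                      iv,
                      'aes-cbc/pad:pkcs'),
           'UTF8') AS pw
FROM remote_login;

-- Everything above happens after the client has already connected, and
-- the secret is sent to the server inside the SQL text, so statement
-- logging on the server can record it.
```

The pgcrypto documentation discourages the raw functions in favor of its PGP functions (`pgp_sym_encrypt` / `pgp_sym_decrypt`), because the raw ones add no integrity check and leave key and IV handling to the caller. It also notes that data and keys travel between client and server in clear text unless the connection itself is encrypted.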