On Friday, September 22, 2023, Dominique Devienne <ddevie...@gmail.com> wrote:
> > Remember that I'm already connected in the "parent" process, to the DB. > There aught to be a way to obtain a token from the DB via a connection, > with a short duration, to supply to the exec'd PostgreSQL tools like psql > or pg_dump, > to completely bypass passwords. The server would maintain per-DB secrets, > and sign a JWT token for example, valid for a few seconds, for that > user/DB pair, > that the parent "process" could then utilize / pass to the "fork/exec"d > tool. > > Much safer than plain-text passwords floating around env-vars or > temp-files. --DD > Sure, though maybe just some kind of “—password-on-stdin” option and then the next input read from stdin is interpreted as the password, would be more readily accomplished. Scripts should be sent via “—file” in that usage but that seems desirable anyway. David J.
