From: Magnus Hagander on
On Thu, Jan 7, 2010 at 13:34, Heikki Linnakangas
<heikki.linnakangas(a)enterprisedb.com> wrote:
> Fujii Masao wrote:
>> On Thu, Jan 7, 2010 at 5:44 PM, Magnus Hagander <magnus(a)hagander.net> wrote:
>>>> Such information are supplied in the parameter 'primary_conninfo' of
>>>> recovery.conf. For example;
>>>>
>>>>    primary_conninfo = 'host=192.168.1.50 port=5432 user=foo'
>>> So the password can just go there, no?
>>
>> Yeah, the password can be supplied in primary_conninfo.
>>
>>    primary_conninfo = 'host=192.168.1.50 port=5432 user=foo password=foopass'
>>
>> Also you can use the environment variable PGPASSWORD.
>> Is this enough? I was thinking that some people would
>> complain that only the password for replication cannot
>> be supplied in .pgpass.
>
> That seems enough to me.
>
> BTW, how do you set up authentication using an SSL certificate? ISTM
> that's the way we should be encouraging people to configure
> authentication between a master and standby, rather than type a password
> to a file.

Connectoin parameters: sslcert, sslkey and sslrootcert in most cases.
Or just put the key in ~/.postgresql/postgresql.key.


--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Tom Lane on
Fujii Masao <masao.fujii(a)gmail.com> writes:
> On Thu, Jan 7, 2010 at 5:46 PM, Magnus Hagander <magnus(a)hagander.net> wrote:
>> However, wouldn't it make more logical sense to replace "host/hostssl"
>> with "replication/replicationssl" rather than overload the database
>> field?

> Seems good. How about the following formats?

> replication user CIDR-address auth-method [auth-options]
> replicationssl user CIDR-address auth-method [auth-options]
> replication user IP-address IP-mask auth-method [auth-options]
> replicationssl user IP-address IP-mask auth-method [auth-options]

> Note that "database" field has been removed since it's useless
> for replication.

I'm getting more and more confused here. I thought we were talking
about client-side .pgpass. This seems to be talking about pg_hba.conf.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Heikki Linnakangas on
Tom Lane wrote:
> I'm getting more and more confused here. I thought we were talking
> about client-side .pgpass. This seems to be talking about pg_hba.conf.

Yeah, the topic was covertly changed.

It seems we have consensus to not change .pgpass, and to leave
pg_hba.conf as it is now in the patch as well.

--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers