Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
sqitch-passwords(3)   User Contributed Perl Documentation  sqitch-passwords(3)

       sqitch-passwords	- Guide	to using database passwords with Sqitch

       You may have noticed that Sqitch	has no "--password" option. This is
       intentional. It's generally not a great idea to specify a password on
       the command-line: from there, it	gets logged to your command history
       and is easy to extract by anyone	with access to your system. So you
       might wonder how	to specify passwords so	that Sqitch an successfully
       deploy to databases that	require	passwords. There are four approaches,
       in order	from most- to least-recommended:

       1. Avoid	using a	password at all
       2. Use a	database engine-specific password file
       3. Use the $SQITCH_PASSWORD environment variable
       4. Include the password in the deploy target URI

       Each is covered in detail in the	sections below.

Don't use Passwords
       Of course, the best way to protect your passwords is not	to use them at
       all.  If	your database engine is	able to	do passwordless
       authentication, it's worth taking the time to make it work, especially
       on your production database systems. Some examples:

	   PostgreSQL supports a number	of authentication methods
	   including the passwordless SSL certificate
	   methods.html#AUTH-CERT>, GSSAPI
	   methods.html#GSSAPI-AUTH>, and, for local connections, peer
	   authentication <

	   MySQL supports a number of authentication methods
	   plus	SSL authentication

	   Oracle supports a number of authentication methods
	   including SSL authentication
	   third-party authentication
	   and,	for local connections, OS authentication

	   Vertica supports a number of	authentication methods
	   including the passwordless TLS authentication
	   GSS authentication
	   and,	for local connections, ident authentication

	   Firebird supports passwordless authentication only via trusted
	   authentication <>
	   for local connections.

Use a Password File
       If you must use password	authentication with your database server, you
       may be able to use a protected password file. This is file with access
       limited only to the current user	that the server	client library can
       read in.	As such, the format is specified by the	database vendor, and
       not all database	servers	offer the feature. Here's how the database
       engines supported by Sqitch shake out:

	   PostgreSQL will use a .pgpass file
	   in the user's home directory	to or referenced by the	$PGPASSFILE
	   environment variable. This file must	limit access only to the
	   current user	(0600) and contains lines specify authentication rules
	   as follows:


	   For MySQL, if the MySQL::Config module is installed,	passwords can
	   be specified	in the /etc/my.cnf and ~/.my.cnf files
	   user.html#idm139947650158560>.  These files must limit access only
	   to the current user (0600). Sqitch will look	for a password under
	   the "[client]" and "[mysql]"	sections, in that order.

	   Oracle supports "password
	   created with	the "ORAPWD" utility to	authenticate "SYSDBA" and
	   "SYSOPER" users, but	Sqitch is unable to take advantage of this
	   functionality. Neither can one embed	a username and password
	   <> into a tnsnames.ora

	   Vertica does	not currently support a	password file.

	   Firebird does not currently support a password file.

       The $SQITCH_PASSWORD environment	variable can be	used to	specify	the
       password	for any	supported database engine. However use of this
       environment variable is not recommended for security reasons, as	some
       operating systems allow non-root	users to see process environment
       variables via "ps".

       The behavior of $SQITCH_PASSWORD	is consistent across all supported
       engines.	Some database engines support their own	password environment
       variables, which	you may	wish to	use instead. However, their behaviors
       may not be consistent:





Use Target URIs
       Passwords may also be specified in target URIs.	This is	not generally
       recommended, since such URIs are	either specified via the command-line
       (and therefore visible in "ps" and your shell history) or stored	in the
       configuration, the project instance of which is generally pushed	to
       your source code	repository. But	it's provided here as an absolute last
       resort (and because web URLs support it,	though it's heavily frowned
       upon there, too).

       Such URIs can either be specified on the	command-line:

	 sqitch	deploy db:pg://

       Or stored as named targets in the project configuration file:

	 sqitch	target add wigets db:pg://

       After which the target is available by its name:

	 sqitch	deploy widgets

       See sqitch-targets and "sqitch-configuration" for details  on target

See Also
       o   sqitch-environment

       o   sqitch-configuration

       o   sqitch-target

       Part of the sqitch suite.

perl v5.32.1			  2021-03-02		   sqitch-passwords(3)

Name | Description | Don't use Passwords | Use a Password File | Use $SQITCH_PASSWORD | Use Target URIs | See Also | Sqitch

Want to link to this manual page? Use this URL:

home | help