
I've got a Linux based application (Java) that connects to an external database (PostgreSQL) in the same LAN.

However, due to the sensitivity of the database contents, I would like to prevent the admins of the application server (root users) from opening the configuration file and seeing the database password contained inside the file.

Is there any alternative or passwordless method to connect? My primary thought is something such as SSL certificates.

Thanks in advance,

Andre
  • Sure. Client certificates would be one obvious choice, but GSSAPI (Kerberos) is probably a superior option. In general though, it's futile to try to prevent someone who can run arbitrary code on the appserver from getting access to the DB. No matter what you do, at most you might slow them down slightly. – Craig Ringer Jan 07 '15 at 12:50

1 Answer


There is a whole host of authentication methods available for PostgreSQL.

However, the way you're talking, it sounds like your application is using a user that is able to see/do more than you want the actual administrators of the application to be able to.
This is a possible design flaw you should look into.
Regardless of the way you authenticate from your application server, if they have admin privileges to the application they could, if they wanted to, abuse that privilege and access your database.

What you might want to look into is giving the user that's used to access the database the least amount of privileges required to run the app.

Reaces
  • Hi Reaces, thanks for your reply. I got some time to read the authentication methods page. Is the "Certificate Authentication" bound to the application or OS, or is it something that can be stolen and used on another system to log in? – Andre Jan 08 '15 at 07:30
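As an added illustration of the least-privilege point in the answer (example script, not part of the original post or of PostgreSQL's documentation), the following SQL creates a passwordless application role that can only touch the tables the app needs; the database name `appdb`, schema `app`, tables `orders` and `customers`, and the `pg_hba.conf` line in the comment are assumptions.

```sql
-- Added example: least-privilege application role for PostgreSQL.
-- The role has no password; it is meant to be authenticated by a client
-- certificate through a pg_hba.conf entry such as (assumed network range):
--   hostssl appdb app_user 192.0.2.0/24 cert
-- With the "cert" method the certificate's CN must equal the role name,
-- so a stolen config file holds no reusable secret by itself.
CREATE ROLE app_user LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Take away the default access every role gets through PUBLIC.
REVOKE ALL ON DATABASE appdb FROM PUBLIC;
REVOKE ALL ON SCHEMA app FROM PUBLIC;

-- Grant only what the application actually needs.
GRANT CONNECT ON DATABASE appdb TO app_user;
GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT, INSERT, UPDATE ON app.orders TO app_user;
GRANT SELECT ON app.customers TO app_user;   -- read-only for the app

-- Verification: list every table privilege held by the role.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'app_user'
ORDER BY table_name, privilege_type;
```

Run the script as a superuser (or the database owner) after connecting to `appdb`; the final query should list only the four grants above, which is the check to repeat whenever the schema changes.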