fboulnois/pg-scram

pg-scram: Postgres scram-sha-256 passwords

A tiny C program to create valid Postgres scram-sha-256 passwords.

These can be used to automatically set and update database passwords without accidentally logging the passwords in plaintext:

echo "my_super_secret_password" > secret.txt
echo "CREATE USER joe WITH PASSWORD :'PGPW';" | psql --set PGPW="$(cat secret.txt | pg-scram)" -f -

joe now has the password my_super_secret_password, but the database logs include this statement instead:

CREATE USER joe WITH PASSWORD 'SCRAM-SHA-256$4096:Hamvc7BOELb9OnEgS1dL/g==$jjR4ODiN5vqzbNUas2xSG08+1iZLWnghzjfXDx9p6yg=:/sRVoDORHCaojcWGg5ifOFx3NN7bzT/xgamQ7CSDpiE='

How to build:

Build locally

pg-scram only requires the libpq headers to build the code. Depending on your distribution, these headers are included in the libpq-dev, libpq-devel, or postgresql-devel packages.

To build the code run:

cc -I/usr/include/postgresql main.c -o pg-scram -lpq

The include paths and library paths might need to be adjusted to match your distribution.

Build using Docker

Two Dockerfiles are also available to build the code:

How to use:

Although pg-scram depends on libpq, it does not need a running Postgres instance.

The password can be specified directly as a command line argument, although an argument is visible in shell history and process listings:

$ pg-scram "hello"
SCRAM-SHA-256$4096:if2MpZnsBy6B/TbMKd+siw==$xXmOAWEPkeDuJqT+N3wVVVY/eJL0vkpGQStEpoIKRw4=:KxdUo1wXlH5O4MCKzTX5E7iZbLxY1p9RX4o7WWbg89I=

The password can also be passed using a pipe:

$ echo "hello" | pg-scram
SCRAM-SHA-256$4096:1FZKq8e9WsX+p6fFN4pVQg==$Tn9TsEDc4v7UVpb7rCgvPVi2lCOck4ip1rQwKEg3coI=:X3ugMHIx12rIxYg2/6n/iaICOLl9dL6n0iyKxaQlZno=

For convenience with most shell utilities, the final newline is discarded by default when using pipes. However, this behavior may be undesirable when piping in files. To avoid this behavior, pass the --no-trim option:

$ cat secret.txt | pg-scram --no-trim
SCRAM-SHA-256$4096:BBsdc8M0Ir9WsCXXMYW3iw==$5rdGQRbwufOlEsrz1dlU1WYA32t5mAMz1Vv57rEP6Ww=:abldSFOQtYuZv5bNfJywrp6V/UtKkptS+DJ0nzx1sq8=
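
The strings printed above follow the layout SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>, with the three binary fields base64-encoded and a fresh random salt on every run, which is why "hello" produced two different outputs. The following is an added example, not code from pg-scram: it parses such a secret and checks a candidate password against it, so a generated value can be audited before it reaches the database. It assumes ASCII passwords (SASLprep is skipped); build_secret, parse_secret, verify and README_SAMPLE are names chosen here.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os

# Sample output for "hello", copied from the usage section of the page.
README_SAMPLE = ("SCRAM-SHA-256$4096:if2MpZnsBy6B/TbMKd+siw=="
                 "$xXmOAWEPkeDuJqT+N3wVVVY/eJL0vkpGQStEpoIKRw4="
                 ":KxdUo1wXlH5O4MCKzTX5E7iZbLxY1p9RX4o7WWbg89I=")

def build_secret(password: str, salt: bytes | None = None, iterations: int = 4096) -> str:
    """Derive a secret in the layout above. Assumes an ASCII password (no SASLprep)."""
    salt = os.urandom(16) if salt is None else salt
    # SCRAM's Hi() is PBKDF2 with HMAC-SHA-256 and a 32-byte output.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"

def parse_secret(secret: str) -> tuple[int, bytes, bytes, bytes]:
    """Return (iterations, salt, StoredKey, ServerKey); ValueError if malformed."""
    scheme, params, keys = secret.strip().split("$")  # wrong part count raises
    if scheme != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 secret")
    iterations, salt_b64 = params.split(":")
    stored_b64, server_b64 = keys.split(":")
    dec = lambda text: base64.b64decode(text, validate=True)
    stored, server = dec(stored_b64), dec(server_b64)
    if int(iterations) < 1 or len(stored) != 32 or len(server) != 32:
        raise ValueError("bad iteration count or key length")
    return int(iterations), dec(salt_b64), stored, server

def verify(password: str, secret: str) -> bool:
    """Re-derive both keys with the secret's own salt and compare in constant time."""
    iterations, salt, stored, server = parse_secret(secret)
    _, _, got_stored, got_server = parse_secret(build_secret(password, salt, iterations))
    return hmac.compare_digest(stored + server, got_stored + got_server)

if __name__ == "__main__":
    iterations, salt, _, _ = parse_secret(README_SAMPLE)
    print("iterations:", iterations, "salt bytes:", len(salt))
    print("matches 'hello':", verify("hello", README_SAMPLE))
    print("matches 'hello\\n':", verify("hello\n", README_SAMPLE))
```

Because the trailing newline is part of the hashed input, a secret built with --no-trim only verifies against the password with its newline included.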
