Felipe Siqueira

Reputation: 21

How to protect the password between the system and the database

We have an application with a script that creates a conceptual model and a login role in a PostgreSQL database. This login role will be used by the application for everything, independently of the logged-in application user.

How can we protect this login role password inside the application code?

Upvotes: 1

Views: 154

Answers (3)

Serge Ballesta

Reputation: 149155

You cannot.

If the user has direct access to the application (they can directly launch it), everything that is hardcoded in the application should be seen as accessible to the user. Whatever obfuscation you use, a determined attacker will be able to find it (through decompilers and debuggers).

If a break point exists, everything is different:

front end application               back end application
 launched by user         --/-->   launched with a system user
  local machine                     local or remote machine

This is typically the use case for web applications: the user has no access to the application code and does not launch it, so the database password can lie in a configuration file (it will always be accessible to administrators). Even when everything runs on the same machine, a decent OS allows access protection that denies unprivileged users any access to the backend program. In that latter case, the front end and backend can communicate through sockets, named pipes, messages or almost any other IPC mechanism.

TL/DR: the only secure way:

  • split the application into a front end running under a user account with no knowledge of the database server, and a back end running under a system (non-admin) user
  • ensure that normal users have no access to the backend application files
  • store the database password in a configuration file of the backend (never in a source file)

Upvotes: 0

John Zwinck

Reputation: 249582

The main three authentication mechanisms you could use, roughly in order of popularity, are:

  1. Password. Here you somehow load a password in your application, and use it whenever you connect to the database. One easy way to store the password is in a text file protected by filesystem permissions (similar to how you protect SSH private keys).
  2. LDAP. This requires an LDAP server on your network, but that is commonplace in corporate environments. It also requires loading a password in your application. The difference from the regular password mechanism is that the database server doesn't store the credentials or verify the password directly; it delegates these to the LDAP server.
  3. Kerberos. This requires a Kerberos server on your network. Here, the application does not need to load a password; instead the user (or service account) which will run the application must first authenticate using Kerberos (either by typing in a password to kinit, or loading a credential file).

Of these, my personal preference would be Kerberos if that service is supported on the network in question. Second best would be LDAP, because it allows centralized control over things like password changes and revocation. And third would be the regular password mechanism, which works in any environment.

Details on all of the available mechanisms are here: https://www.postgresql.org/docs/10/static/auth-methods.html

Upvotes: 0

Jim Jones

Reputation: 19663

Consider using a YAML file to store your credentials, or alternatively place them in a .pgpass file.

Upvotes: 1
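All three answers come down to the same pattern: keep the password out of the code, in a file that only the account running the back end can read. The block below is an added example (not code from any of the answers) that shows what that looks like in practice for the .pgpass file Jim mentions, which is also the "text file protected by filesystem permissions" of John's option 1 and the back-end configuration file of Serge's TL/DR. It applies the permission rule libpq applies to ~/.pgpass (the file is ignored if group or world bits are set) and parses the documented line format (hostname:port:database:username:password, `*` as a wildcard in the first four fields, `:` and `\` escaped with a backslash). The sample entries are constructed, not real credentials; POSIX permission semantics are assumed, and the ownership check is an extra step beyond what libpq itself does.

```python
"""Read a PostgreSQL password from a .pgpass-style file.

Added example, not code from the original thread. Enforces libpq's
permission rule (no group/world bits) and parses the documented line
format. Sample data is constructed; POSIX permissions are assumed.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample; not real credentials. Second entry uses escaped ':' and '\'.
SAMPLE_PGPASS = (
    "# hostname:port:database:username:password\n"
    r"db.internal:5432:appdb:app_role:s3cr\:et\\pw" "\n"
    "*:*:reporting:report_ro:readonly-pass\n"
)


class InsecurePasswordFile(Exception):
    """The password file is readable by others; refuse to use it."""


def check_permissions(path: Path) -> None:
    """Reject anything but a regular file with no group/world bits (libpq's
    rule for ~/.pgpass). The owner check is an extra step on top of that."""
    st = path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise InsecurePasswordFile(f"{path}: not a regular file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise InsecurePasswordFile(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecurePasswordFile(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is too permissive; use 0600")


def _split_fields(line: str) -> List[str]:
    """Split on unescaped ':' into at most five pieces. Escapes are kept
    verbatim so a literal '*' wildcard can be told apart from an escaped one."""
    pieces: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2])
            i += 2
        elif line[i] == ":" and len(pieces) < 4:
            pieces.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(line[i])
            i += 1
    pieces.append("".join(cur))
    return pieces


def _unescape(raw: str) -> str:
    """Turn '\\:' into ':' and '\\\\' into '\\'."""
    return re.sub(r"\\(.)", r"\1", raw)


def _field_matches(raw: str, wanted: str) -> bool:
    return raw == "*" or _unescape(raw) == wanted


def lookup_password(path: Path, host: str, port: int,
                    dbname: str, user: str) -> Optional[str]:
    """Return the password of the first matching entry, or None."""
    check_permissions(path)
    wanted = (host, str(port), dbname, user)
    for line in path.read_text(encoding="utf-8").splitlines():
        if not line or line.startswith("#"):
            continue
        pieces = _split_fields(line)
        if len(pieces) != 5:
            continue  # malformed line: skipped, as libpq does
        if all(_field_matches(raw, w) for raw, w in zip(pieces[:4], wanted)):
            return _unescape(pieces[4])
    return None


def write_pgpass(path: Path, contents: str, mode: int) -> None:
    """Create the file with the requested mode; 0o600 is the only safe one."""
    path.write_text(contents, encoding="utf-8")
    os.chmod(path, mode)


def run_demo() -> Dict[str, object]:
    """Exercise the loader on a 0600 file and on a world-readable 0644 file."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "pgpass"
    write_pgpass(good, SAMPLE_PGPASS, 0o600)
    results: Dict[str, object] = {
        "exact": lookup_password(good, "db.internal", 5432, "appdb", "app_role"),
        "wildcard": lookup_password(good, "10.0.0.7", 5433, "reporting", "report_ro"),
        "no_match": lookup_password(good, "db.internal", 5432, "appdb", "someone_else"),
    }
    bad = tmp / "pgpass_world_readable"
    write_pgpass(bad, SAMPLE_PGPASS, 0o644)
    try:
        lookup_password(bad, "db.internal", 5432, "appdb", "app_role")
        results["insecure_rejected"] = False
    except InsecurePasswordFile:
        results["insecure_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The permission check runs before a single byte is read, so a file that was deployed with the wrong mode fails loudly at start-up rather than silently working on one host and not another. Note that libpq itself matches a Unix-socket connection against the host name `localhost`, so entries for socket connections should use that name rather than the socket directory.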
