diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 426928f680..4d6a0edd91 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1452,18 +1452,18 @@ include_dir 'conf.d'
mechanism is used.
- The command must print the passphrase to the standard output and exit
- with code 0. In the parameter value, %p is
- replaced by a prompt string. (Write %% for a
- literal %.) Note that the prompt string will
- probably contain whitespace, so be sure to quote adequately. A single
- newline is stripped from the end of the output if present.
-
-
- The command does not actually have to prompt the user for a
- passphrase. It can read it from a file, obtain it from a keychain
- facility, or similar. It is up to the user to make sure the chosen
- mechanism is adequately secure.
+ The command must print the passphrase to the standard output
+ and exit with code 0. It can prompt from the terminal if
+ is used. In the parameter value,
+ %R represents the file descriptor number opened
+ to the terminal that started the server. A file descriptor is only
+ available if enabled at server start. If %R
+ is used and no file descriptor is available, the server will not
+ start. Value %p is replaced by a pre-defined
+ prompt string. (Write %% for a literal
+ %.) Note that the prompt string will probably
+ contain whitespace, so be sure to quote its use adequately.
+ Newlines are stripped from the end of the output if present.
This parameter can only be set in the postgresql.conf
@@ -1486,10 +1486,12 @@ include_dir 'conf.d'
parameter is off (the default), then
ssl_passphrase_command will be ignored during a
reload and the SSL configuration will not be reloaded if a passphrase
- is needed. That setting is appropriate for a command that requires a
- TTY for prompting, which might not be available when the server is
- running. Setting this parameter to on might be appropriate if the
- passphrase is obtained from a file, for example.
+ is needed. This setting is appropriate for a command that requires a
+ terminal for prompting, which will likely not be available when the server is
+ running. ( closes the terminal file
+ descriptor soon after server start.) Setting this parameter on
+ might be appropriate, for example, if the passphrase is obtained
+ from a file.
This parameter can only be set in the postgresql.conf
diff --git a/doc/src/sgml/ref/pg_ctl-ref.sgml b/doc/src/sgml/ref/pg_ctl-ref.sgml
index f04e417745..0662ae051a 100644
--- a/doc/src/sgml/ref/pg_ctl-ref.sgml
+++ b/doc/src/sgml/ref/pg_ctl-ref.sgml
@@ -380,8 +380,9 @@ PostgreSQL documentation
- Allows the command
- to prompt for a passphrase or PIN.
+ Allows or
+ to prompt for a passphrase
+ or PIN.
diff --git a/doc/src/sgml/ref/pgupgrade.sgml b/doc/src/sgml/ref/pgupgrade.sgml
index 98be3921cb..b1bcdb77a3 100644
--- a/doc/src/sgml/ref/pgupgrade.sgml
+++ b/doc/src/sgml/ref/pgupgrade.sgml
@@ -170,7 +170,9 @@ PostgreSQL documentation
- allows prompting for a passphrase or PIN
+ allows or
+ to prompt for a passphrase
+ or PIN.
diff --git a/src/backend/libpq/be-secure-common.c b/src/backend/libpq/be-secure-common.c
index 94cdf4c887..1b712cfbba 100644
--- a/src/backend/libpq/be-secure-common.c
+++ b/src/backend/libpq/be-secure-common.c
@@ -22,6 +22,7 @@
#include
#include
+#include "postmaster/postmaster.h"
#include "common/string.h"
#include "libpq/libpq.h"
#include "storage/fd.h"
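Review bot: The added `#include "postmaster/postmaster.h"` breaks the alphabetical order of the project-header block (it lands before `"common/string.h"`), whereas the existing lines are sorted; placing it after `"libpq/libpq.h"` keeps the block consistent with the rest of the file. The new header is presumably what brings `terminal_fd` into scope for the `%R` case below; a one-line comment at the use site saying so would spare the next reader the lookup, e.g. `/* terminal_fd comes from postmaster/postmaster.h; -1 when no terminal was handed over */`.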
@@ -61,6 +62,19 @@ run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf,
appendStringInfoString(&command, prompt);
p++;
break;
+ case 'R':
+ {
+ char fd_str[20];
+
+ if (terminal_fd == -1)
+ ereport(ERROR,
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg("ssl_passphrase_command referenced %%R, but -R not specified")));
+ p++;
+ snprintf(fd_str, sizeof(fd_str), "%d", terminal_fd);
+ appendStringInfoString(&command, fd_str);
+ break;
+ }
case '%':
appendStringInfoChar(&command, '%');
p++;
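Review bot: The `ereport(ERROR, ...)` in the new `case 'R':` branch is unconditional, so if `ssl_passphrase_command` uses `%R` and this function is reached on a configuration reload (when, per the accompanying docs, the terminal descriptor has already been closed and `terminal_fd` is -1), a plain `ERROR` raised in the postmaster is escalated to `FATAL` and takes the running server down — a misconfiguration that should only fail the reload becomes an availability hit. The function takes `is_server_start` precisely to distinguish these two situations, and (hedged, since the rest of the body is outside the hunk) the existing failure paths in this function appear to use `ereport(is_server_start ? FATAL : LOG, ...)` and bail out rather than raising `ERROR`; the new branch should follow the same convention and return through the same failure path. `ERRCODE_INTERNAL_ERROR` is also the wrong class for a user-visible configuration mistake; `ERRCODE_CONFIG_FILE_ERROR` (or `ERRCODE_INVALID_PARAMETER_VALUE`) describes it. Proposed: `ereport(is_server_start ? FATAL : LOG, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("ssl_passphrase_command referenced %%R, but -R not specified")));` followed by a jump to the function's existing cleanup/failure exit instead of falling through to `snprintf`. `run_ssl_passphrase_command` begins before this hunk and continues after it.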