Re: BUG #10680: LDAP bind password leaks to log on failed authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Steven Siebert <smsiebe(at)gmail(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #10680: LDAP bind password leaks to log on failed authentication
Date: 2014-06-19 13:54:28
Message-ID: 20140619135428.GM16098@tamriel.snowman.net
Lists: pgsql-bugs

Steven,

* Steven Siebert (smsiebe(at)gmail(dot)com) wrote:
> > If you don't want the server to see the user's password, don't use LDAP
> > authentication. A much better approach is Kerberos or client-side SSL
> > certificates.
>
> Sadly, all other authentication options will not work for us.
>
> I'm not seeing the user password in the log, I'm seeing the bind
> password (ldapbindpasswd) that in the pg_hba.conf file. There is a
> line in auth.c that, on every failed attempt, prints the full (raw)
> configuration line to the log at all log levels. So, this isn't just
> a problem with LDAP (with ldapbindpasswd) but also the RADIUS method
> (radiussecret).

Ah, ok. Kerberos and SSL certs aren't immune to that problem, though
the secrets don't ever end up in the logs, but they still must be
visible to the server process. Of course, if you already
have access to the server process, there shouldn't be much to gain
from the Kerberos secret, the RADIUS secret, the SSL private key, or
the LDAP bind password.

> I've submitted a patch and we're discussing the problem further on the
> pgsql-hackers distro. Really, I think it all comes down to finding
> the right balance of security and convenience of the administrator.
> I'm hopeful we'll come up with the right answer soon and I can submit
> a new patch.

Oh, yeah, I saw that discussion but hadn't quite put it together with
this bug report (somehow I saw the bug report after the hackers
discussion...).

Thanks,

Stephen
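The leak Steven describes is auth.c logging the raw pg_hba.conf line, secrets included, on every failed authentication. One way to keep ldapbindpasswd and radiussecret out of that message is to mask their values before the line is handed to the logger. The C below is an added example written for this page; it is not code from the thread, from Steven's patch, or from PostgreSQL's auth.c, and the function names, the list of secret option keys, and the sample hba lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Option keys whose values must never reach the log. The two names are
 * the ones the thread mentions; keeping them in a table is this example's
 * own choice, not something taken from auth.c. */
static const char *const secret_keys[] = {
    "ldapbindpasswd",
    "radiussecret",
    NULL
};

static int is_secret_key(const char *key, size_t keylen)
{
    for (const char *const *k = secret_keys; *k; k++)
        if (strlen(*k) == keylen && strncmp(*k, key, keylen) == 0)
            return 1;
    return 0;
}

/* Copy `line` into `out`, replacing the value of every secret key=value
 * token with "***". Values may be bare or double-quoted ("..."), and a
 * quoted value may contain spaces. Returns the number of values redacted,
 * or -1 if `out` (of size `outlen`) cannot hold the result. */
int redact_hba_line(const char *line, char *out, size_t outlen)
{
    size_t o = 0;
    int redacted = 0;
    const char *p = line;

    while (*p) {
        /* whitespace between tokens is copied verbatim */
        if (isspace((unsigned char)*p)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;
            continue;
        }
        /* scan one token: key[=value], ending at unquoted whitespace */
        const char *tok = p;
        const char *eq = NULL;
        int inq = 0;
        while (*p && (inq || !isspace((unsigned char)*p))) {
            if (*p == '"') inq = !inq;
            else if (*p == '=' && !eq && !inq) eq = p;
            p++;
        }
        size_t toklen = (size_t)(p - tok);
        if (eq && is_secret_key(tok, (size_t)(eq - tok))) {
            size_t keylen = (size_t)(eq - tok) + 1; /* key plus '=' */
            if (o + keylen + 3 >= outlen) return -1;
            memcpy(out + o, tok, keylen);
            o += keylen;
            memcpy(out + o, "***", 3);
            o += 3;
            redacted++;
        } else {
            if (o + toklen >= outlen) return -1;
            memcpy(out + o, tok, toklen);
            o += toklen;
        }
    }
    out[o] = '\0';
    return redacted;
}

/* Helper for checks: 1 if redacting `in` yields exactly `expected`. */
int redacts_to(const char *in, const char *expected)
{
    char buf[512];
    if (redact_hba_line(in, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

/* Helper for checks: number of values redacted in `in`, or -1 on overflow. */
int redact_count(const char *in)
{
    char buf[512];
    return redact_hba_line(in, buf, sizeof buf);
}

int main(void)
{
    /* constructed sample lines, of the kind auth.c would log verbatim */
    const char *ldap = "host all all 10.0.0.0/8 ldap ldapserver=ldap.example.com "
                       "ldapbinddn=\"cn=pg,dc=example,dc=com\" "
                       "ldapbindpasswd=\"s3cret pass\" ldapbasedn=\"dc=example,dc=com\"";
    const char *radius = "host all all 0.0.0.0/0 radius radiusserver=r.example.com "
                         "radiussecret=hunter2 radiusport=1812";
    char buf[512];
    int n = redact_hba_line(ldap, buf, sizeof buf);
    printf("%d redacted: %s\n", n, buf);
    n = redact_hba_line(radius, buf, sizeof buf);
    printf("%d redacted: %s\n", n, buf);
    return 0;
}
```

The redactor keeps the option name and masks only the value, so the logged line still tells the administrator which hba entry failed without exposing the bind password or RADIUS shared secret. Because the caller supplies the output buffer, it can run inside an error path without allocating.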
