Re: BUG #10680: LDAP bind password leaks to log on failed authentication

From: Steven Siebert <smsiebe(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #10680: LDAP bind password leaks to log on failed authentication
Date: 2014-10-27 18:07:52
Message-ID: CAC3nzeje5hyBi7DMsXhx=kfHHW+kNvKONj7tsgoNuynOwM2Oug@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

Stephen,

Thanks for the response. I was actually about to write the patch after
having let the thread bake a bit =)

> This is why there is ongoing work to reduce the need for a superuser
> role, to make it possible to have an actual DBA role which is *not* a
> superuser but is still able to get their job done, while superuser would
> be reserved for system administrators.
>

Ah! That makes a lot of sense. Thanks for the context.

>
>
> We can simply have a new option for the radius auth method that is
> 'pwfile' or similar- there's no need for real variables.
>
>
Easy enough - I can do it this way...much cleaner.

> > 2) use pgadmin GUI or a new CLI command ('secphrase' or whatever) to
> > create a new encrypted phrase
>
> If you can demonstrate that this would actually be useful then perhaps
> it can be considered, but I don't see how this does anything for you-
> how would PG get the password to use with the radius server? You'd need
> a key somewhere for that which PG can read.
>
> That was really in the context of taking the approach of encrypting the
password...if it's a simple file...no biggie....don't really think this is
necessary.

> > 3) while printing the hba line, the raw line will contain the variable
> > string but when the actual secret is requested the encrypted value
> > will be retrieved
>
> Sure, we can print the hba line w/ this new option and not have the
> secret be leaked to the logfile, but store the actual password for use
> by the authentication method.
>

perfect!

>
> > Normally, storing anything in reversible encryption is really just the
> > same as storing it as clear text, but what I propose is to use the
> > same asymmetric keys used for secure SSL comms
> > (http://www.postgresql.org/docs/9.3/static/ssl-tcp.html)
>
> Ok- and then what? You encrypt it with a different key than you use for
> decryption, sure, but PG still has to know the decryption key to be able
> to actually use the secret.. Now, if you fix radius to not use a shared
> secret structure...
>

lol. well, the idea of piggybacking on the way SSL comms works is that
this has already been addressed - at the DBA makes the choice (based on
their requirements) if they want to have to type it in each time they
restart the service or put it in a file...I wouldn't be introducing a
foreign concept to postgres. Of course, it's moot...I'm more than happy a
patch based around your suggestions - and it'll meet our needs for the
STIGs.

I'll move forward with writing the patch now, I'm grateful for the
additional feedback.

Thanks!

S

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Stephen Frost 2014-10-27 20:18:05 Re: BUG #10680: LDAP bind password leaks to log on failed authentication
Previous Message Stephen Frost 2014-10-27 17:19:42 Re: BUG #10680: LDAP bind password leaks to log on failed authentication