Re: [HACKERS] Changing references of password encryption to hashing

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [HACKERS] Changing references of password encryption to hashing
Date: 2023-11-28 17:23:40
Message-ID: CAOuzzgqXw2vNNMHQWX-J2RkbmNdU782jo4B-cq+W_mFyDXa8sQ@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Greetings,

On Tue, Nov 28, 2023 at 20:19 Robert Haas <robertmhaas(at)gmail(dot)com> wrote:

> On Tue, Nov 28, 2023 at 10:16 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > We pass a completely cleartext password to the server from the client.
> > Yes, we might encrypt it on the way with TLS, but even SSH realized how
> > terrible that is long, long ago and strongly discourages it these days.
> >
> > The problem with ldap as an auth method is that a single compromised PG
> > server in an AD/ldap environment can collect up those username+password
> > credentials and gain access to those users *domain* level access. The
> > CFO logging into a PG server with LDAP auth is giving up their complete
> > access credentials to the entire AD domain. That's terrible.
>
> Good grief. I really think you need to reassess your approach to this
> whole area. It is massively unhelpful to be so prescriptive about what
> people are, or are not, allowed to be comfortable with from a security
> perspective. And it seems like you're so convinced that you're right
> that you're completely closed off to anyone else's input, so there's
> not even any point in arguing.

You asked what the issue is with our ldap auth method. I explained it
pretty clearly. Is there something incorrect about the issues I’ve pointed
out with ldap auth? You basically came back at me saying that I’m being
unhelpful for responding with what the issues are.

In the reality I inhabit, many people could *massively* improve their
> security by switching to LDAP from the really lame things that they're
> doing right now. They would be FAR better off. It would not even be
> close. I pretty much know that you aren't going to believe that and
> are going to offer reasons why it isn't and can't possibly be true, or
> else just say that those people are so hopeless that we shouldn't even
> care about them. All I can say is that you're worrying about security
> problems that are so minute as to be invisible compared to what I see.

I don’t know what they’re doing now, as you don’t say, and so I really
couldn’t say if ldap is better or worse for them. In some cases, sure,
perhaps ldap is better than … something else, but in 99% of cases, ldap is
being used because it seems simpler than setting up GSSAPI … but that’s a
lack of clearer documentation on our side on how to set up GSSAPI with AD
and PG, imv. I’ve tried to improve on that situation by explaining
clearly how to set up GSSAPI authentication with AD and then consistently
pointing people to that. I don’t put this out there as fiat without any
effort behind it, I’ve been working to move folks in the right direction,
I’ve put in that effort on the lists and continue to do so, feel free to
review the archives.

What I don’t understand is the argument for using ldap in an AD environment
instead of GSSAPI/sspi. Is there some reason you feel makes ldap better?
When there are two such options and one is clearly much more secure,
shouldn’t we push people to the more secure option… possibly even to the
exclusion and removal of the insecure option? Ditto below for md5 …

> I disagree- it's a known pass-the-hash vulnerability and frankly every
> > release we do with it still existing is deserving of an immediate CVE
> > (I've been asked off-list why we don't do this, in fact).
>
> I agree that the issues with MD5 are way worse than the ones with
> LDAP, but you're arguing here, as you did with exclusive backup mode,
> that the existence of options that are bad, or that you consider to be
> bad, is a problem even if nothing whatever compels people to use them.

I’m not impressed with the conflation of this discussion and that of
exclusive backup mode. I wasn’t the one who deprecated exclusive backup
mode, tho I did agree with that move, and the reason for removing it was as
much about the complications of documenting it as for the fact that it was
actively broken.

I think that is, to borrow a phrase from Tom, arrant nonsense. Sure,
> MD5 authentication has a pass-the-hash vulnerability, and that sucks.

So, given that we all agree with the CVE-worthy issue that exists with
every release where we include md5 auth, we should be applying for q CVE
prior to each release, no?

So let's say we remove it. Then presumably we should also remove
> password authentication, which has an even easier-to-exploit
> vulnerability, and trust, which is easier to exploit still. And
> presumably it would be right to do all of that even if SCRAM
> authentication had never been implemented, so then we'd have no
> support for any form of password authentication at all. And we'd
> remove LDAP, too, so the most obvious way of doing password
> authentication without putting the passwords in the database would
> also not exist any more. Maybe we should nuke a few more too --- is
> PAM any better than LDAP in this regard? Pretty soon you end up in a
> world where it's either impossible to log into the database at all, or
> everybody's got to use, I don't know, Kerberos and SSL certificates,
> or something.

This is jumping to places that just don’t exist and I don’t really
understand why.

I didn’t ask for md5 to be removed before we had SCRAM. I was here, I knew
about the issues with md5, but, no, I didn’t push for us to remove it, so
this argument that I’m being ridiculous to ask for it to be removed now
doesn’t hold any water.

We do have a much better solution now and therefore, after a number of
years of supporting both, it’s time to remove the CVE-worthy auth method.
Yes, password and PAM and trust have issues. We should consider removing
them. Why didn’t I list them? Because they don’t have alternatives
immediately available (scram in place of md5, GSSAPI in place of ldap). We
could make an argument for removing password given that we have scram and I
would be for that but it’s at least a bit better understood why it’s bad
out there- I don’t feel like folks generally realize the md5 issue that we
have because that was deprecated and removed or not implemented for most
other systems long, long ago. For trust … I’d be a lot happier if we only
enabled that in debug-enabled builds or when explicitly requested for a
build.

But what will happen in practice is that either users will just give
> up on PostgreSQL because it refuses to let them do what they want to
> do, or those SSL certificates will end up unencrypted in a
> world-writable file somewhere, or get emailed around to everyone in
> the group, or maybe checked into the application's git repository that
> is public to the whole company behind the firewall. There won't be a
> passphrase on the certificate, or it will be set to 'secret123', or
> whatever. The expiration date will be set to the furthest date in the
> future that the software supports, or the user won't realize they need
> to worry about that and the application will suddenly go down when the
> certificate expires.

When the goal is “authenticate to our AD environment”, asking users to go
through a different path, eg: GSSAPI, to get that has been generally
successful in my experience, both on our lists and with our direct clients.
So, no, in my experience it isn’t that people give up on PG or switch to
using client side certs that are just distributed around with weak
passwords. More frequently users are very happy to go with the better
solution and they just didn’t realize it was available to them.

I don’t mean to imply that it’s perfect though- there are clear things we
could do to improve the situation and if folks want to discuss that, I’m
all about it. I’m happy to even be told that we need xyz support before we
remove ldap as an auth method, that’s fine, I’ll work to make that happen,
but to claim that we should keep ldap support for ldap support’s usage in
an AD environment … sorry, but no. Even Microsoft tried at one point to
prevent people from using it that way- they had to back off that position
eventually in terms of the default, but good AD admins are aware of the
distinction and will push back against new systems being deployed with it.

You can't make people do the right thing by removing their options.
> You can only make them work a little harder to get around the security
> control that you tried to impose by fiat, and in the process, make
> them frustrated. I imagine that the reason you didn't suggest removing
> 'trust' is that you admit the existence of environments where it's
> safe enough -- someone working with a local PG on a loopback port on a
> single-user machine, maybe a connection from a certain IP where that
> IP and the DB are both behind a firewall, or a burner system that
> someone just literally doesn't care about. But the "safe enough"
> argument applies to everything else, too. It's the job of users to
> adequately secure their systems against external attack, and it's our
> job to help them, not to enforce our own views on them. It is
> absolutely fine to tell users, in a thoughtful and balanced way, what
> the advantages and disadvantages of different choices are. But
> removing their choices is high-handed and ineffective.

I didn’t suggest removing trust directly because there isn’t a directly
comparable already available better alternative. I do think it should be a
bit harder for folks to use because too often they don’t realize what
they’re doing when they enable it, but I appreciate that’s a different
issue.

To parallel it to a recent change- I view it like force_parallel_mode. It
was useful for debugging and testing and perhaps still is, but we should
make it clear that it’s really intended just for that.

If asking users to work just a bit harder means that we get a good chunk of
them over to GSSAPI and off of ldap … then that is a moving us into a
clearly better position.

I’ll even accept, as others have pushed at me, that maybe we should keep
ldap because some folks still use PG with just openldap (and no Kerberos
environment), but it’s been an awful long time since anyone has even tried
to broach that argument and that’s not what is going on here, afaict anyway.

(Replying from my phone and perhaps not as concise or clear as I could be,
sorry about that, but am traveling and otherwise there would be quite an
additional delay..)

Thanks!

Stephen

>

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tomas Vondra 2023-11-28 17:59:15 Re: Parallel CREATE INDEX for BRIN indexes
Previous Message Peter Geoghegan 2023-11-28 17:19:21 Re: Optimizing nbtree ScalarArrayOp execution, allowing multi-column ordered scans, skip scan