MIME-Version: 1.0
References: 
 <CAFOhELcrv+Rm0bBmXt1-c8NOpsaxinKi=QQTn491dbcUo2xjZA@mail.gmail.com>
 <CANxoLDf_X=dbuhgoyiHNDNEXJB+bMJCDWME5HyYwthbkR1eyKg@mail.gmail.com>
In-Reply-To: 
 <CANxoLDf_X=dbuhgoyiHNDNEXJB+bMJCDWME5HyYwthbkR1eyKg@mail.gmail.com>
From: Dave Page <dpage@pgadmin.org>
Date: Fri, 22 Apr 2022 09:31:36 +0100
Message-ID: 
 <CA+OCxow_44OfaR1Nq4WucPaR+9fdknu8wMQpN3MNT4SqRX5XGg@mail.gmail.com>
Subject: Re: [pgAdmin4][Patch]- Feature #7012 - disable master password
 requirement when using alternative auth source
To: Akshay Joshi <akshay.joshi@enterprisedb.com>
Cc: Khushboo Vashi <khushboo.vashi@enterprisedb.com>,
	pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000ab9cdb05dd3a0e6e"
Archived-At: 
 <https://www.postgresql.org/message-id/CA%2BOCxow_44OfaR1Nq4WucPaR%2B9fdknu8wMQpN3MNT4SqRX5XGg%40mail.gmail.com>
Precedence: bulk

--000000000000ab9cdb05dd3a0e6e
Content-Type: text/plain; charset="UTF-8"

Hi

On Mon, 11 Apr 2022 at 09:20, Akshay Joshi <akshay.joshi@enterprisedb.com>
wrote:

> Thanks, the patch applied.
>
> On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi <
> khushboo.vashi@enterprisedb.com> wrote:
>
>> Hi,
>>
>> Please find the attached patch to implement the feature #7012 - Disable
>> master password requirement when using alternative auth source
>>
>> When pgAdmin stores a connection password, it encrypts it using a key
>> that is formed either from the master password, or from the pgAdmin login
>> password for the user. In the case of auth methods such as OAuth, Kerberos
>> or Webserver, pgAdmin doesn't have access to anything long-lived to form
>> the encryption key from, hence it uses the master password. And if the
>> master is disabled, there is no way to store the connection password.
>>
>> To resolve this, we have added an option to config.py (which defaults to
>> None) for an alternate encryption key. pgAdmin would use this if a) the
>> master password is disabled AND b) there is no suitable key/password
>> available from the auth module for the user. If the option is set to
>> None, pgAdmin works as it does now.
>>
>
This change has just been brought to my attention through other work. I
think this is poorly thought out, and could easily be made much more secure
and flexible than the current design.

Instead of effectively hard-coding a master password, which is only
slightly more secure than not having one in the first place, we should
allow the user to specify the path to a script or program that will return
a key. In a security-conscious environment, the script might query a
centralised key management system to securely retrieve the key to use. If a
user really wants the less secure implementation that this current patch
offers, then a simple script as follows would offer that (but would not be
recommended):

====
#!/bin/sh

echo "my secret key"
====

We would probably also want to allow use of a placeholder in which the
username can be passed, e.g.

MASTER_ENCRYPTION_KEY_SCRIPT = '/path/to/get-key.sh %u'

-- 
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: https://www.enterprisedb.com

--000000000000ab9cdb05dd3a0e6e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi</div><br><div class=3D"gmail_quote"><div dir=3D"lt=
r" class=3D"gmail_attr">On Mon, 11 Apr 2022 at 09:20, Akshay Joshi &lt;<a h=
ref=3D"mailto:akshay.joshi@enterprisedb.com">akshay.joshi@enterprisedb.com<=
/a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-=
color:rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Thanks, the =
patch applied.</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" c=
lass=3D"gmail_attr">On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi &lt;<a =
href=3D"mailto:khushboo.vashi@enterprisedb.com" target=3D"_blank">khushboo.=
vashi@enterprisedb.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-s=
tyle:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir=3D=
"ltr"><font color=3D"#000000" face=3D"verdana, sans-serif">Hi,</font><div><=
font color=3D"#000000" face=3D"verdana, sans-serif"><br></font></div><div><=
font face=3D"verdana, sans-serif" color=3D"#000000">Please find the attache=
d patch to implement the feature #7012 - Disable master password requiremen=
t when using alternative auth source</font></div><div><p><font face=3D"verd=
ana, sans-serif" color=3D"#000000">When pgAdmin stores a connection passwor=
d, it encrypts it using a key that is formed either from the master passwor=
d, or from the pgAdmin login password for the user. In the case of auth met=
hods such as OAuth, Kerberos or Webserver, pgAdmin doesn&#39;t have access =
to anything long-lived to form the encryption key from, hence it uses the m=
aster password. And if the master is disabled, there is no way to store the=
 connection password.</font></p><p><font face=3D"verdana, sans-serif" color=
=3D"#000000">To resolve this, we have added an option to config.py (which d=
efaults to None) for an alternate encryption key. pgAdmin would use this if=
 a) the master password is disabled AND b) there is no suitable key/passwor=
d available from the auth module for the user.=C2=A0</font><span style=3D"c=
olor:rgb(0,0,0);font-family:verdana,sans-serif">If the option is set to Non=
e, pgAdmin works as it does now.=C2=A0</span></p></div></div></blockquote><=
/div></blockquote><div><br></div><div>This change has just been brought to =
my attention through other work. I think this is poorly thought out, and co=
uld easily be made much more secure and flexible than the current design.</=
div><div><br></div><div>Instead of effectively hard-coding a master passwor=
d, which is only slightly more secure than not having one in the first plac=
e, we should allow the user to specify the path to a script or program that=
 will return a key. In a security-conscious environment, the script might q=
uery a centralised key management system to securely retrieve the key to us=
e. If a user really wants the less secure implementation that this current =
patch offers, then a simple script as follows would offer that (but would n=
ot be recommended):</div><div><br></div><div>=3D=3D=3D=3D</div><div>#!/bin/=
sh</div><div><br></div><div>echo &quot;my secret key&quot;</div><div>=3D=3D=
=3D=3D</div><div><br></div><div>We would probably also want to allow use of=
 a placeholder in which the username can be passed, e.g.</div><div><br></di=
v><div>MASTER_ENCRYPTION_KEY_SCRIPT =3D &#39;/path/to/get-key.sh %u&#39;</d=
iv><div><br></div></div>-- <br><div dir=3D"ltr" class=3D"gmail_signature"><=
div dir=3D"ltr">Dave Page<br>Blog: <a href=3D"https://pgsnake.blogspot.com"=
 target=3D"_blank">https://pgsnake.blogspot.com</a><br>Twitter: @pgsnake<br=
><br>EDB: <a href=3D"https://www.enterprisedb.com" target=3D"_blank">https:=
//www.enterprisedb.com</a><br><br></div></div></div>

--000000000000ab9cdb05dd3a0e6e--