From: Dave Page
Date: Wed, 3 May 2023 14:41:51 +0100
Subject: Re: [pgAdmin4][Patch]- Feature #7012 - disable master password requirement when using alternative auth source
To: Yogesh Mahajan
Cc: Khushboo Vashi, Akshay Joshi, pgadmin-hackers, Aditya Toshniwal

On Wed, 3 May 2023 at 10:45, Yogesh Mahajan wrote:

> Hi Dave/Team,
>
> As per the new design, pgAdmin should add a config to specify a path for
> script/program to retrieve an encryption key & use it to encrypt the
> passwords.

Right.

> The script/program will be at an application level and not a user level.
> This feature will be applicable only in case of server mode as we are going
> to use OS level secret storage for the same in Desktop mode.

Yes. However, we can pass parameters to the hook. For example, we might do
something like:

MASTER_PASSWORD_HOOK = '/path/to/key_client.sh %U %E'

Where at runtime %U is replaced with the username and %E is replaced with
the user's email address.

Those are just examples of course - there may be other parameters that make
sense to make available.

> Thanks,
> Yogesh Mahajan
> EnterpriseDB
>
>
> On Fri, Apr 22, 2022 at 4:01 PM Aditya Toshniwal <aditya.toshniwal@enterprisedb.com> wrote:
>>
>> On Fri, Apr 22, 2022 at 3:57 PM Dave Page wrote:
>>>
>>> On Fri, 22 Apr 2022 at 11:16, Aditya Toshniwal <aditya.toshniwal@enterprisedb.com> wrote:
>>>>
>>>> On Fri, Apr 22, 2022 at 3:28 PM Dave Page wrote:
>>>>>
>>>>> On Fri, 22 Apr 2022 at 10:49, Aditya Toshniwal <aditya.toshniwal@enterprisedb.com> wrote:
>>>>>> Hi Dave,
>>>>>>
>>>>>> Generally, secure keys like API_KEYS and all are supposed to be set
>>>>>> in env and are read by the app. Similar is the alternative encryption key.
>>>>>> People can run their scripts to export those config vars.
>>>>>
>>>>> On the client side, yes. This is server side though. It's not uncommon
>>>>> on the server side to include hooks to allow key retrieval from external
>>>>> key management systems.
>>>>
>>>> Even on the server side. Like the AWS auth keys, or DB passwords. We
>>>> can include hooks, not against it. Just discussing.
>>>
>>> If you're using an AWS auth key on a server, then you're acting as a
>>> client for AWS - and DB passwords are a great example of why using a hook
>>> is a good thing; it's a very common request from users to have a secure way
>>> to retrieve credentials from an external service. Not to mention that a DB
>>> password is needed on the client side of a connection, not on the server
>>> side. On the server side, the database would query LDAP/Kerberos/whatever.
>>>
>>> A better example would be querying a key management service to unlock an
>>> encrypted disk or something like the service Bruce wrote for managing
>>> pgcrypto keys.
>>
>> Got it. Thanks.
>>
>>>>>> On Fri, Apr 22, 2022 at 2:38 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>>>>>>>
>>>>>>> On Fri, Apr 22, 2022 at 2:34 PM Dave Page wrote:
>>>>>>>>
>>>>>>>> On Fri, 22 Apr 2022 at 09:57, Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>>>>>>>>>
>>>>>>>>> On Fri, Apr 22, 2022 at 2:01 PM Dave Page wrote:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> On Mon, 11 Apr 2022 at 09:20, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
>>>>>>>>>>> Thanks, the patch applied.
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
>>>>>>>>>>>> Hi,
>>>>>>>>>>>>
>>>>>>>>>>>> Please find the attached patch to implement the feature #7012 -
>>>>>>>>>>>> Disable master password requirement when using alternative auth source
>>>>>>>>>>>>
>>>>>>>>>>>> When pgAdmin stores a connection password, it encrypts it using
>>>>>>>>>>>> a key that is formed either from the master password, or from the pgAdmin
>>>>>>>>>>>> login password for the user. In the case of auth methods such as OAuth,
>>>>>>>>>>>> Kerberos or Webserver, pgAdmin doesn't have access to anything long-lived
>>>>>>>>>>>> to form the encryption key from, hence it uses the master password. And if
>>>>>>>>>>>> the master is disabled, there is no way to store the connection password.
>>>>>>>>>>>>
>>>>>>>>>>>> To resolve this, we have added an option to config.py (which
>>>>>>>>>>>> defaults to None) for an alternate encryption key. pgAdmin would use this
>>>>>>>>>>>> if a) the master password is disabled AND b) there is no suitable
>>>>>>>>>>>> key/password available from the auth module for the user. If
>>>>>>>>>>>> the option is set to None, pgAdmin works as it does now.
>>>>>>>>>>
>>>>>>>>>> This change has just been brought to my attention through other
>>>>>>>>>> work. I think this is poorly thought out, and could easily be made much
>>>>>>>>>> more secure and flexible than the current design.
>>>>>>>>>>
>>>>>>>>>> Instead of effectively hard-coding a master password, which is
>>>>>>>>>> only slightly more secure than not having one in the first place, we should
>>>>>>>>>> allow the user to specify the path to a script or program that will return
>>>>>>>>>> a key. In a security-conscious environment, the script might query a
>>>>>>>>>> centralised key management system to securely retrieve the key to use. If a
>>>>>>>>>> user really wants the less secure implementation that this current patch
>>>>>>>>>> offers, then a simple script as follows would offer that (but would not be
>>>>>>>>>> recommended):
>>>>>>>>>>
>>>>>>>>>> ====
>>>>>>>>>> #!/bin/sh
>>>>>>>>>>
>>>>>>>>>> echo "my secret key"
>>>>>>>>>> ====
>>>>>>>>>>
>>>>>>>>>> We would probably also want to allow use of a placeholder in
>>>>>>>>>> which the username can be passed, e.g.
>>>>>>>>>>
>>>>>>>>>> MASTER_ENCRYPTION_KEY_SCRIPT = '/path/to/get-key.sh %u'
>>>>>>>>>>
>>>>>>>>> Sounds good to me.
>>>>>>>>> Does this mean we are going to remove the current implementation
>>>>>>>>> which offers a hard-coded master password?
>>>>>>>>>
>>>>>>>> Yes, I think that is the way to go. I don't want to add a config
>>>>>>>> parameter that doesn't seem like a good solution, and then remove it again
>>>>>>>> in the next release.
>>>>>>>
>>>>>>> Ok, In that case, we need to revert the patch and also need to
>>>>>>> update the RM #7012 regarding our proposal.
>>>>>>>
>>>>>>>> --
>>>>>>>> Dave Page
>>>>>>>> Blog: https://pgsnake.blogspot.com
>>>>>>>> Twitter: @pgsnake
>>>>>>>>
>>>>>>>> EDB: https://www.enterprisedb.com
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Aditya Toshniwal
>>>>>> pgAdmin Hacker | Software Architect | edbpostgres.com
>>>>>>
>>>>>> "Don't Complain about Heat, Plant a TREE"

--
Dave Page
VP, Chief Architect, Database Infrastructure
Blog: https://www.enterprisedb.com/dave-page
Twitter: @pgsnake
EDB: https://www.enterprisedb.com