MIME-Version: 1.0
References: 
 <CAFOhELcrv+Rm0bBmXt1-c8NOpsaxinKi=QQTn491dbcUo2xjZA@mail.gmail.com>
 <CANxoLDf_X=dbuhgoyiHNDNEXJB+bMJCDWME5HyYwthbkR1eyKg@mail.gmail.com>
 <CA+OCxow_44OfaR1Nq4WucPaR+9fdknu8wMQpN3MNT4SqRX5XGg@mail.gmail.com>
In-Reply-To: 
 <CA+OCxow_44OfaR1Nq4WucPaR+9fdknu8wMQpN3MNT4SqRX5XGg@mail.gmail.com>
From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Date: Fri, 22 Apr 2022 14:27:48 +0530
Message-ID: 
 <CAFOhELe-f4W-U1+bAhkEBBu2nRNBk6BzYqX9COPE3mi1cQzvJA@mail.gmail.com>
Subject: Re: [pgAdmin4][Patch]- Feature #7012 - disable master password
 requirement when using alternative auth source
To: Dave Page <dpage@pgadmin.org>
Cc: Akshay Joshi <akshay.joshi@enterprisedb.com>,
	pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000005943fe05dd3a6c50"
Archived-At: 
 <https://www.postgresql.org/message-id/CAFOhELe-f4W-U1%2BbAhkEBBu2nRNBk6BzYqX9COPE3mi1cQzvJA%40mail.gmail.com>
Precedence: bulk

--0000000000005943fe05dd3a6c50
Content-Type: text/plain; charset="UTF-8"

On Fri, Apr 22, 2022 at 2:01 PM Dave Page <dpage@pgadmin.org> wrote:

> Hi
>
> On Mon, 11 Apr 2022 at 09:20, Akshay Joshi <akshay.joshi@enterprisedb.com>
> wrote:
>
>> Thanks, the patch applied.
>>
>> On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi <
>> khushboo.vashi@enterprisedb.com> wrote:
>>
>>> Hi,
>>>
>>> Please find the attached patch to implement the feature #7012 - Disable
>>> master password requirement when using alternative auth source
>>>
>>> When pgAdmin stores a connection password, it encrypts it using a key
>>> that is formed either from the master password, or from the pgAdmin login
>>> password for the user. In the case of auth methods such as OAuth, Kerberos
>>> or Webserver, pgAdmin doesn't have access to anything long-lived to form
>>> the encryption key from, hence it uses the master password. And if the
>>> master is disabled, there is no way to store the connection password.
>>>
>>> To resolve this, we have added an option to config.py (which defaults to
>>> None) for an alternate encryption key. pgAdmin would use this if a) the
>>> master password is disabled AND b) there is no suitable key/password
>>> available from the auth module for the user. If the option is set to
>>> None, pgAdmin works as it does now.
>>>
>>
> This change has just been brought to my attention through other work. I
> think this is poorly thought out, and could easily be made much more secure
> and flexible than the current design.
>
> Instead of effectively hard-coding a master password, which is only
> slightly more secure than not having one in the first place, we should
> allow the user to specify the path to a script or program that will return
> a key. In a security-conscious environment, the script might query a
> centralised key management system to securely retrieve the key to use. If a
> user really wants the less secure implementation that this current patch
> offers, then a simple script as follows would offer that (but would not be
> recommended):
>
> ====
> #!/bin/sh
>
> echo "my secret key"
> ====
>
> We would probably also want to allow use of a placeholder in which the
> username can be passed, e.g.
>
> MASTER_ENCRYPTION_KEY_SCRIPT = '/path/to/get-key.sh %u'
>
> Sounds good to me.
Does this mean we are going to remove the current implementation which
offers a hard-coded master password?

> --
> Dave Page
> Blog: https://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EDB: https://www.enterprisedb.com
>
>

--0000000000005943fe05dd3a6c50
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Fri, Apr 22, 2022 at 2:01 PM Dave =
Page &lt;<a href=3D"mailto:dpage@pgadmin.org">dpage@pgadmin.org</a>&gt; wro=
te:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"=
ltr"><div>Hi</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"=
gmail_attr">On Mon, 11 Apr 2022 at 09:20, Akshay Joshi &lt;<a href=3D"mailt=
o:akshay.joshi@enterprisedb.com" target=3D"_blank">akshay.joshi@enterprised=
b.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:=
1ex"><div dir=3D"ltr"><div>Thanks, the patch applied.</div></div><br><div c=
lass=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon, Apr 11, =
2022 at 12:00 PM Khushboo Vashi &lt;<a href=3D"mailto:khushboo.vashi@enterp=
risedb.com" target=3D"_blank">khushboo.vashi@enterprisedb.com</a>&gt; wrote=
:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.=
8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"lt=
r"><font color=3D"#000000" face=3D"verdana, sans-serif">Hi,</font><div><fon=
t color=3D"#000000" face=3D"verdana, sans-serif"><br></font></div><div><fon=
t face=3D"verdana, sans-serif" color=3D"#000000">Please find the attached p=
atch to implement the feature #7012 - Disable master password requirement w=
hen using alternative auth source</font></div><div><p><font face=3D"verdana=
, sans-serif" color=3D"#000000">When pgAdmin stores a connection password, =
it encrypts it using a key that is formed either from the master password, =
or from the pgAdmin login password for the user. In the case of auth method=
s such as OAuth, Kerberos or Webserver, pgAdmin doesn&#39;t have access to =
anything long-lived to form the encryption key from, hence it uses the mast=
er password. And if the master is disabled, there is no way to store the co=
nnection password.</font></p><p><font face=3D"verdana, sans-serif" color=3D=
"#000000">To resolve this, we have added an option to config.py (which defa=
ults to None) for an alternate encryption key. pgAdmin would use this if a)=
 the master password is disabled AND b) there is no suitable key/password a=
vailable from the auth module for the user.=C2=A0</font><span style=3D"colo=
r:rgb(0,0,0);font-family:verdana,sans-serif">If the option is set to None, =
pgAdmin works as it does now.=C2=A0</span></p></div></div></blockquote></di=
v></blockquote><div><br></div><div>This change has just been brought to my =
attention through other work. I think this is poorly thought out, and could=
 easily be made much more secure and flexible than the current design.</div=
><div><br></div><div>Instead of effectively hard-coding a master password, =
which is only slightly more secure than not having one in the first place, =
we should allow the user to specify the path to a script or program that wi=
ll return a key. In a security-conscious environment, the script might quer=
y a centralised key management system to securely retrieve the key to use. =
If a user really wants the less secure implementation that this current pat=
ch offers, then a simple script as follows would offer that (but would not =
be recommended):</div><div><br></div><div>=3D=3D=3D=3D</div><div>#!/bin/sh<=
/div><div><br></div><div>echo &quot;my secret key&quot;</div><div>=3D=3D=3D=
=3D</div><div><br></div><div>We would probably also want to allow use of a =
placeholder in which the username can be passed, e.g.</div><div><br></div><=
div>MASTER_ENCRYPTION_KEY_SCRIPT =3D &#39;/path/to/get-key.sh %u&#39;</div>=
<div><br></div></div></div></blockquote><div>Sounds good to me.=C2=A0</div>=
<div>Does this mean we are going to remove the current implementation which=
 offers a hard-coded master password?</div><blockquote class=3D"gmail_quote=
" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);=
padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_quote"><div></div></=
div>-- <br><div dir=3D"ltr"><div dir=3D"ltr">Dave Page<br>Blog: <a href=3D"=
https://pgsnake.blogspot.com" target=3D"_blank">https://pgsnake.blogspot.co=
m</a><br>Twitter: @pgsnake<br><br>EDB: <a href=3D"https://www.enterprisedb.=
com" target=3D"_blank">https://www.enterprisedb.com</a><br><br></div></div>=
</div>
</blockquote></div></div>

--0000000000005943fe05dd3a6c50--