Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oaNxd-0005V3-0j for pgsql-hackers@arkaria.postgresql.org; Mon, 19 Sep 2022 21:05:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1oaNxa-0004OE-QY for pgsql-hackers@arkaria.postgresql.org; Mon, 19 Sep 2022 21:05:46 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oaNxa-0004O4-Eg for pgsql-hackers@lists.postgresql.org; Mon, 19 Sep 2022 21:05:46 +0000 Received: from mail-pf1-x432.google.com ([2607:f8b0:4864:20::432]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1oaNxW-00012p-UU for pgsql-hackers@lists.postgresql.org; Mon, 19 Sep 2022 21:05:45 +0000 Received: by mail-pf1-x432.google.com with SMTP id c198so759208pfc.13 for ; Mon, 19 Sep 2022 14:05:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date; bh=VYUD63F62KQN3KzbGGViOORkryUds6QcWjrqbAUpfJI=; b=CM4MjbamrZwBkQx7WpJjng9fthQLstqGIyzV5RPn1AaT/enE1Bi4FMfsQ+AXr6F27z GTKTAU92GONFy71E3p6HRMBzCJb8LRoCuN72HcIhHOnDHNi5XUe4E07O6EjBJMNOCvVU Xte4uhDh3miEu10VxqIFVR7IxGSG79BQyIWKuD53M/RipF6M8UUSSmo0m6+3AE8d1/0h fuIRy+75q9Of79lO4VlgCSt8I95r2N8F9nWUFaJzATcWdaR++zuGBGSD7bndS8UtZflz 8aJiw1jyYYn7NnoFJ9gGsQM5//yHBGx7o/oXHWGMnIYD28uNu9nQqsguLbdQ+puRPVt3 RdIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date; bh=VYUD63F62KQN3KzbGGViOORkryUds6QcWjrqbAUpfJI=; b=Jz+3BWSHTk4Mef5PgVGQHZyJceeXs+bLRjI4q2FlHGG5/hKuzTcjsTgjclzIFCMvvg ta32Ojulik/CimzH7P2AiUYK7AUH/BpE+5/Oiz42R1x7LQZnXyf1lwfb/99pLwXtqeUc fl3aCT/hg3FVmz9mTUsLDYxeSdwb5IDOZMAtOIBEBfIBc5IFElllktcmWuSwfaJRXyf+ YYkFR+QPchy5jQ+wIbuxdP1EuS80tJ5iwUF4AuDDD+YPFMm4RJhN+/ds+w+0JIGOh6H0 WeRIBkw05D1odNCBkBe/8N+aN2w2aNuLwevnPqCjCSnvLhk2P/+b8h7ON7RSSFQ2T1+O Z1Ew== X-Gm-Message-State: ACrzQf2wPkdOBplIXK9iSknTf9a8iPEHhDUMRLJHL34Re5mJFplGuVa+ kD3KIxbwnz6gyCNmGrUfoNSvgg== X-Google-Smtp-Source: AMsMyM5GUKdxUGX/mgIbY1okTMZMf+CFtwwdnr1qgQzUwgzVrCesS/utpx3oLzr1I2K2oTES+WxJxw== X-Received: by 2002:a05:6a00:1688:b0:53b:4239:7c5c with SMTP id k8-20020a056a00168800b0053b42397c5cmr20384891pfc.81.1663621540686; Mon, 19 Sep 2022 14:05:40 -0700 (PDT) Received: from [192.168.1.21] ([50.39.205.221]) by smtp.gmail.com with ESMTPSA id c16-20020a170903235000b00176dac464e5sm21403117plh.173.2022.09.19.14.05.39 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 19 Sep 2022 14:05:40 -0700 (PDT) Message-ID: <78ea2273-f370-5a78-903a-886511e2511c@timescale.com> Date: Mon, 19 Sep 2022 14:05:39 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: Kerberos delegation support in libpq and postgres_fdw Content-Language: en-US To: Stephen Frost Cc: pgsql-hackers , Magnus Hagander , Peter Eisentraut , Tom Lane , Robert Haas References: <19afb899-318d-c61f-2de4-0e7dcbf5e0fd@enterprisedb.com> <20220301012847.GQ10577@tamriel.snowman.net> <20220406192703.GY10577@tamriel.snowman.net> <20220408042126.GC10577@tamriel.snowman.net> <20220408122130.GD10577@tamriel.snowman.net> <23337c51-7a48-d5a8-569d-ef3ce6fe235f@timescale.com> From: Jacob Champion In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 9/19/22 10:05, Stephen Frost wrote: > This is coming across as if it's a surprise of some kind when it > certainly isn't.. If the delegated credentials are being used to > authenticate and establish the connection from that backend to another > system then, yes, naturally that means that the keys provided are coming > from the client and the client knows them. I think it may be surprising to end users that credential delegation lets them trivially break transport encryption. Like I said before, it was a surprise to me, because the cryptosystems I'm familiar with prevent that. If it wasn't surprising to you, I could really have used a heads up back when I asked you about it. > The idea of arranging to > have an admin's credentials used to authenticate to another system where > the backend is actually controlled by a non-admin user is, in fact, the > issue in what is being outlined above as that's clearly a situation > where the user's connection is being elevated to an admin level. Yes, controlled elevation is the goal in the scenario I'm describing. > That's > also something that we try to avoid having happen because it's not > really a good idea, which is why we require a password today for the > connection to be established (postgres_fdw/connection.c: > > Non-superuser cannot connect if the server does not request a password. A password is being used in this scenario. The password is the secret being stolen. The rest of your email describes a scenario different from what I'm attacking here. Here's my sample HBA line for the backend again: hostgssenc all all ... password I'm using password authentication with a Kerberos-encrypted channel. It's similar to protecting password authentication with TLS and a client cert: hostssl all all ... password clientcert=verify-* > Consider that, in general, the user could also simply directly connect > to the other system themselves No, because they don't have the password. They don't have USAGE on the foreign table, so they can't see the password in the USER MAPPING. With the new default introduced in this patch, they can now steal the password by delegating their credentials and cracking the transport encryption. This bypasses the protections that are documented for the pg_user_mappings view. > Consider SSH instead of PG. What you're pointing out, accurately, is > that if an admin were to install their keys into a user's .ssh directory > unencrypted and then the user logged into the system, they'd then be > able to SSH to another system with the admin's credentials and then > they'd need the admin's credentials to decrypt the traffic, but that if, > instead, the user brings their own credentials then they could > potentially decrypt the connection between the systems. Is that really > the issue here? No, it's not the issue here. This is more like setting up a restricted shell that provides limited access to a resource on another machine (analogous to the foreign table). The user SSHs into this restricted shell, and then invokes an admin-blessed command whose implementation uses some credentials (which they cannot read, analogous to the USER MAPPING) over an encrypted channel to access the backend resource. In this situation an admin would want to ensure that the encrypted tunnel couldn't be weakened by the client, so that they can't learn how to bypass the blessed command and connect to the backend directly. Unlike SSH, we've never supported credential delegation, and now we're introducing it. So my claim is, it's possible for someone who was previously in a secure situation to be broken by the new default. >> So the client can decrypt backend communications that make use of its >> delegated key material. (This also means that gssencmode is a lot >> weaker than I expected.) > > The backend wouldn't be able to establish the connection in the first > place without those delegated credentials. That's not true in the situation I'm describing; hopefully my comments above help clarify. > The server in the middle should *not* be using its own Kerberos > credentials to establish the connection to the other system- that's > elevating the credentials used for that connection and is something that > should be prevented for non-superusers already (see above). It's not prevented, because a password is being used. In my tests I'm connecting as an unprivileged user. You're claiming that the middlebox shouldn't be doing this. If this new default behavior were the historical behavior, then I would have agreed. But the cat's already out of the bag on that, right? It's safe today. And if it's not safe today for some other reason, please share why, and maybe I can work on a patch to try to prevent people from doing it. Thanks, --Jacob