Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oaKDy-0002mR-9m for pgsql-hackers@arkaria.postgresql.org; Mon, 19 Sep 2022 17:06:26 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1oaKDw-0004u4-Vx for pgsql-hackers@arkaria.postgresql.org; Mon, 19 Sep 2022 17:06:24 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oaKCy-00073x-V3 for pgsql-hackers@lists.postgresql.org; Mon, 19 Sep 2022 17:05:24 +0000 Received: from tamriel.snowman.net ([70.109.60.50]) by makus.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1oaKCr-0005vv-6W for pgsql-hackers@lists.postgresql.org; Mon, 19 Sep 2022 17:05:22 +0000 Received: by tamriel.snowman.net (Postfix, from userid 1000) id 3784F5F7B7; Mon, 19 Sep 2022 13:05:17 -0400 (EDT) Date: Mon, 19 Sep 2022 13:05:17 -0400 From: Stephen Frost To: Jacob Champion Cc: pgsql-hackers , Magnus Hagander , Peter Eisentraut , Tom Lane , Robert Haas Subject: Re: Kerberos delegation support in libpq and postgres_fdw Message-ID: References: <19afb899-318d-c61f-2de4-0e7dcbf5e0fd@enterprisedb.com> <20220301012847.GQ10577@tamriel.snowman.net> <20220406192703.GY10577@tamriel.snowman.net> <20220408042126.GC10577@tamriel.snowman.net> <20220408122130.GD10577@tamriel.snowman.net> <23337c51-7a48-d5a8-569d-ef3ce6fe235f@timescale.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="qqjQDz5zL5oLuNQI" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.1.4 (2021-12-11) List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --qqjQDz5zL5oLuNQI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Greetings, * Jacob Champion (jchampion@timescale.com) wrote: > On Thu, Jul 7, 2022 at 4:24 PM Jacob Champion w= rote: > > So my question is this: does substituting my credentials for the admin's > > credentials let me weaken or break the transport encryption on the > > backend connection, and grab the password that I'm not supposed to have > > access to as a front-end client? >=20 > With some further research: yes, it does. >=20 > If a DBA is using a GSS encrypted tunnel to communicate to a foreign > server, accepting delegation by default means that clients will be > able to break that backend encryption at will, because the keys in use > will be under their control. This is coming across as if it's a surprise of some kind when it certainly isn't.. If the delegated credentials are being used to authenticate and establish the connection from that backend to another system then, yes, naturally that means that the keys provided are coming =66rom the client and the client knows them. The idea of arranging to have an admin's credentials used to authenticate to another system where the backend is actually controlled by a non-admin user is, in fact, the issue in what is being outlined above as that's clearly a situation where the user's connection is being elevated to an admin level. That's also something that we try to avoid having happen because it's not really a good idea, which is why we require a password today for the connection to be established (postgres_fdw/connection.c: Non-superuser cannot connect if the server does not request a password. ). Consider that, in general, the user could also simply directly connect to the other system themselves instead of having a PG backend make that connection for them- the point in doing it from PG would be to avoid having to pass all the data back through the client's system. Consider SSH instead of PG. What you're pointing out, accurately, is that if an admin were to install their keys into a user's .ssh directory unencrypted and then the user logged into the system, they'd then be able to SSH to another system with the admin's credentials and then they'd need the admin's credentials to decrypt the traffic, but that if, instead, the user brings their own credentials then they could potentially decrypt the connection between the systems. Is that really the issue here? Doesn't seem like that's where the concern should be in this scenario. > > Maybe there's some ephemeral exchange going on that makes it too hard to > > attack in practice, or some other mitigations. >=20 > There is no forward secrecy, ephemeral exchange, etc. to mitigate this [1= ]: >=20 > The Kerberos protocol in its basic form does not provide perfect > forward secrecy for communications. If traffic has been recorded by > an eavesdropper, then messages encrypted using the KRB_PRIV message, > or messages encrypted using application-specific encryption under > keys exchanged using Kerberos can be decrypted if the user's, > application server's, or KDC's key is subsequently discovered. >=20 > So the client can decrypt backend communications that make use of its > delegated key material. (This also means that gssencmode is a lot > weaker than I expected.) The backend wouldn't be able to establish the connection in the first place without those delegated credentials. > > I'm trying to avoid writing Wireshark dissector > > code, but maybe that'd be useful either way... >=20 > I did end up filling out the existing PGSQL dissector so that it could > decrypt GSSAPI exchanges (with the use of a keytab, that is). If you'd > like to give it a try, the patch, based on Wireshark 3.7.1, is > attached. Note the GPLv2 license. It isn't correct code yet, because I > didn't understand how packet reassembly worked in Wireshark when I > started writing the code, so really large GSSAPI messages that are > split across multiple TCP packets will confuse the dissector. But it's > enough to prove the concept. >=20 > To see this in action, set up an FDW connection that uses gssencmode > (so the server in the middle will need its own Kerberos credentials). The server in the middle should *not* be using its own Kerberos credentials to establish the connection to the other system- that's elevating the credentials used for that connection and is something that should be prevented for non-superusers already (see above). We do allow that when a superuser is involved because they are considered to essentially have OS-level privileges and therefore could see those credentials anyway, but that's not the case for non-superusers. Thanks, Stephen --qqjQDz5zL5oLuNQI Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEwf6gbxKhD863zrx/7WyKOINHZFUFAmMooUYACgkQ7WyKOINH ZFXKzg//TOkyHBBdoBb0QeV00KpTOHt548PxfaN6yVMZg0rg2O7GYJIJAbKrQIP6 nThGNwzB2IOzEnR5faUMaic0tZFiEfO2GKqOD22A4uHNu1z7Mz2XlL20OVI1xL0U Vj4Tu5K8lz+tsnGj8MR3YUDZCDcl91MfrRoiasUm724dFYrNZi1ZoQQiGetU0wFY 8uP9gyQuOfHr9mlPIU8ykIPbFtLvE3lS5nsxoyOdvkUqzbwPStP+1hJcyoC4Y2T5 FmiQneRZ7IyUM6brcwYXowEjJ37XuQ7ehQeu0yWo+bWNKxInS+ye2Cf5wIAvZhyJ WvYSyHUeeYX98FY82RmzuM3J72JnlpFDU0iHTSdqFxT7t2zq6I1ASB1rFzHJapsr u6AhgmqKPxGKMULIyTynrOlc6njemS1BiW2UtkIxaC6QSAuT7WFjQfFkK/arO87y G4xtY6T4vNA1F2e7CcrYvwoFIBgavOSFFUaLY1mSSPg0pp9qacq4XvtRHwte4MHp DmSrnfUx654e6YYQOiwGGGNjgNbR0+6k2tYjxBcIwj4kwJm155rSDvsRF92uNuQZ ERRzLzAYGDXUyBkEDREng0FdyiEg1ZAEqCPmwcDPjvmwoXgMP1nmO7OhTtu/O4vO XOTWkNok/gsiAMHfrU18wSx5g6H60zSwx39gHB9KcyB6tMlCMTc= =HDp3 -----END PGP SIGNATURE----- --qqjQDz5zL5oLuNQI--