Hi On Mon, 11 Apr 2022 at 09:20, Akshay Joshi <akshay.jo...@enterprisedb.com> wrote:
> Thanks, the patch applied. > > On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi < > khushboo.va...@enterprisedb.com> wrote: > >> Hi, >> >> Please find the attached patch to implement the feature #7012 - Disable >> master password requirement when using alternative auth source >> >> When pgAdmin stores a connection password, it encrypts it using a key >> that is formed either from the master password, or from the pgAdmin login >> password for the user. In the case of auth methods such as OAuth, Kerberos >> or Webserver, pgAdmin doesn't have access to anything long-lived to form >> the encryption key from, hence it uses the master password. And if the >> master is disabled, there is no way to store the connection password. >> >> To resolve this, we have added an option to config.py (which defaults to >> None) for an alternate encryption key. pgAdmin would use this if a) the >> master password is disabled AND b) there is no suitable key/password >> available from the auth module for the user. If the option is set to >> None, pgAdmin works as it does now. >> > This change has just been brought to my attention through other work. I think this is poorly thought out, and could easily be made much more secure and flexible than the current design. Instead of effectively hard-coding a master password, which is only slightly more secure than not having one in the first place, we should allow the user to specify the path to a script or program that will return a key. In a security-conscious environment, the script might query a centralised key management system to securely retrieve the key to use. If a user really wants the less secure implementation that this current patch offers, then a simple script as follows would offer that (but would not be recommended): ==== #!/bin/sh echo "my secret key" ==== We would probably also want to allow use of a placeholder in which the username can be passed, e.g. MASTER_ENCRYPTION_KEY_SCRIPT = '/path/to/get-key.sh %u' -- Dave Page Blog: https://pgsnake.blogspot.com Twitter: @pgsnake EDB: https://www.enterprisedb.com
