Re: BUG #16079: Question Regarding the BUG #16064

Greetings,

* Thomas Munro (thomas(dot)munro(at)gmail(dot)com) wrote:
> On Tue, Oct 29, 2019 at 4:48 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > Uh, the user's credentials certainly are sent to the PG server.
>
> Perhaps we should log a warning when PostgreSQL has received a
> password over the network without SSL. Perhaps we should log another
> warning when PostgreSQL has sent a password over the network without
> SSL.

I like the idea of having these warnings, I don't like the idea of
limiting it to when SSL is or isn't being used.

> > users password is: hello
>
> The fact that you can steal the password from PostgreSQL's memory
> seems like a next level problem to me, but the fact that it's easy to
> configure PostgreSQL in a way that sends cleartext passwords over the
> network a couple of times seems to be a bigger problem to me.

Both are issues and clearly users are confused when they use an
enterprise authentication system (eg: Active Directory) and configure PG
to use it ("ldap") and expect us to do things intelligently like other
similar products do (SQL Server).

Is it our fault that they don't realize that they aren't configuring PG
properly in an AD environment when they use the LDAP auth method? Maybe
not *technically*, but we sure don't make it very clear that the LDAP
auth method is *not* the same as what they get with something like a
SQL Server instance and that it's an poor way of doing authentication
when you're in an Active Directory environment.

> Here's a demonstration. I run make -C src/test/ldap check, just to
> get a working slapd setup, and then I start it like so:
>
> /usr/local/libexec/slapd -f slapd.conf -h ldap://localhost:8888
>
> I put this into my pg_hba.conf:
>
> host postgres test1 127.0.0.1/32 ldap
> ldapurl="ldap://localhost:8888/dc=example,dc=net?uid?sub"
>
> I trace my postmaster + children with truss -p PID -s 1024 -f, and
> then I try to log in with psql -h localhost -p 8888 postgres test1,
> and give the password "foobar". Here is my password, which travelled
> over the network in cleartext twice (into PostgreSQL, and then out to
> slapd):
>
> 38412: accept(6,{ AF_INET 127.0.0.1:12891 },0x801d07118) = 9 (0x9)
> ...
> 38412: fork() = 38459 (0x963b)
> ...
> 38459: recvfrom(9,"p\0\0\0\vfoobar\0",8192,0,NULL,0x0) = 12 (0xc)
> ...
> 38459: connect(4,{ AF_INET 127.0.0.1:8888 },16) = 0 (0x0)
> 38459: write(4,"0-\^B\^A\^A`(\^B\^A\^C\^D\^[uid=test1,dc=example,dc=net\M^(at)\^Ffoobar",47)
> = 47 (0x2f)

Yes, this is indeed also terrible, heh.

Thanks,

Stephen