| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | pgsql-hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com> |
| Subject: | Re: Kerberos delegation support in libpq and postgres_fdw |
| Date: | 2022-09-16 00:06:05 |
| Message-ID: | CAAWbhmjwUC4kHb+yvJiTi4XQOKEqbOujErXXOx_phC9c8qN7pQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Jul 7, 2022 at 4:24 PM Jacob Champion <jchampion(at)timescale(dot)com> wrote:
> So my question is this: does substituting my credentials for the admin's
> credentials let me weaken or break the transport encryption on the
> backend connection, and grab the password that I'm not supposed to have
> access to as a front-end client?
With some further research: yes, it does.
If a DBA is using a GSS encrypted tunnel to communicate to a foreign
server, accepting delegation by default means that clients will be
able to break that backend encryption at will, because the keys in use
will be under their control.
> Maybe there's some ephemeral exchange going on that makes it too hard to
> attack in practice, or some other mitigations.
There is no forward secrecy, ephemeral exchange, etc. to mitigate this [1]:
The Kerberos protocol in its basic form does not provide perfect
forward secrecy for communications. If traffic has been recorded by
an eavesdropper, then messages encrypted using the KRB_PRIV message,
or messages encrypted using application-specific encryption under
keys exchanged using Kerberos can be decrypted if the user's,
application server's, or KDC's key is subsequently discovered.
So the client can decrypt backend communications that make use of its
delegated key material. (This also means that gssencmode is a lot
weaker than I expected.)
> I'm trying to avoid writing Wireshark dissector
> code, but maybe that'd be useful either way...
I did end up filling out the existing PGSQL dissector so that it could
decrypt GSSAPI exchanges (with the use of a keytab, that is). If you'd
like to give it a try, the patch, based on Wireshark 3.7.1, is
attached. Note the GPLv2 license. It isn't correct code yet, because I
didn't understand how packet reassembly worked in Wireshark when I
started writing the code, so really large GSSAPI messages that are
split across multiple TCP packets will confuse the dissector. But it's
enough to prove the concept.
To see this in action, set up an FDW connection that uses gssencmode
(so the server in the middle will need its own Kerberos credentials).
Capture traffic starting from the kinit through the query on the
foreign table. Export the client's key material into a keytab, and set
up Wireshark to use that keytab for decryption. When credential
forwarding is *not* in use, Wireshark will be able to decrypt the
initial client connection, but it won't be able to see anything inside
the foreign server connection. When credential forwarding is in use,
Wireshark will be able to decrypt both connections.
Thanks,
--Jacob
| Attachment | Content-Type | Size |
|---|---|---|
| GPLv2-Wireshark3.7.1-pgsql-decrypt-GSS.patch.txt | text/plain | 10.5 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Thomas Munro | 2022-09-16 00:10:05 | Re: A question about wording in messages |
| Previous Message | Michael Paquier | 2022-09-16 00:05:46 | Re: Assertion failure in WaitForWALToBecomeAvailable state machine |