Re: SCRAM pass-through authentication for postgres_fdw
Matheus Alcantara <matheusssilv97@gmail.com>
From: Matheus Alcantara <matheusssilv97@gmail.com>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: PostgreSQL Hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-12-09T17:59:13Z
Lists: pgsql-hackers
Attachments
- v2-0001-postgres_fdw-SCRAM-authentication-pass-through.patch (text/plain) patch v2-0001
Thanks for the comments! On 04/12/24 19:11, Jacob Champion wrote: >> This is achieved by storing the SCRAM ClientKey and ServerKey obtained >> during client authentication with the backend. These keys are then >> used to complete the SCRAM exchange between the backend and the fdw >> server, eliminating the need to derive them from a stored plain-text >> password. > What are the assumptions that have to be made for pass-through SCRAM > to succeed? Is it just "the two servers have identical verifiers for > the user," or are there others? Yes, from the tests that I've performed I would say that this is the only requirement. > It looks like the patch is using the following property [1]: > > If an attacker obtains the authentication information from the > authentication repository and either eavesdrops on one authentication > exchange or impersonates a server, the attacker gains the ability to > impersonate that user to all servers providing SCRAM access using the > same hash function, password, iteration count, and salt. For this > reason, it is important to use randomly generated salt values. > > It makes me a little uneasy to give users a reason to copy identical > salts/verifiers around... But for e.g. a loopback connection, it seems > like there'd be no additional risk. Is that the target use case? I think that both can be use cases. In case of using with different servers it can be another option over the plain-text password approach. I'm attaching a v2 patch with a TAP test that validate the both use cases. For connections with different servers an ALTER ROLE <role> PASSWORD <encrypted_password> is required, so that both servers have identical verifiers. >> - pg_hmac_ctx *ctx = pg_hmac_create(state->hash_type); >> + pg_hmac_ctx *ctx = pg_hmac_create(PG_SHA256); > > Why was that change made? Not needed, sorry. Fixed on v2 -- Matheus Alcantara EDB: https://www.enterprisedb.com
Commits
-
postgres_fdw and dblink should check if backend has MyProcPort
- 762fed90bfee 18.0 landed
- 138750dde4a8 19 (unreleased) landed
-
postgres_fdw: SCRAM authentication pass-through
- 761c79508e7f 18.0 landed