Re: BUG #16106: Patch - Radius secrets always gets lowercased
Magnus Hagander <magnus@hagander.net>
From: Magnus Hagander <magnus@hagander.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Marcos David <mdavid@palantir.com>, "pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>
Date: 2019-11-12T16:45:13Z
Lists: pgsql-bugs
On Tue, Nov 12, 2019 at 10:33 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: > Marcos David <mdavid@palantir.com> writes: > > On 11/11/2019, 20:24, "Tom Lane" <tgl@sss.pgh.pa.us> wrote: > >> I'm hesitant to back-patch a change like this, because in theory > >> it could change a working configuration into a non-working one. > >> But it'd be sensible to do in HEAD. > > > We only noticed this because we were upgrading from 9.6 and it seems > this bug was introduced in 10 in this commit: > > > https://github.com/postgres/postgres/commit/6b76f1bb58f53aec25cfec76391270ea36ad1170 > > Oh! Hm, if it can be painted as a regression, that changes the calculus > a bit. In that case I'd be inclined to go ahead and back-patch. > Ugh. Yeah. > I don't think patch would break anything in current configs since the > secret would currently need to be lowercased anyway for the radius auth to > work. > > The case I was imagining was where the secret was entered in the PG > configuration with some uppercase letters, but the server actually > expects lowercase, so the forced lowercasing makes it work. I admit > that's a bit of a stretch, but if it had always worked like that > then it's at least possible someone was relying on the behavior. > But if we changed the behavior from correct to less correct, that's > another story. > I agree that this is definitely a risk, and probably something that happens. But one can't really argue that the current behaviour isn't a bug, since the lowercasing certainly isn't documented. I bet a lot of people just use autogenerated lowercase passwords though, which is why we don't hear much about it. Or randomness passed through a hash function turned into a hex-string. BTW, it looks to me like it should work to double-quote the > secret, although doing so is really tedious because there is an > additional layer of double-quoting required by the pg_hba syntax: > > host ... radiussecrets="""ServerSecret"",""OtherServersSecret""" > > However, while you can defeat the downcasing that way, you can't > bypass the truncation to NAMEDATALEN. So it's arguably broken > even if this point had been documented, which it was not, > at least not in any adequate way (the reference to quoting in > the docs is mighty unclear to my eyes, and for sure it doesn't > give a working example). > I believe the RADIUS standard doesn't actually specify the length of the key, so different implementations have different limits. For example freeradius has 48 characters, cisco has 63. *silent* truncation is not great of course... -- Magnus Hagander Me: https://www.hagander.net/ <http://www.hagander.net/> Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
Commits
-
Avoid using SplitIdentifierString to parse ListenAddresses, too.
- 7bf40ea0d028 13.0 landed
-
Avoid downcasing/truncation of RADIUS authentication parameters.
- d9802590a1b3 12.2 landed
- d66e68207e99 11.7 landed
- 7618eaf5f315 13.0 landed
- 4be69e2ea14d 10.12 landed
-
Support multiple RADIUS servers
- 6b76f1bb58f5 10.0 cited