Re: [pgAdmin4][Patch]- Feature #7012 - disable master password requirement when using alternative auth source

On Fri, Apr 22, 2022 at 2:01 PM Dave Page <dpage@pgadmin.org> wrote:

Hi

On Mon, 11 Apr 2022 at 09:20, Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:

Thanks, the patch applied.

On Mon, Apr 11, 2022 at 12:00 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

Hi,

Please find the attached patch to implement the feature #7012 - Disable master password requirement when using alternative auth source

When pgAdmin stores a connection password, it encrypts it using a key that is formed either from the master password, or from the pgAdmin login password for the user. In the case of auth methods such as OAuth, Kerberos or Webserver, pgAdmin doesn't have access to anything long-lived to form the encryption key from, hence it uses the master password. And if the master is disabled, there is no way to store the connection password.

To resolve this, we have added an option to config.py (which defaults to None) for an alternate encryption key. pgAdmin would use this if a) the master password is disabled AND b) there is no suitable key/password available from the auth module for the user. If the option is set to None, pgAdmin works as it does now. 

This change has just been brought to my attention through other work. I think this is poorly thought out, and could easily be made much more secure and flexible than the current design.

Instead of effectively hard-coding a master password, which is only slightly more secure than not having one in the first place, we should allow the user to specify the path to a script or program that will return a key. In a security-conscious environment, the script might query a centralised key management system to securely retrieve the key to use. If a user really wants the less secure implementation that this current patch offers, then a simple script as follows would offer that (but would not be recommended):

====

#!/bin/sh

echo "my secret key"

====

We would probably also want to allow use of a placeholder in which the username can be passed, e.g.

MASTER_ENCRYPTION_KEY_SCRIPT = '/path/to/get-key.sh %u'

Sounds good to me. 

Does this mean we are going to remove the current implementation which offers a hard-coded master password?