Re: BUG #10680: LDAP bind password leaks to log on failed authentication

Steven,

* Steven Siebert (smsiebe@gmail.com) wrote:
> > If you don't want the server to see the user's password, don't use LDAP
> > authentication.  A much better approach is Kerberos or client-side SSL
> > certificates.
>=20
> Sadly, all other authentication options will not work for us.
>=20
> I'm not seeing the user password in the log, I'm seeing the bind
> password (ldapbindpasswd) that in the pg_hba.conf file.  There is a
> line in auth.c that, on every failed attempt, prints the full (raw)
> configuration line to the log at all log levels.  So, this isn't just
> a problem with LDAP (with ldapbindpasswd) but also the RADIUS method
> (radiussecret).

Ah, ok.  Kerberos and SSL certs aren't immune to that problem, though
the secrets don't ever end up in the logs- but they still must be
visible to the server process in order.  Of course, if you already
have access to the server process, there shouldn't be much to gain
=66rom the Kerberos secret, the RADIUS secret, the SSL private key, or
the LDAP bind password..

> I've submitted a patch and we're discussing the problem further on the
> pgsql-hackers distro.  Really, I think it all comes down to finding
> the right balance of security and convenience of the administrator.
> I'm hopeful we'll come up with the right answer soon and I can submit
> a new patch.

Oh, yeah, I saw that discussion but hadn't quite put it together with
this bug report (somehow I saw the bug report after the hackers
discussion...).

    Thanks,

        Stephen