Re: Kerberos delegation support in libpq and postgres_fdw
| От | Jacob Champion |
|---|---|
| Тема | Re: Kerberos delegation support in libpq and postgres_fdw |
| Дата | |
| Msg-id | CAAWbhmjwUC4kHb+yvJiTi4XQOKEqbOujErXXOx_phC9c8qN7pQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Kerberos delegation support in libpq and postgres_fdw (Jacob Champion <jchampion@timescale.com>) |
| Ответы |
Re: Kerberos delegation support in libpq and postgres_fdw
|
| Список | pgsql-hackers |
On Thu, Jul 7, 2022 at 4:24 PM Jacob Champion <jchampion@timescale.com> wrote: > So my question is this: does substituting my credentials for the admin's > credentials let me weaken or break the transport encryption on the > backend connection, and grab the password that I'm not supposed to have > access to as a front-end client? With some further research: yes, it does. If a DBA is using a GSS encrypted tunnel to communicate to a foreign server, accepting delegation by default means that clients will be able to break that backend encryption at will, because the keys in use will be under their control. > Maybe there's some ephemeral exchange going on that makes it too hard to > attack in practice, or some other mitigations. There is no forward secrecy, ephemeral exchange, etc. to mitigate this [1]: The Kerberos protocol in its basic form does not provide perfect forward secrecy for communications. If traffic has been recorded by an eavesdropper, then messages encrypted using the KRB_PRIV message, or messages encrypted using application-specific encryption under keys exchanged using Kerberos can be decrypted if the user's, application server's, or KDC's key is subsequently discovered. So the client can decrypt backend communications that make use of its delegated key material. (This also means that gssencmode is a lot weaker than I expected.) > I'm trying to avoid writing Wireshark dissector > code, but maybe that'd be useful either way... I did end up filling out the existing PGSQL dissector so that it could decrypt GSSAPI exchanges (with the use of a keytab, that is). If you'd like to give it a try, the patch, based on Wireshark 3.7.1, is attached. Note the GPLv2 license. It isn't correct code yet, because I didn't understand how packet reassembly worked in Wireshark when I started writing the code, so really large GSSAPI messages that are split across multiple TCP packets will confuse the dissector. But it's enough to prove the concept. To see this in action, set up an FDW connection that uses gssencmode (so the server in the middle will need its own Kerberos credentials). Capture traffic starting from the kinit through the query on the foreign table. Export the client's key material into a keytab, and set up Wireshark to use that keytab for decryption. When credential forwarding is *not* in use, Wireshark will be able to decrypt the initial client connection, but it won't be able to see anything inside the foreign server connection. When credential forwarding is in use, Wireshark will be able to decrypt both connections. Thanks, --Jacob [1] https://www.rfc-editor.org/rfc/rfc4120
Вложения
В списке pgsql-hackers по дате отправления: