diff --git a/docs/en_US/alternate_encryption_key.rst b/docs/en_US/alternate_encryption_key.rst new file mode 100644 index 000000000..4bc470a34 --- /dev/null +++ b/docs/en_US/alternate_encryption_key.rst @@ -0,0 +1,33 @@ +.. _alternate_encryption_key: + +********************************** +`Alternate Encryption Key`:index: +********************************** + +pgAdmin would use the alternate encryption key to secure and later unlock the saved server +passwords if the master password is disabled AND there is NO suitable key/password available +from the authentication module for the user in server mode. + +When pgAdmin stores a connection password, +it encrypts it using a key that is formed either from the master password, or +from the pgAdmin login password for the user. In the case of authentication methods +such as OAuth, Kerberos or Webserver, pgAdmin doesn't have access to anything long-lived to +form the encryption key from, hence it uses the master password and if master password +is disabled pgAdmin would use the alternate encryption key, if it is set. + + +.. note:: You can set the alternate encryption key by setting the configuration + parameter *ALTERNATE_ENCRYPTION_KEY=*. + See :ref:`config_py` for more information on configuration parameters and how + they can be changed or enforced across an organisation. + +.. note:: If the master password and the alternate encryption key is disabled, + then all the saved passwords will be removed. + + +.. warning:: By setting this option, you should be fully aware of the potential security + risk of using the same encryption key for multiple users, that may be accessible to + sysadmins who would not normally be able to use pgAdmin. + + It is **not recommended** that you use the alternate encryption key instead of master password + if you use the *Save Password* option. diff --git a/docs/en_US/connecting.rst b/docs/en_US/connecting.rst index 8d1a3e4cf..df1874c37 100644 --- a/docs/en_US/connecting.rst +++ b/docs/en_US/connecting.rst @@ -38,6 +38,13 @@ It is set by the user and can be disabled using config. master_password +The Alternate Encryption Key is used to secure and later unlock saved server passwords. +It is **not recommended** to use the alternate encryption key. + +.. toctree:: + + alternate_encryption_key + After defining a server connection, right-click on the server name, and select *Connect to server* to authenticate with the server, and start using pgAdmin to manage objects that reside on the server. diff --git a/docs/en_US/master_password.rst b/docs/en_US/master_password.rst index ced1c7eb5..48edfdf49 100644 --- a/docs/en_US/master_password.rst +++ b/docs/en_US/master_password.rst @@ -5,7 +5,9 @@ ************************ A master password is required to secure and later unlock the saved server -passwords. This is applicable only for desktop mode users. +passwords. This is applicable for desktop mode users and for the auth methods +such as OAuth, Kerberos or Webserver where pgAdmin doesn't have access to anything +long-lived to form the encryption key. * You are prompted to enter the master password when you open the window for the first time after starting the application. @@ -23,15 +25,15 @@ passwords. This is applicable only for desktop mode users. See :ref:`config_py` for more information on configuration parameters and how they can be changed or enforced across an organisation. -.. note:: If the master password is disabled, then all the saved passwords will - be removed. +.. note:: If the master password and :ref:`alternate_encryption_key` is disabled, + then all the saved passwords will be removed. .. warning:: If the master password is disabled, then the saved passwords will - be encrypted using a key which is derived from information within the - configuration database. Use of a master password ensures that the encryption - key does not need to be stored anywhere, and thus prevents possible access - to server credentials if the configuration database becomes available to an - attacker. + be encrypted using the :ref:`alternate_encryption_key` or a key which is derived + from information within the configuration database. Use of a master password + ensures that the encryption key does not need to be stored anywhere, and thus + prevents possible access to server credentials if the configuration database + becomes available to an attacker. It is **strongly** recommended that you use the master password if you use the *Save Password* option. diff --git a/web/config.py b/web/config.py index f8733fe0a..14e3b3ec0 100644 --- a/web/config.py +++ b/web/config.py @@ -553,6 +553,27 @@ ALLOW_SAVE_TUNNEL_PASSWORD = False ########################################################################## MASTER_PASSWORD_REQUIRED = True +########################################################################## +# When pgAdmin stores a connection password, +# it encrypts it using a key that is formed either from the master password, or +# from the pgAdmin login password for the user. +# +# In the case of auth methods such as OAuth or Kerberos, pgAdmin +# doesn't have access to anything long-lived to form the encryption key from, +# hence it uses the master password. + +# So, pgAdmin would use this alternate encryption key if +# a) the master password is disabled +# AND +# b) there is NO suitable key/pass available from the auth module for the user. + +# By setting this option, you should fully aware of the potential security +# risk of using the same encryption key for multiple users, +# that may be accessible to sysadmins who would not normally +# be able to use pgAdmin. +########################################################################## +ALTERNATE_ENCRYPTION_KEY = None + ########################################################################## # Allows pgAdmin4 to create session cookies based on IP address, so even # if a cookie is stolen, the attacker will not be able to connect to the diff --git a/web/pgadmin/browser/__init__.py b/web/pgadmin/browser/__init__.py index 4a7e18eb0..4525206ee 100644 --- a/web/pgadmin/browser/__init__.py +++ b/web/pgadmin/browser/__init__.py @@ -750,7 +750,8 @@ def index(): auth_source = session['auth_source_manager'][ 'source_friendly_name'] - if not config.MASTER_PASSWORD_REQUIRED and 'pass_enc_key' in session: + if not config.MASTER_PASSWORD_REQUIRED and 'pass_enc_key' in session\ + and not config.ALTERNATE_ENCRYPTION_KEY: session['allow_save_password'] = False response = Response(render_template( diff --git a/web/pgadmin/utils/master_password.py b/web/pgadmin/utils/master_password.py index 27db924cf..ba00963a7 100644 --- a/web/pgadmin/utils/master_password.py +++ b/web/pgadmin/utils/master_password.py @@ -33,6 +33,9 @@ def get_crypt_key(): elif config.MASTER_PASSWORD_REQUIRED \ and enc_key is None: return False, None + elif not config.MASTER_PASSWORD_REQUIRED and config.SERVER_MODE and \ + config.ALTERNATE_ENCRYPTION_KEY: + return True, config.ALTERNATE_ENCRYPTION_KEY elif not config.MASTER_PASSWORD_REQUIRED and config.SERVER_MODE and \ 'pass_enc_key' in session: return True, session['pass_enc_key']