-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PostgreSQL plugin creates roles with password in clear text #6910
Comments
agreed, I have the same problem. When logs format == ddl - all passwords stored cleartext in log. |
Think we would need lib/pq#941 (or an equivalent from another library) to implement this. |
@rafaelremondes, @evkuzin, @ncabatoff: The lib/pq has SCRAM-SHA-256 support since a moment: And you can see this PR here: |
There's been a change to pgx from
I'm curious if this is an issue still or relevant? @rafaelremondes can you kindly confirm if you've retested since? PS - @Neustradamus @evkuzin - any input from you folks on a retest would be welcome too. |
Hey folks, there's a fix for this in #19616 and should be released as a part of Vault 1.14.
With the password_authentication set to scram-sha-256, passwords created by Vault will first hashed before sending them to PostgreSQL, which will store the hashed password as-is, preventing plaintext passwords from leaking in the logs. |
Hello
I am using the PostgreSQL plugin to create temporary credentials. The creation statement allows to set a password for the role newly created. However, in PostgreSQL, when creating a ROLE with password it is showed in clear test in logs.
Documentation in Postgres suggests that is possible to pass an hash using md5 or other function instead of clear text password.
https://www.postgresql.org/docs/current/sql-createrole.html
So, could Vault store an hashed password instead of one in clear text?
Disabling the logs for the db user Vault uses to create the role would work but it would not be ideal as we would miss logs that might be important for debugging or auditing.
Thanks
The text was updated successfully, but these errors were encountered: