----- Original Message -----

From: "Liran Zelkha" <liran.zelkha@gmail.com> To: "Eli Mesika" <emesika@redhat.com> Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org> Sent: Wednesday, May 1, 2013 8:34:18 AM Subject: Re: [Engine-devel] Dropping encryption of database password

Why not do use the same technology like JBoss DataSource password encryption? http://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Encrypting_...

As I wrote: 1. Out project is not java specific, we need to access the database in other tools as well, example: python. 2. Reversible encryption is a total void, what benefit is there to encrypt password which can be decrypted by anyone? 3. We currently store the same password at two files, one which is .pgpass as plain text and another is at the service configuration which is encrypted, what is the benefit in this duplication? Thanks! Alon

On Wed, May 1, 2013 at 3:45 AM, Eli Mesika <emesika@redhat.com> wrote:

...

----- Original Message -----

...

From: "Alon Bar-Lev" <alonbl@redhat.com> To: "engine-devel" <engine-devel@ovirt.org> Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, "Eli Mesika" < emesika@redhat.com>, "Juan Hernandez" <jhernand@redhat.com> Sent: Tuesday, April 30, 2013 10:41:20 PM Subject: Dropping encryption of database password

Hello,

Currently we store database password encrypted using org.picketbox.datasource.security.SecureIdentityLoginModule.

This is reverse encryption with common knowledge shared secret.

Using encryption with common knowledge shared secret is close to void protection.

So far we also stored the password as plain text at /etc/ovirt-engine/.pgpass, this is going to be removed as no component actually uses the .pgpass, however we do need to store non-java specific password in for utilities.

In master (aiming to 3.3), we store the database connection details in own file /etc/ovirt-engine/engine.conf.d/50-setup-database.conf owned by ovirt user and not world readable.

I would like to use the same 50-setup-database.conf to store plain text password and remove the java specific reversible encrypted password usage.

Bottom line... 1. We drop the .pgpass file. 2. We store database connection information in /etc/ovirt-engine/engine.conf.d/<file> that is readable only by ovirt usage. 3. We drop the java specific reversible encryption in favor of plain text.

Thoughts?

I see no problem in the .pgpass , only root can access it (it has 0600 mode , if it doesn't it is ignored by PG) Apart from that , this is the standard way used by PG so why not using it , AFAIK this is considered safe & secured

...

Alon

_______________________________________________ Engine-devel mailing list Engine-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel

----- Original Message -----

From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Eli Mesika" <emesika@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "Yair Zaslavsky" <yzaslavs@redhat.com>, "Juan Hernandez" <jhernand@redhat.com> Sent: Wednesday, May 1, 2013 8:55:05 AM Subject: Re: Dropping encryption of database password

----- Original Message -----

...

From: "Eli Mesika" <emesika@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "Yair Zaslavsky" <yzaslavs@redhat.com>, "Juan Hernandez" <jhernand@redhat.com> Sent: Wednesday, May 1, 2013 3:45:06 AM Subject: Re: Dropping encryption of database password

----- Original Message -----

...

From: "Alon Bar-Lev" <alonbl@redhat.com> To: "engine-devel" <engine-devel@ovirt.org> Cc: "Yair Zaslavsky" <yzaslavs@redhat.com>, "Eli Mesika" <emesika@redhat.com>, "Juan Hernandez" <jhernand@redhat.com> Sent: Tuesday, April 30, 2013 10:41:20 PM Subject: Dropping encryption of database password

Hello,

Currently we store database password encrypted using org.picketbox.datasource.security.SecureIdentityLoginModule.

This is reverse encryption with common knowledge shared secret.

Using encryption with common knowledge shared secret is close to void protection.

So far we also stored the password as plain text at /etc/ovirt-engine/.pgpass, this is going to be removed as no component actually uses the .pgpass, however we do need to store non-java specific password in for utilities.

In master (aiming to 3.3), we store the database connection details in own file /etc/ovirt-engine/engine.conf.d/50-setup-database.conf owned by ovirt user and not world readable.

I would like to use the same 50-setup-database.conf to store plain text password and remove the java specific reversible encrypted password usage.

Bottom line... 1. We drop the .pgpass file. 2. We store database connection information in /etc/ovirt-engine/engine.conf.d/<file> that is readable only by ovirt usage. 3. We drop the java specific reversible encryption in favor of plain text.

Thoughts?

I see no problem in the .pgpass , only root can access it (it has 0600 mode , if it doesn't it is ignored by PG) Apart from that , this is the standard way used by PG so why not using it , AFAIK this is considered safe & secured

In another words you are for storing password as plain text.... :)

If the file is protected , I don't mind that the password is in plain text...

...

...

Alon

----- Original Message -----

From: "Josh Bressers" <bressers@redhat.com> To: "Eli Mesika" <emesika@redhat.com> Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com> Sent: Wednesday, May 1, 2013 6:40:26 PM Subject: Re: [Engine-devel] Dropping encryption of database password

...

...

In another words you are for storing password as plain text.... :)

If the file is protected , I don't mind that the password is in plain text...

Hi all,

Hello,

Itamar pointed me at this thread. I'm part of the Red Hat Product Security Team, we exist to help various projects and products with security needs (such as advice in this instance).

I can't really comment on this without understanding some of the background (sorry for not being up to speed, I don't have time to research this today and I'm away tomorrow so my replies may be slow).

Can you explain to me what the passwords in question are used for?

The password of the user used to access the database. Regards, Alon

Thanks.

-- Josh Bressers / Red Hat Product Security Team

----- Original Message -----

From: "Josh Bressers" <bressers@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Eli Mesika" <emesika@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com> Sent: Wednesday, May 1, 2013 9:13:24 PM Subject: Re: [Engine-devel] Dropping encryption of database password

...

...

...

...

In another words you are for storing password as plain text.... :)

If the file is protected , I don't mind that the password is in plain text...

Hi all,

Hello,

...

Itamar pointed me at this thread. I'm part of the Red Hat Product Security Team, we exist to help various projects and products with security needs (such as advice in this instance).

I can't really comment on this without understanding some of the background (sorry for not being up to speed, I don't have time to research this today and I'm away tomorrow so my replies may be slow).

Can you explain to me what the passwords in question are used for?

The password of the user used to access the database.

Ahh, so the subject is quite literal.

So in an instance like this it's not uncommon to store this password as plaintext in a file. The important part is then to ensure that the file is protected and can only be accessed on a need-to-know basis.

Using various scrambling techniques don't really provide any additional security. Some claim it makes things worse as it provides a false sense of security.

I would suggest you make a note about what processes and users can view or modify this file and for what reasons. This should help identify things in the future that should or shouldn't have this level of access.

Let me know if you have any questions.

Thanks.

Thank you. This is what I wrote in my initial post. The only users who should access this password is ovirt user and root user. Regards, Alon Bar-Lev.

-- Josh Bressers / Red Hat Product Security Team

----- Original Message -----

From: "Keith Robertson" <kroberts@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Josh Bressers" <bressers@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com>, "Sandro Bonazzola" <sbonazzo@redhat.com> Sent: Wednesday, May 1, 2013 9:31:15 PM Subject: Re: [Engine-devel] Dropping encryption of database password

On 05/01/2013 02:16 PM, Alon Bar-Lev wrote:

...

Thank you. This is what I wrote in my initial post. The only users who should access this password is ovirt user and root user.

Regards, Alon Bar-Lev.

...

...

Alon, I agree with the desire to store the PW in plaintext and in a non-obfuscated manner. In this case, obfuscation really doesn't gain anything.

I would suggest; however, that the migration to plaintext be coordinated with a simultaneous patch to the the Log Collector. It does have a dependency on the current architecture.

Keith

Hi, As far as I know it reads the plain text from .pgpass, we need to modify it to search within the alternate format as well. Thanks, Alon

----- Original Message -----

From: "Eli Mesika" <emesika@redhat.com> To: "Keith Robertson" <kroberts@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>, "Juan Hernandez" <jhernand@redhat.com> Cc: "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com> Sent: Sunday, May 5, 2013 10:13:59 AM Subject: Re: [Engine-devel] Dropping encryption of database password

----- Original Message -----

...

From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Keith Robertson" <kroberts@redhat.com> Cc: "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com> Sent: Wednesday, May 1, 2013 9:40:13 PM Subject: Re: [Engine-devel] Dropping encryption of database password

----- Original Message -----

...

From: "Keith Robertson" <kroberts@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Josh Bressers" <bressers@redhat.com>, "Juan Hernandez" <jhernand@redhat.com>, "engine-devel" <engine-devel@ovirt.org>, "pmatouse" <pmatouse@redhat.com>, "Sandro Bonazzola" <sbonazzo@redhat.com> Sent: Wednesday, May 1, 2013 9:31:15 PM Subject: Re: [Engine-devel] Dropping encryption of database password

On 05/01/2013 02:16 PM, Alon Bar-Lev wrote:

...

Thank you. This is what I wrote in my initial post. The only users who should access this password is ovirt user and root user.

Regards, Alon Bar-Lev.

...

...

Alon, I agree with the desire to store the PW in plaintext and in a non-obfuscated manner. In this case, obfuscation really doesn't gain anything.

I would suggest; however, that the migration to plaintext be coordinated with a simultaneous patch to the the Log Collector. It does have a dependency on the current architecture.

Keith

Hi,

As far as I know it reads the plain text from .pgpass, we need to modify it to search within the alternate format as well.

We are using the original .pgpass file that is in 0600 mode ( have access only to root) If the file does not have this mode , it is ignored by Postgres I see no security issue in that ...

Please see details in http://www.postgresql.org/docs/9.0/static/libpq-pgpass.html

I am going to drop the .pgpass file in favor of other configuration file and produce .pgpass on will. This is because: 1. The proprietary format of .pgpass is not friendly to parsing. 2. It does not hold the SSL setting. 3. It does not hold the SSL host validation setting. 4. It will be more difficult to modify user password. This file is also 0600 owned by engine but in key=value format, so no change as far as security is concerned. Thanks! Alon.

...

Thanks, Alon _______________________________________________ Engine-devel mailing list Engine-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-devel

On 05/05/2013 03:17 AM, Alon Bar-Lev wrote:

I am going to drop the .pgpass file in favor of other configuration file and produce .pgpass on will. This is because: 1. The proprietary format of .pgpass is not friendly to parsing. Ack. Please remove this for a key/value solution.