PostgreSQL plugin creates roles with password in clear text

[rafaelremondes]

Hello

I am using the PostgreSQL plugin to create temporary credentials. The creation statement allows to set a password for the role newly created. However, in PostgreSQL, when creating a ROLE with password it is showed in clear test in logs.

Documentation in Postgres suggests that is possible to pass an hash using md5 or other function instead of clear text password.

https://www.postgresql.org/docs/current/sql-createrole.html

If the presented password string is already in MD5-encrypted or SCRAM-encrypted format, then it is stored as-is regardless of password_encryption (since the system cannot decrypt the specified encrypted password string, to encrypt it in a different format). This allows reloading of encrypted passwords during dump/restore.

So, could Vault store an hashed password instead of one in clear text?

Disabling the logs for the db user Vault uses to create the role would work but it would not be ideal as we would miss logs that might be important for debugging or auditing.

Thanks

[evkuzin]

agreed, I have the same problem. When logs format == ddl - all passwords stored cleartext in log.

[ncabatoff]

Think we would need lib/pq#941 (or an equivalent from another library) to implement this.

[Neustradamus]

@rafaelremondes, @evkuzin, @ncabatoff: The lib/pq has SCRAM-SHA-256 support since a moment:

• Add SCRAM-SHA-256 authentication to this library lib/pq#833

And you can see this PR here:

• Upgrade github.com/lib/pq to pickup SCRAM-SHA-* methods #6895

[aphorise]

There's been a change to pgx from lib/pq as per the CHANGELOG.md release notes of 1.11.0

database & storage: Change underlying driver library from lib/pq to pgx. This change affects Redshift & Postgres database secrets engines, and CockroachDB & Postgres storage engines [GH-15343].

I'm curious if this is an issue still or relevant?

@rafaelremondes can you kindly confirm if you've retested since?

PS - @Neustradamus @evkuzin - any input from you folks on a retest would be welcome too.

[raymonstah]

Hey folks, there's a fix for this in #19616 and should be released as a part of Vault 1.14.
You'll have to update your PostgreSQL configuration using the following:

    $ vault write database/config/my-postgresql-database \
        ... \
        password_authentication="scram-sha-256"

With the password_authentication set to scram-sha-256, passwords created by Vault will first hashed before sending them to PostgreSQL, which will store the hashed password as-is, preventing plaintext passwords from leaking in the logs.