On Tue, Dec 22, 2020 at 10:40:17AM -0500, Bruce Momjian wrote:
> On Mon, Dec 21, 2020 at 10:07:48PM -0500, Bruce Momjian wrote:
> > Attached is the script patch. It is also at:
> >
> >
> > https://github.com/postgres/postgres/compare/master...bmomjian:cfe-sh.diff
> >
> > I think it still needs docs but those will have to be done after the
> > code doc patch is added.
>
> Here is an updated patch. Are people happy with the Makefile, its
> location in the source tree, and the install directory name? I used the
> directory name 'auth_commands' because I thought 'auth' was too easily
> misinterpreted. I put the scripts in /src/backend/utils/auth_commands.
> It also contains a script that can be used for SSL passphrase prompting,
> but I haven't written the C code for that yet.
Here is a new patch, built on previous patches, which allows for the SSL
passphrase to be prompted from the terminal.
--
Bruce Momjian <[email protected]> https://momjian.us
EnterpriseDB https://enterprisedb.com
The usefulness of a cup is in its emptiness, Bruce Lee
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
new file mode 100644
index 639c623..850813e
*** a/doc/src/sgml/config.sgml
--- b/doc/src/sgml/config.sgml
*************** include_dir 'conf.d'
*** 1452,1469 ****
mechanism is used.
</para>
<para>
! The command must print the passphrase to the standard output and exit
! with code 0. In the parameter value, <literal>%p</literal> is
! replaced by a prompt string. (Write <literal>%%</literal> for a
! literal <literal>%</literal>.) Note that the prompt string will
! probably contain whitespace, so be sure to quote adequately. A single
! newlines is stripped from the end of the output if present.
! </para>
! <para>
! The command does not actually have to prompt the user for a
! passphrase. It can read it from a file, obtain it from a keychain
! facility, or similar. It is up to the user to make sure the chosen
! mechanism is adequately secure.
</para>
<para>
This parameter can only be set in the <filename>postgresql.conf</filename>
--- 1452,1469 ----
mechanism is used.
</para>
<para>
! The command must print the passphrase to the standard output
! and exit with code 0. It can prompt from the terminal if
! <option>--authprompt</option> is used. In the parameter value,
! <literal>%R</literal> represents the file descriptor number opened
! to the terminal that started the server. A file descriptor is only
! available if enabled at server start. If <literal>%R</literal>
! is used and no file descriptor is available, the server will not
! start. Value <literal>%p</literal> is replaced by a pre-defined
! prompt string. (Write <literal>%%</literal> for a literal
! <literal>%</literal>.) Note that the prompt string will probably
! contain whitespace, so be sure to quote its use adequately.
! Newlines are stripped from the end of the output if present.
</para>
<para>
This parameter can only be set in the <filename>postgresql.conf</filename>
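Review bot: the rewritten paragraph drops the old second paragraph ("The command does not actually have to prompt the user for a passphrase ... It is up to the user to make sure the chosen mechanism is adequately secure"), which told the administrator that a file or keychain source is allowed and that securing it is their responsibility. %R adds a way to prompt and does not replace those sources, so that paragraph should stay. Separately, "Newlines are stripped" describes different behaviour from the old "A single newlines is stripped"; the wording should match what the code does. The %R sentence should also say what the command is expected to do with the descriptor number (read from it, write the prompt to it, or both).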
*************** include_dir 'conf.d'
*** 1486,1495 ****
parameter is off (the default), then
<varname>ssl_passphrase_command</varname> will be ignored during a
reload and the SSL configuration will not be reloaded if a passphrase
! is needed. That setting is appropriate for a command that requires a
! TTY for prompting, which might not be available when the server is
! running. Setting this parameter to on might be appropriate if the
! passphrase is obtained from a file, for example.
</para>
<para>
This parameter can only be set in the <filename>postgresql.conf</filename>
--- 1486,1495 ----
parameter is off (the default), then
<varname>ssl_passphrase_command</varname> will be ignored during a
reload and the SSL configuration will not be reloaded if a passphrase
! is needed. This setting is appropriate for a command that requires a
! terminal for prompting, which might not be available when the server is
! running. Setting this parameter on might be appropriate, for
! example, if the passphrase is obtained from a file.
</para>
<para>
This parameter can only be set in the <filename>postgresql.conf</filename>
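Review bot: this paragraph does not say how a reload behaves when ssl_passphrase_command uses %R. The earlier hunk states "A file descriptor is only available if enabled at server start", so the text here should say whether that descriptor is still usable on reload or whether this parameter must stay off for such commands. As a style point, "Setting this parameter on" reads better with the original "to on".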
diff --git a/doc/src/sgml/ref/pg_ctl-ref.sgml b/doc/src/sgml/ref/pg_ctl-ref.sgml
new file mode 100644
index f04e417..0662ae0
*** a/doc/src/sgml/ref/pg_ctl-ref.sgml
--- b/doc/src/sgml/ref/pg_ctl-ref.sgml
*************** PostgreSQL documentation
*** 380,387 ****
<term><option>--authprompt</option></term>
<listitem>
<para>
! Allows the <option>--cluster-key-command</option> command
! to prompt for a passphrase or PIN.
</para>
</listitem>
</varlistentry>
--- 380,388 ----
<term><option>--authprompt</option></term>
<listitem>
<para>
! Allows <option>ssl_passphrase_command</option> or
! <option>cluster_key_command</option> to prompt for a passphrase
! or PIN.
</para>
</listitem>
</varlistentry>
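Review bot: ssl_passphrase_command is marked up as <option> here, but config.sgml in this same patch uses <varname>ssl_passphrase_command</varname>. Use <varname> for both names if they are configuration parameters. The old text referred to <option>--cluster-key-command</option> and the new text to cluster_key_command, so please confirm which spelling is the real name and whether it is a command-line option or a setting.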
diff --git a/doc/src/sgml/ref/pgupgrade.sgml b/doc/src/sgml/ref/pgupgrade.sgml
new file mode 100644
index 98be392..b1bcdb7
*** a/doc/src/sgml/ref/pgupgrade.sgml
--- b/doc/src/sgml/ref/pgupgrade.sgml
*************** PostgreSQL documentation
*** 170,176 ****
<varlistentry>
<term><option>-R</option></term>
<term><option>--authprompt</option></term>
! <listitem><para>allows prompting for a passphrase or PIN
</para></listitem>
</varlistentry>
--- 170,178 ----
<varlistentry>
<term><option>-R</option></term>
<term><option>--authprompt</option></term>
! <listitem><para>allows <option>ssl_passphrase_command</option> or
! <option>cluster_key_command</option> to prompt for a passphrase
! or PIN.
</para></listitem>
</varlistentry>
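Review bot: the new entry now ends with a period but still starts with lowercase "allows", so it is neither a sentence nor a fragment. Pick one form and match the neighbouring option descriptions in this file. The <option> markup on ssl_passphrase_command and cluster_key_command has the same inconsistency with config.sgml as in pg_ctl-ref.sgml.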
diff --git a/src/backend/libpq/be-secure-common.c b/src/backend/libpq/be-secure-common.c
new file mode 100644
index 94cdf4c..1b712cf
*** a/src/backend/libpq/be-secure-common.c
--- b/src/backend/libpq/be-secure-common.c
***************
*** 22,27 ****
--- 22,28 ----
#include <sys/stat.h>
#include <unistd.h>
+ #include "postmaster/postmaster.h"
#include "common/string.h"
#include "libpq/libpq.h"
#include "storage/fd.h"
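Review bot: the new include is placed ahead of "common/string.h", while the existing project includes in this block are in alphabetical order (common, libpq, storage). "postmaster/postmaster.h" belongs between "libpq/libpq.h" and "storage/fd.h".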
*************** run_ssl_passphrase_command(const char *p
*** 61,66 ****
--- 62,80 ----
appendStringInfoString(&command, prompt);
p++;
break;
+ case 'R':
+ {
+ char fd_str[20];
+
+ if (terminal_fd == -1)
+ ereport(ERROR,
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg("ssl_passphrase_command referenced %%R, but -R not specified")));
+ p++;
+ snprintf(fd_str, sizeof(fd_str), "%d", terminal_fd);
+ appendStringInfoString(&command, fd_str);
+ break;
+ }
case '%':
appendStringInfoChar(&command, '%');
p++;
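Review bot: in the new case 'R', the terminal_fd == -1 branch reports ERRCODE_INTERNAL_ERROR, but a %R in ssl_passphrase_command without a terminal descriptor is a configuration mistake by the administrator, not an internal fault. A configuration-related code such as ERRCODE_INVALID_PARAMETER_VALUE fits better. The message says "-R not specified" while the documentation in this patch calls the option --authprompt, so name the long option (or both) so the administrator can find it. The fd_str buffer and snprintf can be replaced by a single appendStringInfo(&command, "%d", terminal_fd).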