pgadmin-org / pgadmin4

pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
https://www.pgadmin.org

pgadmin4 needs to work on a Red Hat fips 140-2 enabled operating system (RM #6104) #4034

Closed dpage closed 2 years ago

dpage commented 3 years ago

Issue migrated from Redmine: https://redmine.postgresql.org/issues/6104 Originally created by Karen Watson at 2020-12-21 14:04:54 UTC.

Urgent need to have pgadmin4 work on a Red Hat fips 140-2 enabled operating system. It appears pgadmin4 uses md5 hash for password when logging in server mode through a web browser. Once the operating system is fips enabled, logging into pgadmin4 through the web browser does not work. Also, if the operating system is in fips mode the installation setup.py fails once the email and password are entered when prompted in the script. Part of the error message: EVP_DigestInit_ex:disabled for fips

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-1 Originally created by Khushboo Vashi at 2021-01-08 11:50:37 UTC.

We need further investigation on this issue.

Redmine ticket header update:

| Name | Old Value | New Value |
| --- | --- | --- |
| Sprint changed | | Ready |
| Assigned To changed | | Karen Watson |

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-2 Originally created by Karen Watson at 2021-02-04 20:25:24 UTC.

Can I get an update on this feature request? Our customer has an urgent need for PGADMIN to work with a FIPS 140-2 enabled RedHat OS.

Customer is asking when fix will be available.

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-3 Originally created by Dave Page at 2021-03-12 16:15:30 UTC.

pgAdmin uses pbkdf2_sha512 hashes by default. This is configured by the SECURITY_PASSWORD_HASH configuration option - see https://www.pgadmin.org/docs/pgadmin4/5.0/config_py.html#config-py. Connections to database servers will use whatever the database server requests, which may be md5 (in that case, reconfigure the database server to use scram-sha-256).

Please note that this is an Open Source project; time spent on it by developers is determined by them and what they want to work on, which is usually driven by their own interests and common requests from the community. If you have need for a specific feature on an urgent basis, the only way to guarantee it gets done is to task one of your own team to do the work - and they would need to discuss the changes they want to make on the development mailing list to ensure there's agreement from the other developers that the feature is desirable and appropriately implemented before it can be committed.

Redmine ticket header update:

| Name | Old Value | New Value |
| --- | --- | --- |
| Priority changed | High | Normal |
| Assigned To changed | | Karen Watson |

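
The advice above to move the database server from md5 to scram-sha-256 is easy to state but easy to miss in a long pg_hba.conf. The following is an added example, not pgAdmin or PostgreSQL project code: a small audit that parses pg_hba.conf entries (both the CIDR and the separate-netmask address forms), flags methods that either break under FIPS (md5) or are weak on their own (password, trust), and produces a hardened copy with md5 rewritten to scram-sha-256. The sample configuration embedded in it is constructed for the example.

```python
import re

# Constructed sample pg_hba.conf for the example (not from any real host).
SAMPLE_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            md5
host    all             all             192.168.1.0 255.255.255.0 md5
hostssl all             all             ::1/128                 scram-sha-256
host    all             all             0.0.0.0/0               trust
"""

# Authentication methods worth flagging, and why.
WEAK_METHODS = {
    "md5": "MD5 is disabled under FIPS 140-2; clients cannot authenticate",
    "password": "sends the password in cleartext",
    "trust": "no authentication at all",
}


def _looks_like_ipv4(token: str) -> bool:
    """True for a dotted-quad token such as a separate netmask field."""
    parts = token.split(".")
    return len(parts) == 4 and all(part.isdigit() for part in parts)


def parse_hba_line(line: str):
    """Return (type, database, user, address, method) or None for blank/comment lines.

    'local' entries carry no address; host entries may give the address either
    as CIDR (192.168.1.0/24) or as 'address netmask' in two fields. IPv6
    netmask-form entries are not handled by this small parser.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if fields[0] == "local":
        if len(fields) < 4:
            return None
        return (fields[0], fields[1], fields[2], None, fields[3])
    if len(fields) < 5:
        return None
    address, method_index = fields[3], 4
    if "/" not in address and len(fields) > 5 and _looks_like_ipv4(fields[4]):
        address, method_index = f"{fields[3]}/{fields[4]}", 5
    return (fields[0], fields[1], fields[2], address, fields[method_index])


def audit_hba(text: str):
    """List (line number, method, reason) for every weak or FIPS-breaking entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        parsed = parse_hba_line(line)
        if parsed is None:
            continue
        method = parsed[4]
        if method in WEAK_METHODS:
            findings.append((number, method, WEAK_METHODS[method]))
    return findings


def harden_hba(text: str) -> str:
    """Return a copy with md5 entries rewritten to scram-sha-256.

    Only the method token in the entry body is touched; comments are left alone.
    """
    out = []
    for line in text.splitlines():
        parsed = parse_hba_line(line)
        if parsed is not None and parsed[4] == "md5":
            body, sep, comment = line.partition("#")
            body = re.sub(r"\bmd5\b", "scram-sha-256", body, count=1)
            line = body + sep + comment
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for number, method, reason in audit_hba(SAMPLE_HBA):
        print(f"line {number}: {method}: {reason}")
    print(harden_hba(SAMPLE_HBA))
```

Rewriting pg_hba.conf is only half of the change: the server must also store SCRAM verifiers (`password_encryption = scram-sha-256`), and any role whose password was stored as an md5 hash has to have its password set again before it can log in with the new method.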
dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-4 Originally created by Philippe Racette at 2021-04-28 20:17:13 UTC.

Ended up disabling the gravatar image in the configuration of pgadmin4.

SHOW_GRAVATAR_IMAGE=false

The gravatar python library makes use of an md5 hashlib. It was causing an issue in our setup.

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-5 Originally created by Philippe Racette at 2021-04-28 20:20:15 UTC.

Excerpt from gravatar lib below:

        if use_ssl:
            url = 'https://secure.gravatar.com/avatar/'
        else:
            url = 'http://www.gravatar.com/avatar/'

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-6 Originally created by Philippe Racette at 2021-04-28 20:21:51 UTC.

Philippe Racette wrote:

Excerpt from gravatar lib below:

        if use_ssl:
            url = 'https://secure.gravatar.com/avatar/'
        else:
            url = 'http://www.gravatar.com/avatar/'
        # hashlib.md5() is the call a FIPS-enabled OpenSSL refuses
        hash = hashlib.md5(email.encode('utf-8')).hexdigest()
        link = '{url}{hash}' \
               '?s={size}&d={default}&r={rating}'.format(**locals())

Make sure, as stated above, that your pg_hba.conf has at least scram-sha-256 in your postgres configuration.

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-7 Originally created by Aditya Toshniwal at 2021-04-29 08:20:45 UTC.

For discussion by the hackers: should we replace gravatar with Libravatar, which supports SHA256 as well?

Redmine ticket header update:

| Name | Old Value | New Value |
| --- | --- | --- |
| Sprint changed | | Ready |
| Fixed Version changed | | 4.30 |

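
The gravatar excerpt quoted earlier and the Libravatar suggestion above come down to one question: how to build an avatar hash on a host where hashlib.md5() raises. The block below is an added example, not code from the gravatar library or from pgAdmin. It probes whether MD5 is usable at all, hashes the normalized address with SHA-256 by default (a FIPS-approved algorithm), falls back to Python 3.9's `usedforsecurity=False` flag when MD5 is explicitly requested, and builds a URL with the same query parameters as the excerpt. The Libravatar base URL is an assumption for illustration; the Gravatar one is the secure URL quoted in the thread.

```python
import hashlib

# Added example, not gravatar or pgAdmin code. The Libravatar base URL is an
# assumption for illustration; the Gravatar one is quoted in the thread above.
GRAVATAR_BASE = "https://secure.gravatar.com/avatar/"
LIBRAVATAR_BASE = "https://seccdn.libravatar.org/avatar/"


def md5_available() -> bool:
    """Probe whether the OpenSSL backend permits MD5 at all.

    On a FIPS 140-2 enabled host hashlib.md5() raises ValueError, which is the
    Python-level face of the thread's 'EVP_DigestInit_ex:disabled for fips'.
    """
    try:
        hashlib.md5(b"")
    except ValueError:
        return False
    return True


def normalize_email(email: str) -> str:
    """Avatar services hash the trimmed, lower-cased address."""
    return email.strip().lower()


def avatar_hash(email: str, algorithm: str = "sha256") -> str:
    """Hex digest of the normalized address, FIPS-safe by default."""
    data = normalize_email(email).encode("utf-8")
    if algorithm == "sha256":
        # SHA-256 is FIPS-approved, so this path works on every host.
        return hashlib.sha256(data).hexdigest()
    if algorithm == "md5":
        try:
            try:
                # Python 3.9+: declare a non-security use; FIPS builds that
                # distinguish the two cases will then still permit MD5.
                digest = hashlib.md5(data, usedforsecurity=False)
            except TypeError:  # Python < 3.9 has no such keyword
                digest = hashlib.md5(data)
        except ValueError as exc:  # FIPS-enabled OpenSSL refuses MD5 outright
            raise RuntimeError("MD5 is disabled on this host (FIPS mode)") from exc
        return digest.hexdigest()
    raise ValueError(f"unsupported algorithm: {algorithm}")


def avatar_url(email: str, algorithm: str = "sha256", size: int = 80,
               default: str = "identicon", rating: str = "g") -> str:
    """Build the avatar URL with the excerpt's query parameters.

    SHA-256 hashes are routed to Libravatar, which the thread notes accepts
    them; MD5 hashes keep the Gravatar endpoint.
    """
    base = LIBRAVATAR_BASE if algorithm == "sha256" else GRAVATAR_BASE
    return f"{base}{avatar_hash(email, algorithm)}?s={size}&d={default}&r={rating}"


if __name__ == "__main__":
    print("md5 usable on this host:", md5_available())
    print(avatar_url(" Someone@Example.com "))
```

`md5_available()` is the check to run on the target host before deploying: if it returns False, every code path that calls `hashlib.md5()` without `usedforsecurity=False` (the gravatar excerpt, and the setup.py failure reported at the top of the thread) will fail the same way.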
dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/6104#note-8 Originally created by Yogesh Mahajan at 2021-05-21 11:29:51 UTC.

No response from author, hence closing issue.

Redmine ticket header update:

| Name | Old Value | New Value |
| --- | --- | --- |
| Status changed | New | Rejected |

dpage commented 2 years ago

Issue closed on Redmine.