How can we lock down Postgresql connections from user > warpgate to not be a password? #1321
Replies: 2 comments
-
I'm not very familiar with the code, but maybe the easiest(ish) option would be to require establishing a localhost:port connection that requires either SSO, OTP, or some other method to establish the connection with the warpgate instance, and then all connections (SSH and postgresql) act the same way through that tunnel to the box, where everything else acts the same?
-
You've correctly noticed that Postgres currently doesn't support any auth methods except for the password. The reason for this was that the PostgreSQL protocol doesn't support any authentication methods other than SCRAM. However, there's indeed a possibility, at least for interactive human sessions, to add support for web authentication by either returning the auth URL in an error or showing it on the homepage and delaying the responses until it's done. I've opened #1323 to track this.
-
We've been excitedly setting up warpgate, and we have all of our other connections all configured, but when we get to Postgres we realized that it only works with password authentication. This isn't ideal since we originally were having users ONLY log in through SSO, and we've been really trying to keep everything as secure as possible.
Do you think there could be a way to require at least the OTP as part of the postgresql connection? Or possibly have some sort of cli authenticator that could authenticate a user and create a connection to warpgate that they then could use to connect to their target?
I've seen other tools before require authentication which opens a socket on a localhost port for the user, which they can then connect to as if it's a direct connection to their target DB. Would something like that make sense to do to keep things more secure?