Re: Certificate, login & php question ? krb / sso

From: Michael Fuhr <mike(at)fuhr(dot)org>
To: Jean-Gerard Pailloncy <jg(at)rilk(dot)com>
Cc: Postgres general mailing list <pgsql-general(at)postgresql(dot)org>
Subject: Re: Certificate, login & php question ? krb / sso
Date: 2006-09-11 14:09:26
Message-ID: 20060911140926.GA85359@winnie.fuhr.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Mon, Sep 11, 2006 at 10:44:18AM +0200, Jean-Gerard Pailloncy wrote:
> Le 11 sept. 06 à 05:57, Michael Fuhr a écrit :
> > If such a capability existed then it could arguably be considered
> > a flaw in SSL because it would allow a server to impersonate one
> > of its clients to another server or to hijack a client's secure
> > connection with another server. Secure protocols are designed to
> > prevent such attacks.
>
> The point is to USE AGAIN the authentification done by Apache with
> PostgreSQL not DO AGAIN the authentification.

To "use again" the client's authentication you'd have to "do again"
the authentication. If the PHP script makes an SSL connection to
PostgreSQL then that connection is independent of the HTTP client's
SSL connection with the web server. If the server in the new
connection (PostgreSQL) sends an SSL CertificateRequest message
then the client (the PHP script) needs access to a certificate and
the corresponding private key to reply with Certificate and
CertificateVerify messages. The HTTP client's certificate would
be available but that client's private key would not, so the PHP
script would have no way to build a valid CertificateVerify message.

> Googling around, I found:
> mod_auth_krb with "AuthType KerberosV5SaveCredentials"
> The auth is done by mod_auth_krb and mod_perl is able to use the same
> ticket for PostgreSQL. It is in the doc of PG.

You didn't mention Kerberos before; you said you wanted to reuse
the client's SSL authentication. Kerberos works differently than
SSL; I'd have to research the links you mentioned to see if reusing
the client's credientials would indeed be possible using Kerberos.

--
Michael Fuhr

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Marco Bizzarri 2006-09-11 14:49:37 Re: [GENERAL] Problem with lo_export() and lo_import() from remote machine.
Previous Message John DeSoi 2006-09-11 13:36:28 Re: references/tutorial/tricks on dynamic generation of sql (& plpgsql functions) editing/coding