From: Brian Crowell <brian(at)fluggo(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date: 2014-02-25 17:19:15
Message-ID: CAAQkdDrEgt24Lbq6yG5DvjF8Cmmdn6o16WarpAEJxeaC-wubTg@mail.gmail.com
Lists: pgsql-bugs

On Tue, Feb 25, 2014 at 11:07 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> I've not gone back to look at why we added multi-realm support, but I
> wonder if it might have specifically been to allow a PG server to be in
> both an AD realm and a Unix realm at the same time, without a cross
> realm trust between the two (which was problematic until AD got AES
> support since the only compatible encryption was quite weak).
What a wacky world :P
> On the other hand, Magnus removing the krb5 auth method also removed
> krb_server_hostname.. I'll ask him about that because we should
> probably make that available under 'gss' or we may end up leaving some
> of our users out in the cold when 9.4 comes out and that'd be quite
> unfortunate.
I'd be interested in why the principal needs to be specified ahead of
time, since it arrives in the ticket. Is it a limitation of the
Kerberos APIs? Or maybe it's to prevent using a different key from the
key file?
> If we decide to allow an option where we use the 'default cred' in
> GSSAPI to also determine the PG username we are authenticating to, we'll
> want to think about how we support that in libpq and psql and consider
> what to do about the limitations of not being able to specify different
> krb_server_hostname depending on the user which is attempting to
> authenticate.
I figured this would be an optional extension, something you could
request in the initial packet. You would explicitly ask for it using
some special invocation of psql, like "psql -K" the way ssh does. As
such, if there are going to be limitations, you could just choose to
authenticate the normal way.
> No complaints here, just a word of caution that we don't want to break
> existing setups and should consider what other systems do in this regard
> to avoid surprising behavior for users who are used to SSH or other
> Kerberos-enabled systems.
Agreed. I looked around, and I thought I saw setups where you could
authenticate using "ssh -K hostname" without having to specify a user.
I couldn't find any more details on it, though, so I'd have to
research that when the time comes.
--Brian