Re: BUG #9337: SSPI/GSSAPI with mismatched user names
| От | Brian Crowell |
|---|---|
| Тема | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Дата | |
| Msg-id | CAAQkdDrEgt24Lbq6yG5DvjF8Cmmdn6o16WarpAEJxeaC-wubTg@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: BUG #9337: SSPI/GSSAPI with mismatched user names (Stephen Frost <sfrost@snowman.net>) |
| Ответы |
Re: BUG #9337: SSPI/GSSAPI with mismatched user names
|
| Список | pgsql-bugs |
On Tue, Feb 25, 2014 at 11:07 AM, Stephen Frost <sfrost@snowman.net> wrote: > I've not gone back to look at why we added multi-realm support, but I > wonder if it might have specifically been to allow a PG server to be in > both an AD realm and a Unix realm at the same time, without a cross > realm trust between the two (which was problematic until AD got AES > support since the only compatible encryption was quite weak). What a wacky world :P > On the other hand, Magnus removing the krb5 auth method also removed > krb_server_hostname.. I'll ask him about that because we should > probably make that available under 'gss' or we may end up leaving some > of our users out in the cold when 9.4 comes out and that'd be quite > unfortuante. I'd be interested in why the principal needs to be specified ahead of time, since it arrives in the ticket. Is it a limitation of the Kerberos APIs? Or maybe it's to prevent using a different key from the key file? > If we decide to allow an option where we use the 'default cred' in > GSSAPI to also determine the PG username we are authenticating to, we'll > want to think about how we support that in libpq and psql and consider > what to do about the limitations of not being able to specify different > krb_server_hostname depending on the user which is attempting to > authenicate. I figured this would be an optional extension, something you could request in the initial packet. You would explicitly ask for it using some special invocation of psql, like "psql -K" the way ssh does. As such, if there are going to be limitations, you could just choose to authenticate the normal way. > No complaints here, just a word of caution that we don't want to break > existing setups and should consider what other systems do in this regard > to avoid surprising behavior for users who are used to SSH or other > Kerberos-enabled systems. Agreed. I looked around, and I thought I saw setups where you could authenticate using "ssh -K hostname" without having to specify a user. I couldn't find any more details on it, though, so I'd have to research that when the time comes. --Brian
В списке pgsql-bugs по дате отправления: