Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 24/03/13 18:47, Stephen Frost wrote:

Tim,

* Tim Watts (tim.j.watts@xxxxxxxxx) wrote:

Is it possible to specify GSSAPI auth (with MIT kerberos as the
backend) but get Postgresql to fallback to prompting for a password
if a kerberos ticket cannot be supplied by the client - eg because
the client cannot do GSSAPI or because the client is not part of the
kerberos realm?


You're right- it's a 'no'.  It would also really degrade the security
which you get with Kerberos as you'd undoubtably end up with clients
storing those passwords and using them routinely instead of using
Kerberos.

	Thanks,

		Stephen



Thank you Stephen, for confirming that.
I would have to respectfully take another point of view: that that particular judgement is probably better placed with the sysadmin rather than a blanket decision by the devs.
Reason: Whilst the argument is solid in an ideal world (all clients are part of the kerberos realm), in reality it means that I cannot gain partial security improvements and I have to leave it running with PAM auth which ensures that passwords are chucked around 100% of the time.
My solution regarding scripts is that those *MUST* have a separate user account that is a member of "role_apps" and uses Postgresql local authentication. Those are expect to have passwords in config files, so the domain of attack is limited of the password leaks (one database is at risk typically). 

I definitely do not want user account passwords in config files.
But it would be nice to be able to use kerberos tickets *where available* and fallback to password-interactive login where not. On about about 50% of the connections (those where a dev has ssh-ed into a server that is kerberized) they would not need to retype passwords, so the temptation to stuff them into .pgpass files would be much reduced :) 

Cheers :)

Tim

--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog:                         http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage



--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux