Greetings,

* Lentes, Bernd (bernd.lentes@xxxxxxxxxxxxxxxxxxxxx) wrote:
> ----- On 23 Nov 2018 at 22:44, Stephen Frost sfrost@xxxxxxxxxxx wrote:
> > No, Kerberos/GSSAPI *never* transmits the user's password to the server.
> > The user's password is actually used as an encryption key and is known
> > only to the KDC (your domain controllers) and the user. The KDC and the
> > PG server then share a different encryption key (the service principal).
> > When the user wants to connect to PG they ask the KDC for a ticket which
> > the KDC returns to the user as a blob which contains some information
> > for the PG server encrypted with the PG server's key and then encrypts
> > that and sends it to the user, who then decrypts it and uses it to
> > connect to the PG server.
> >
> > How all of that works is a bit complicated but thankfully you don't
> > really need to worry about that- Windows and Active Directory handle
> > almost all of it. All you need to do is create a service principal in
> > active directory for the PG server and then export it and copy it over
> > to the PG server and then enable gssapi in PG.
>
> thanks again for your answer. Does my client application (geneious, a bioinformatic tool)
> have to support Kerberos in any way?

Yes, but it might already have it, depending on what library is being used to talk to PostgreSQL. The C library interface for PG, libpq, for example, supports Kerberos and just has to be built with it (which most versions you'll find have been). If the application is JDBC and uses the PostgreSQL JDBC driver, that also supports Kerberos. If the application is written in another language like Perl or Python and is using the common libraries for those (DBD::Pg, psycopg2), which use libpq underneath, then it depends on the way that version of libpq was built, but, again, most of the libpq builds out there support Kerberos.

I don't know anything about geneious, but hopefully it's using libpq or JDBC in some fashion and already has Kerberos support thanks to those libraries having it.

Thanks!

Stephen
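The ticket exchange Stephen sketches in the quoted text, written out as a small added model (not code from the thread, from PostgreSQL or from any Kerberos implementation). The user key is derived from the password on both ends, the KDC wraps a ticket readable only by the PG service key inside a reply readable only by the user key, and the PG server verifies the client with nothing but its own key. The `seal`/`unseal` routines are a toy encrypt-then-MAC construction standing in for Kerberos' real encryption types, the realm, principal names, salt and password are constructed, and `run_demo` records every message that crosses the simulated wire so you can check that the password is never among them.

```python
# Added example: simplified model of the Kerberos ticket flow described in the
# message. The seal/unseal cipher is a toy stand-in, not a real Kerberos enctype.
import hashlib
import hmac
import json
import os

SALT = b"EXAMPLE.ORGbernd"  # constructed; Kerberos salts on realm + principal name


def derive_key(password: str) -> bytes:
    """Long-term key derived from the password on both sides; the password itself never moves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    plain = json.dumps(obj).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, "sha256").digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal; raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, "sha256").digest()):
        raise ValueError("ticket or authenticator failed integrity check")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class KDC:
    """The domain controller: holds each user's derived key and each service principal's key."""

    def __init__(self):
        self.user_keys = {}
        self.service_keys = {}

    def enroll_user(self, principal: str, password: str) -> None:
        self.user_keys[principal] = derive_key(password)  # only the derived key is kept

    def enroll_service(self, principal: str) -> bytes:
        key = os.urandom(32)
        self.service_keys[principal] = key
        return key  # this is what gets exported and copied to the PG server

    def issue_ticket(self, user: str, service: str) -> bytes:
        session_key = os.urandom(32).hex()
        # Inner blob: readable only by the PG server (encrypted with the service key)
        ticket = seal(self.service_keys[service], {"user": user, "session_key": session_key})
        # Outer blob: readable only by the user (encrypted with the user's key)
        return seal(self.user_keys[user], {"session_key": session_key, "ticket": ticket.hex()})


def client_connect(kdc: KDC, user: str, password: str, service: str, wire: list):
    """Client side: decrypt the KDC reply locally, then present ticket + authenticator to PG."""
    reply = kdc.issue_ticket(user, service)
    wire.append(("KDC->client", reply))
    creds = unseal(derive_key(password), reply)  # a wrong password fails right here
    session_key = bytes.fromhex(creds["session_key"])
    ticket = bytes.fromhex(creds["ticket"])
    authenticator = seal(session_key, {"user": user})
    wire.append(("client->PG", ticket + authenticator))
    return ticket, authenticator


def pg_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """PG server side: needs only its own key, and learns the user from the ticket."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["user"] != t["user"]:
        raise ValueError("authenticator does not match ticket")
    return t["user"]


def run_demo(password_attempt: str = "correct horse") -> dict:
    """Run one login and report who PG authenticated and whether the password crossed the wire."""
    kdc = KDC()
    user, service = "bernd@EXAMPLE.ORG", "postgres/db.example.org@EXAMPLE.ORG"  # constructed
    kdc.enroll_user(user, "correct horse")
    pg_key = kdc.enroll_service(service)
    wire = []
    try:
        ticket, auth = client_connect(kdc, user, password_attempt, service, wire)
        authenticated = pg_accept(pg_key, ticket, auth)
    except ValueError:
        authenticated = None
    password_seen = any(b"correct horse" in msg for _, msg in wire)
    return {"authenticated_user": authenticated, "password_on_wire": password_seen}


if __name__ == "__main__":
    print(run_demo())           # good password: user authenticated, password never on the wire
    print(run_demo("wrong"))    # bad password: client cannot even open the KDC reply
```

The practical consequence for the PG side is visible in `enroll_service`: the only secret the database server ever holds is the exported service key, so file permissions on that keytab matter far more than anything about user passwords, which never leave the client.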