Re: [SOLVED] Re: pgAdmin 4 + python wheel + kerberos - Mailing list pgadmin-support

From Stephen Frost
Subject Re: [SOLVED] Re: pgAdmin 4 + python wheel + kerberos
Date
Msg-id 20200507160042.GD13712@tamriel.snowman.net
In response to Re: [SOLVED] Re: pgAdmin 4 + python wheel + kerberos  (Dave Page <dpage@pgadmin.org>)
List pgadmin-support
Greetings,

* Dave Page (dpage@pgadmin.org) wrote:
> On Thu, May 7, 2020 at 3:52 PM Stephen Frost <sfrost@snowman.net> wrote:
> > * Dave Page (dpage@pgadmin.org) wrote:
> > > On Wed, May 6, 2020 at 5:20 PM Stephen Frost <sfrost@snowman.net> wrote:
> > > > Any chance you could share that patch..?  Considering that pgAdmin4
> > has,
> > > > sadly, decided to go the (broken) route of adding LDAP basic-user auth,
> > >
> > > Less secure != broken, unless you know something I don't (and bear in
> > mind
> > > I've seen your talk on the subject :-p )
> >
> > You could make the same distinction and argument when talking about
> > NTLM, LANMAN, or even hash algorithms like MD5.  There's good reasons
> > for why Microsoft moved away from NTLM and why all of their applications
> > use Kerberos and explicitly not LDAP-simple-bind for authentication.
>
> I'm not saying it's the best option or anything close, simply that it's not
> broken in the dictionary sense of the word.

No hash algorithm's ever been broken in the dictionary sense of the
word. :)

> Maybe that person is confused (and certainly some others are), but I don't
> see anything in that particular message to indicate they're using AD. For
> all I can see they're using OpenLDAP or 389-ds.
>
> Regardless; it's clearly not feasible for us to persuade every user of
> non-AD LDAP to stop doing so.

I hear this argument time and time again and it just strikes me as a
complete cop-out and justification to continue supporting a horrible
auth method.  Not only that, but both the LDAP protocol and OpenLDAP
have supported SASL-based auth for a very long time, which can be (and
often is) Kerberos underneath.  There's really no good reason to use
simple binds with OpenLDAP any more than there's good reason to do so
with AD.

> > The poster even claims that with ldap auth: "But the user credentials
> > will not be sent to Postgresql server to authenticate", which is clearly
> > wrong.
>
> Yeah, definitely.

Sadly though, they're not alone, not in the least.  If we actually threw
a warning or a complaint of some kind in the PG client, as was
contemplated on that thread, about sending the user's credentials to the
server, I bet we'd see a sudden up-tick in questions about how to get
proper authentication implemented as people start to realize what's
actually happening.

> > > > it'd really be good to, out of the box, make it support Kerberos-based
> > > > auth, even with the limitations you've described here.
> > >
> > > We already have a Kerberos module on our plan to follow on from the LDAP
> > > one. Following that we plan to also add support for Kerberos
> > authentication
> > > to the database servers themselves.
> >
> > Glad to hear it, I'd be happy to help with Kerberos auth support.
> > Sounds like it's actually rather easy to implement it, based on Peter's
> > comments (which isn't surprising, really, it's actually *not* very hard
> > to enable for a web app thanks to modules like mod_auth_kerb- probably a
> > great deal less code than the LDAP auth needed, in fact).
>
> Our problem here is likely to be that we can't rely on mod_auth_krb. In a
> container we're running under Gunicorn for example (perhaps with a reverse
> proxy or Traefik in a different container), and users will often host under
> Nginx rather than Apache.

Ok, so I went and looked up a few things- first is that there's actually
a new module 'mod_auth_gss' for Apache, and there's an Nginx module for
SPNEGO which does GSSAPI:

https://github.com/stnoonan/spnego-http-auth-nginx-module

Unfortunately, for reasons that aren't very clear, it doesn't appear to
be set up to accept delegated credentials, so while you could use it to
authenticate a user connecting with GSS, you wouldn't be able to use
that to turn around and then connect to PG with it.

Now, that Apache mod_auth_gss module, on the other hand, looks like it
supports both delegated credentials and constrained credential
delegation, which is even better.  For pgAdmin4's roadmap, I'd argue
that it'd make the most sense to get things working with mod_auth_gss,
while also putting pressure on the nginx author to add support for
delegated credentials and, ideally, constrained credential delegation.
I'm hoping to work on both of the latter items for PG in the near
future, to support connecting to other services via FDWs, and so I could
probably help with the nginx module if needed.

Thanks,

Stephen
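The client-side warning contemplated above, as an added illustration that is not part of this thread or of pgAdmin/libpq: a parser for the backend's Authentication ('R') message of the PostgreSQL wire protocol that reports whether answering the request would transmit the user's password (or a hash derived from it) to the server. The code assumes the message layout and request codes as documented in the PostgreSQL frontend/backend protocol; the sample messages are constructed, not captured.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
# Message layout: byte 'R', int32 length (includes itself, excludes the type
# byte), int32 code, optional payload.  Second tuple field: does the client's
# reply carry the password (or a password-derived hash) to the server?
AUTH_CODES = {
    0: ("AuthenticationOk", False),
    3: ("AuthenticationCleartextPassword", True),   # used by ldap, pam, radius, password
    5: ("AuthenticationMD5Password", True),         # salted md5 of the password
    7: ("AuthenticationGSS", False),                # Kerberos via GSSAPI
    8: ("AuthenticationGSSContinue", False),
    9: ("AuthenticationSSPI", False),
    10: ("AuthenticationSASL", False),              # SCRAM: a proof, not the password
}


def classify_auth_request(msg: bytes):
    """Parse one Authentication message; return (name, sends_credential, detail)."""
    if len(msg) < 9 or msg[0:1] != b"R":
        raise ValueError("not an Authentication ('R') message")
    length, code = struct.unpack("!II", msg[1:9])
    if length + 1 != len(msg):
        raise ValueError("length field does not match message size")
    payload = msg[9:]
    # Unknown codes are treated conservatively as credential-bearing.
    name, sends_credential = AUTH_CODES.get(code, (f"unknown({code})", True))
    detail = ""
    if code == 5:
        detail = "salt=" + payload[:4].hex()
    elif code == 10:
        # NUL-terminated mechanism names, list ended by an empty name
        detail = ",".join(m.decode() for m in payload.split(b"\x00") if m)
    return name, sends_credential, detail


def warn_if_credentials_leave_client(msg: bytes) -> str:
    """The warning a client could emit before replying to the server's request."""
    name, sends, detail = classify_auth_request(msg)
    if sends:
        return f"WARNING: server requested {name}; your password (or a hash of it) will be sent to the server"
    return f"ok: {name} {detail}".rstrip()


# Constructed sample messages (not captured from a real server):
LDAP_REQUEST = b"R" + struct.pack("!II", 8, 3)                    # what ldap auth in pg_hba elicits
MD5_REQUEST = b"R" + struct.pack("!II", 12, 5) + b"\x01\x02\x03\x04"
GSS_REQUEST = b"R" + struct.pack("!II", 8, 7)
SCRAM_REQUEST = b"R" + struct.pack("!II", 23, 10) + b"SCRAM-SHA-256\x00\x00"
```

Run over the four constructed requests, only the LDAP-style and MD5 ones trigger the warning; the GSS and SCRAM requests are reported as not sending the password.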
