Re: SSPI authentication - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: SSPI authentication
Date
Msg-id 469BBA1F.7020804@hagander.net
Whole thread Raw
In response to Re: SSPI authentication  (Stephen Frost <sfrost@snowman.net>)
Responses Re: SSPI authentication
List pgsql-hackers
Stephen Frost wrote:
> * Magnus Hagander (magnus@hagander.net) wrote:
>> I've set it up as a different way of doing GSSAPI authentication. This
>> means that if you can't have both SSPI and MIT KRB GSSAPI in the same
>> installation. I don't see a problem with this - 99.9% of windows users
>> will just want the SSPI version anyway. But I figured I'd throw it out
>> here to see if there are any objections to this?
> 
> I'm not quite sure if that would affect what we do but it sounds like it
> might.   The main thing we use on the clients wrt Postgres is the ODBC
> driver but I've used psql once or twice and have been trying to get
> people to learn it.

ODBC driver should work with it - I don't know exactly how they plug
into libpqs auth, but IIRC they do some stuff to make that work.

Note that I'm only talking about being mutually exclusiv ewith MIT KRB
GSSAPI, not with MIT KRB in "krb5" mode. Though I very much want to
deprecate the "native kerberos" auth in favor of GSSAPI as soon as
possible for several reasons, so I'd suggest you don't use that once you
go to 8.3 ;-)


> We've got SSPI which is used for the Windows domain (and only the windows
> resources) and then MIT Krb5 GSSAPI for the Unix resources.  While
> cross-realm is a nice idea it's less than easy to get going, especially
> with even a half-way secure key (I'm not exactly a big fan of
> arc/rc4...).

I have my Unix machines in the Active Directory, so there's no cross
realm. It works fine.
And if you don't trust the key, put it over SSL? ;-) If you use SSL,
GSSAPI packets actually go through the SSL tunnel, unlike krb5 auth.


> Additionally, it seems likely to me that there will be cases when people
> running Windows don't *want* to set up an Active Directory for their
> Windows machines but want to use Kerberos to auth to certain resources
> (perhaps a campus environment where student systems aren't joined to an
> AD domain?).  Would that be possible with this?  I havn't done much w/
> SSPI so I'm not sure how deeply that's tied into things like that.

Yes, there's still support for doing GSSAPI with MIT KRB5. It's just
that you have to use it *instead* of SSPI. So a rebuild is necessary.

But - IIRC, you can just join your windows machine to your unix kerberos
realm and be done with it - SSPI APIs should work fine in that case.

//Magnus


pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: SSPI authentication
Next
From: Andrew Sullivan
Date:
Subject: Re: bit string functions