Re: SSPI authentication - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: SSPI authentication
Date
Msg-id 469BBA1F.7020804@hagander.net
In response to Re: SSPI authentication  (Stephen Frost <sfrost@snowman.net>)
Responses Re: SSPI authentication  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Stephen Frost wrote:
> * Magnus Hagander (magnus@hagander.net) wrote:
>> I've set it up as a different way of doing GSSAPI authentication. This
>> means that if you can't have both SSPI and MIT KRB GSSAPI in the same
>> installation. I don't see a problem with this - 99.9% of windows users
>> will just want the SSPI version anyway. But I figured I'd throw it out
>> here to see if there are any objections to this?
> 
> I'm not quite sure if that would affect what we do but it sounds like it
> might.   The main thing we use on the clients wrt Postgres is the ODBC
> driver but I've used psql once or twice and have been trying to get
> people to learn it.

ODBC driver should work with it - I don't know exactly how they plug
into libpq's auth, but IIRC they do some stuff to make that work.

Note that I'm only talking about being mutually exclusive with MIT KRB
GSSAPI, not with MIT KRB in "krb5" mode. Though I very much want to
deprecate the "native kerberos" auth in favor of GSSAPI as soon as
possible for several reasons, so I'd suggest you don't use that once you
go to 8.3 ;-)


> We've got SSPI which is used for the Windows domain (and only the windows
> resources) and then MIT Krb5 GSSAPI for the Unix resources.  While
> cross-realm is a nice idea it's less than easy to get going, especially
> with even a half-way secure key (I'm not exactly a big fan of
> arc/rc4...).

I have my Unix machines in the Active Directory, so there's no cross
realm. It works fine.
And if you don't trust the key, put it over SSL? ;-) If you use SSL,
GSSAPI packets actually go through the SSL tunnel, unlike krb5 auth.


> Additionally, it seems likely to me that there will be cases when people
> running Windows don't *want* to set up an Active Directory for their
> Windows machines but want to use Kerberos to auth to certain resources
> (perhaps a campus environment where student systems aren't joined to an
> AD domain?).  Would that be possible with this?  I haven't done much w/
> SSPI so I'm not sure how deeply that's tied into things like that.

Yes, there's still support for doing GSSAPI with MIT KRB5. It's just
that you have to use it *instead* of SSPI. So a rebuild is necessary.

But - IIRC, you can just join your windows machine to your unix kerberos
realm and be done with it - SSPI APIs should work fine in that case.

//Magnus
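The point Magnus makes about the GSSAPI exchange travelling inside the SSL tunnel can be enforced on the server side from pg_hba.conf. The fragment below is an added example, not configuration from the thread or from the PostgreSQL project; the database, user and address values are placeholders, and it assumes a server built with GSSAPI support (or SSPI on Windows, where the method name is `sspi`).

```text
# pg_hba.conf (added example, not from the thread; database, user and
# subnet values are placeholders)
#
# TYPE       DATABASE   USER   ADDRESS          METHOD
#
# Accept the GSSAPI authentication exchange only on SSL connections, so
# the ticket exchange is carried inside the SSL tunnel. On a Windows
# server built for SSPI, use "sspi" in place of "gss" here.
hostssl      all        all    10.0.0.0/8       gss
#
# Refuse non-SSL connections from the same network outright rather than
# letting them fall back to another method.
hostnossl    all        all    10.0.0.0/8       reject
```

Because the `hostssl` record only matches SSL connections, a client that does not negotiate SSL never reaches the `gss` line and is caught by the `hostnossl ... reject` record instead, which keeps the choice of transport from being decided by the client.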

