Postgres Pro
Downloads
Home   >   mailing lists

Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting? - Mailing list pgsql-admin

From Tim Watts
Subject Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Date
Msg-id 51502949.6000903@kcl.ac.uk
Whole thread Raw
In response to Postgresql 8.4 GSSAPI auth with fallback to password prompting?  (Tim Watts <tim.j.watts@kcl.ac.uk>)
Responses Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?  (Stephen Frost <sfrost@snowman.net>)
List pgsql-admin
Tree view 
On 24/03/13 18:47, Stephen Frost wrote:
> Tim,
>
> * Tim Watts (tim.j.watts@kcl.ac.uk) wrote:
>> Is it possible to specify GSSAPI auth (with MIT kerberos as the
>> backend) but get Postgresql to fallback to prompting for a password
>> if a kerberos ticket cannot be supplied by the client - eg because
>> the client cannot do GSSAPI or because the client is not part of the
>> kerberos realm?
>
> You're right- it's a 'no'.  It would also really degrade the security
> which you get with Kerberos as you'd undoubtably end up with clients
> storing those passwords and using them routinely instead of using
> Kerberos.
>
>     Thanks,
>
>         Stephen
>

Thank you Stephen, for confirming that.

I would have to respectfully take another point of view: that that
particular judgement is probably better placed with the sysadmin rather
than a blanket decision by the devs.

Reason: Whilst the argument is solid in an ideal world (all clients are
part of the kerberos realm), in reality it means that I cannot gain
partial security improvements and I have to leave it running with PAM
auth which ensures that passwords are chucked around 100% of the time.

My solution regarding scripts is that those *MUST* have a separate user
account that is a member of "role_apps" and uses Postgresql local
authentication. Those are expect to have passwords in config files, so
the domain of attack is limited of the password leaks (one database is
at risk typically).

I definitely do not want user account passwords in config files.

But it would be nice to be able to use kerberos tickets *where
available* and fallback to password-interactive login where not. On
about about 50% of the connections (those where a dev has ssh-ed into a
server that is kerberized) they would not need to retype passwords, so
the temptation to stuff them into .pgpass files would be much reduced :)

Cheers :)

Tim

--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog:                         http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

pgsql-admin by date:

Previous
From: Andrzej Zawadzki
Date:
Subject: Re: Problem with data migration from 9.1 to 9.2
Next
From: Stephen Frost
Date:
Subject: Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?