Re: BUG #9337: SSPI/GSSAPI with mismatched user names - Mailing list pgsql-bugs

From Brian Crowell
Subject Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date
Msg-id CAAQkdDrAn2znaGvBLE9BGYc=Yqz1VhW2=_ERndAHZAdgxQrUyg@mail.gmail.com
Whole thread Raw
In response to Re: BUG #9337: SSPI/GSSAPI with mismatched user names  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: BUG #9337: SSPI/GSSAPI with mismatched user names
List pgsql-bugs
On Mon, Feb 24, 2014 at 3:40 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> If it's possible to get a name out of a ticket without contacting a
> realm server, I think what you're talking about would likely be all right.
> IIUC this approach would also save one round trip to the client to get
> the ticket once we've decided to use SSPI auth, so that seems like a
> potential benefit independently of where the username is coming from.

Well, for starters, it turns out I'm wrong about the principal. Only
the target principal (that of the Postgres server) is in clear text.
The source principal (my user name) is in the encrypted part of the
request, so that can _only_ be decrypted by the server. However, if I
remember right, the server will be in direct possession of the
decryption key (IIRC, its own password), and therefore should be able
to determine the user name without contacting a third server.

This will require more research.


> One question worth asking is whether exposing the ticket in the startup
> packet is problematic if the startup packet is unencrypted and can be
> snooped by third parties.

Kerberos takes care of encryption of the ticket. It's really just the
same mechanism that's already in place, and with the same encryption,
just pushed to Postgres instead of Postgres asking for it.

MD5 passwords, on the other hand, have to wait for a salt from the
server before they can be sent, so they can't take advantage of this
shortcut.

--Brian

pgsql-bugs by date:

Previous
From: Tom Lane
Date:
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Next
From: Tom Lane
Date:
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names