
Re: SSPI authentication - patch

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: pgsql-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: SSPI authentication - patch
Date: 2007-07-20 07:21:14
Message-ID: 20070720072114.GA22622@svr2.hagander.net
Lists: pgsql-patches
On Thu, Jul 19, 2007 at 06:22:57PM -0400, Stephen Frost wrote:
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> > Here's an updated version of this patch. This version has full SSPI support
> > in the server as well, so I can do both kerberos and NTLM between two
> > windows machines using the negotiate method.
> 
> Great!  Also, I've tested that it works under Windows using
> PGGSSLIB=gssapi with the MIT GSS libraries.  I did have to set the
> PGKRBSRVNAME to 'postgres'.  It worked excellently. :)

Thanks!


> > Since SSPI and GSSAPI can now both be used, my plan is not to have an
> > autoconf to disable SSPI, but to just enable it unconditionally on win32.
> > Or does this seem like a bad idea?
> 
> My thinking would be to have the autoconf to disable it, but enable it
> by default.  I don't feel particularly strongly about it though.

Do you see a use-case where someone would disable it? I'll be happy to add
the switch if you do, it's not hard to do, but adding a switch just for the
sake of adding a switch is not something I like :-)

> 
> > Comments welcome.
> 
> It looks good in general to me (though I'm not super-familiar with
> SSPI).  My one big concern is this:
> 
> >   /* Define to the name of the default PostgreSQL service principal in Kerberos.
> >      (--with-krb-srvnam=NAME) */
> > ! #define PG_KRB_SRVNAM "postgres"
> >   
> >   /* A string containing the version number, platform, and C compiler */
> >   #define PG_VERSION_STR "Uninitialized version string (win32)"
> > --- 582,588 ----
> >   
> >   /* Define to the name of the default PostgreSQL service principal in Kerberos.
> >      (--with-krb-srvnam=NAME) */
> > ! #define PG_KRB_SRVNAM "POSTGRES"
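Review bot: the `PG_KRB_SRVNAM` default switch from "postgres" to "POSTGRES" in this hunk changes a value that the existing krb5/GSSAPI client code also consumes, not only the new SSPI path, so clients built against this header will request an uppercase service principal and stop matching keytabs provisioned under the old lowercase default on a case-sensitive KDC. Since the patch is titled as SSPI support, carry this default change as its own patch with its own justification (Active Directory requiring uppercase SPNs), and state in the accompanying documentation that users of a non-AD KDC must keep the old name via `--with-krb-srvnam=postgres` at build time or `PGKRBSRVNAME=postgres` on the client.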
> 
> I understand that SSPI is case-insensitive, or folds to uppercase, or
> whatever, but this is *not* used only by the SSPI code.  Please correct
> me if I'm wrong, but this will break existing krb-auth using client
> applications/setups that went with the previous default, no?  I realize
> it's on Windows, but there are people out there with that
> configuration (yes, like me... :)...

Ok, first to clarify the facts:
* SSPI is case-insensitive, case-preserving
* The problem is not from SSPI. It's Active Directory. If you use AD as the
KDC, you must use uppercase SPNs - regardless of SSPI. For example, it's
needed for anybody wanting to use the old krb5 auth in 8.x together with
Active Directory - like I do :-)

The change is there because the majority of Windows installs will
be using Active Directory, at least that's what I would expect. Certainly
not all, but most. It's a way of lowering the bar for the majority, at the
expense of the minority ;-)

That said, I actually intended to submit that as a separate patch for
separate discussion. If people are against it, I'll be happy to drop that
part.


> I don't particularly like it but, honestly, it seems like it might be
> better to set it based on what's being used (GSSAPI/SSPI/KRB5)?  This
> would be for the client-side, as I guess we've decided it's okay to just
> pick whatever keytab the users provide that's in our server-side
> keytab.

Again, it's not related to the library used, it's related to the KDC. And
we can't detect that, at least not early enough.

//Magnus
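As an added illustration of the compatibility question raised in this thread (this is not code from the patch or from PostgreSQL), the following Python model shows how a client-derived service principal is matched against a server keytab under the two KDC behaviours the thread describes. It assumes a KDC that compares principal names exactly and case-sensitively (MIT Kerberos) versus one that folds case (Active Directory, as reached through SSPI), that the client takes its service name from `PGKRBSRVNAME` and otherwise falls back to the compiled-in `PG_KRB_SRVNAM` default, and the hostnames, realm and keytab entries are constructed sample values.

```python
import os
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A Kerberos service principal of the form service/host@REALM."""
    service: str
    host: str
    realm: str

    def folded(self) -> "Principal":
        # Case-insensitive view, modelling how Active Directory/SSPI compares SPNs.
        return Principal(self.service.lower(), self.host.lower(), self.realm.lower())


def parse_principal(text: str) -> Principal:
    """Parse 'service/host@REALM'; reject entries missing a host or realm."""
    name, at, realm = text.partition("@")
    if not at or not realm:
        raise ValueError(f"principal has no realm: {text!r}")
    service, slash, host = name.partition("/")
    if not slash or not host or not service:
        raise ValueError(f"principal is not service/host form: {text!r}")
    return Principal(service, host, realm)


def client_principal(host: str, realm: str, compiled_default: str,
                     env: Optional[Mapping[str, str]] = None) -> Principal:
    """Principal the client requests: PGKRBSRVNAME overrides PG_KRB_SRVNAM (assumed behaviour)."""
    env = os.environ if env is None else env
    return Principal(env.get("PGKRBSRVNAME", compiled_default), host, realm)


def principals_match(requested: Principal, keytab_entry: Principal, kdc: str) -> bool:
    """kdc='mit': exact, case-sensitive match. kdc='ad': case-insensitive match."""
    if kdc == "mit":
        return requested == keytab_entry
    if kdc == "ad":
        return requested.folded() == keytab_entry.folded()
    raise ValueError(f"unknown KDC model: {kdc!r}")


def check_default_change(keytab: Iterable[str], host: str, realm: str,
                         old_default: str, new_default: str, kdc: str,
                         env: Optional[Mapping[str, str]] = None) -> Tuple[bool, bool]:
    """Return (auth matched with old default, auth matches with new default)
    for a server whose keytab holds the given principals."""
    entries = [parse_principal(e) for e in keytab]

    def works(default: str) -> bool:
        wanted = client_principal(host, realm, default, env)
        return any(principals_match(wanted, e, kdc) for e in entries)

    return works(old_default), works(new_default)


if __name__ == "__main__":
    # Constructed sample: a server keytab provisioned under the old lowercase default.
    keytab = ["postgres/db1.example.com@EXAMPLE.COM"]
    for kdc in ("mit", "ad"):
        before, after = check_default_change(
            keytab, "db1.example.com", "EXAMPLE.COM", "postgres", "POSTGRES", kdc, env={})
        print(f"{kdc}: worked before={before}, works after={after}")
    # Client-side override keeps the MIT setup working without rebuilding.
    print("mit with PGKRBSRVNAME=postgres:",
          check_default_change(keytab, "db1.example.com", "EXAMPLE.COM",
                               "postgres", "POSTGRES", "mit", env={"PGKRBSRVNAME": "postgres"}))
```

Running it shows the asymmetry the thread is about: against an AD-style KDC both defaults match, while against a case-sensitive KDC only the old default matches unless the client sets `PGKRBSRVNAME`.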
