Skip site navigation (1) Skip section navigation (2)

Re: GSSAPI/KRB5 and JDBC (again)

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Koczan <pjkoczan(at)gmail(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: GSSAPI/KRB5 and JDBC (again)
Date: 2008-07-25 22:20:21
Message-ID: 20080725222021.GE16005@tamriel.snowman.net (view raw or flat)
Thread:
Lists: pgsql-jdbc
* Peter Koczan (pjkoczan(at)gmail(dot)com) wrote:
> On Thu, Jul 24, 2008 at 7:50 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > So you know, that generally means "wrong password".  Have you tried
> > kinit'ing first?  Is it prompting you for a password?
> 
> I tried kinit, and it didn't work, but putting my real Kerberos
> password in the password field worked. It looks like it's trying to
> get a new set of credentials/tickets when authenticating, instead of
> using stashed or readily available credentials.

Ah, yes, I have some recollection of that.  I forget how, exactly, but I
thought that I found a way around that.

> This is better than nothing, but it would be very nice to not force
> users to specify a password when connecting. It kinda defeats the
> purpose of a single-sign-on authentication system, and I'd really
> prefer not having users put their password in plaintext files, as it
> seems rather insecure. At the very least, the password should be able
> to be obscured or encrypted somehow in the connection, but even this
> is less than ideal.

I agree 110%.  It really needs to use the existing credentials, though
it's nice that this shows the basic capability working.

> Is there any way to tell JDBC to use available KRB5/GSSAPI credentials?

I'll try to find some time to test my setup again and see if I can find
a way to do that.  Of course, part of the problem here will end up being
silly applications that insist on being given a username and password.
It'd be nice if those could be left blank, but even so, users will end
up being annoyed by it. :(  My primary JDBC app at the moment is uDig,
in case anyone's listening. ;)

> > I'm *really* anxious to have GSSAPI support in JDBC and fully
> > supported..  I've got it working in a test rig, but I need it working
> > under Linux and Windows for a number of clients and I havn't had time to
> > make sure all the issues are worked through. :/
> 
> Me too. Now I just have to get SSL working, too.

Please update us on how that goes. :)

	Thanks,

		Stephen

In response to

pgsql-jdbc by date

Next:From: Feng KelvinDate: 2008-07-28 02:45:50
Subject: New to pgsql-jdbc
Previous:From: Peter KoczanDate: 2008-07-25 17:40:43
Subject: Re: GSSAPI/KRB5 and JDBC (again)

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group