Re: Postgres 8.1.x and MIT Kerberos 5

* Magnus Hagander (mha@sollentuna.net) wrote:

The *REALM* is not checked, however. This can cause problems if you have
a multi-realm system (where the realms already trust each other, because
the KDC has to give out the service ticket) where you have the same
username existing in multiple realms representing different users.

This brings up the issue again that it'd be nice to be able to have what
amounts to a '.k5login' in PostgreSQL somehow. Ideally, this would be
something an idividual user could set up but at good first step would be
to have something along the lines of pg_ident.conf for Kerberos
connections where the admin could implement a mapping.

We should probably also have a configurable option to check the realm or
to not check the realm. I'd like to look into doing this for 8.2 but,
as usual, I'm not sure I'll have time. Anyone else looking into this?

Thanks,

Stephen

The *REALM* is not checked, however. This can cause problems if you
have a multi-realm system (where the realms already trust

each other,

because the KDC has to give out the service ticket) where

you have the

same username existing in multiple realms representing

different users.

This brings up the issue again that it'd be nice to be able
to have what amounts to a '.k5login' in PostgreSQL somehow.
Ideally, this would be something an idividual user could set
up but at good first step would be to have something along
the lines of pg_ident.conf for Kerberos connections where the
admin could implement a mapping.

We should probably also have a configurable option to check
the realm or to not check the realm. I'd like to look into
doing this for 8.2 but, as usual, I'm not sure I'll have
time. Anyone else looking into this?

They're both on my personal TODO (not .k5login, but a
pg_ident-kind-of-mapping), but with the same disclaimer as you - I don't
know if I'll have enough time.

//Magnus

Hello Magnus,

Regarding the configure issue:
The platform is Tru64 Unix 5.1b, the problem I had was we have
compiled our Kerberos build statically and is installed in a
directory other than the standard location. The trick adding to LIBS
did not work as it (krb5support) library needs to come after the
other libs (is there a way to control that?).

As far as the security issue with Kerberos, here is the relevant thread

http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.html

I am sorry it was in Kerberos mailing list not Postgres.

Hello Magnus,

Regarding the configure issue:
The platform is Tru64 Unix 5.1b, the problem I had was we
have compiled our Kerberos build statically and is installed
in a directory other than the standard location. The trick
adding to LIBS did not work as it (krb5support) library needs
to come after the other libs (is there a way to control that?).

Ok. Someone more autoconfy than me will have to say something about that
:-)

As far as the security issue with Kerberos, here is the
relevant thread

http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.
html
<http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.html&gt;

I am sorry it was in Kerberos mailing list not Postgres.

Ah, that explains me not seeing it.

If you need protection against mitm and connection security, you should
use TLS. We don't use Kerberos for encryption.

//Magnus

Thanks.

As far as using TLS, it is good approach. Although, we don't need complete
channel encryption for every transaction or query. I am looking at a more
granular approach where
I can decide depending on the security of information exchange whether to
encrypt the
channel or not (like using maybe GSSAPI). Is this something that will be
considered down
the line?

Mohan

Mohan K wrote:

Regarding the configure issue:
The platform is Tru64 Unix 5.1b, the problem I had was we have
compiled our Kerberos build statically and is installed in a
directory other than the standard location. The trick adding to LIBS
did not work as it (krb5support) library needs to come after the
other libs (is there a way to control that?).

I think what this comes down to is that we don't support static builds
very well at all. So you will have to resort to editing
Makefile.global yourself after configuring.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

Peter,
It is chicken and egg problem, I still need to enable kerberos in the
configure script to make sure proper pieces are picked up. But of course
the configure script fails :).
If I provide the relevant patches to configure.in script is that acceptable?
thanks

Mohan K wrote:

Peter,
It is chicken and egg problem, I still need to enable kerberos in the
configure script to make sure proper pieces are picked up. But of course
the configure script fails :).
If I provide the relevant patches to configure.in script is that acceptable?
thanks

Probably if it isn't too ugly.

---------------------------------------------------------------------------

On 2/6/06, Peter Eisentraut <peter_e@gmx.net> wrote:

Mohan K wrote:

Regarding the configure issue:
The platform is Tru64 Unix 5.1b, the problem I had was we have
compiled our Kerberos build statically and is installed in a
directory other than the standard location. The trick adding to LIBS
did not work as it (krb5support) library needs to come after the
other libs (is there a way to control that?).

I think what this comes down to is that we don't support static builds
very well at all. So you will have to resort to editing
Makefile.global yourself after configuring.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073