On Tue, Feb 25, 2014 at 11:07 AM, Stephen Frost <sfrost@snowman.net> wrote:
> I've not gone back to look at why we added multi-realm support, but I
> wonder if it might have specifically been to allow a PG server to be in
> both an AD realm and a Unix realm at the same time, without a cross
> realm trust between the two (which was problematic until AD got AES
> support since the only compatible encryption was quite weak).
What a wacky world :P
> On the other hand, Magnus removing the krb5 auth method also removed
> krb_server_hostname.. I'll ask him about that because we should
> probably make that available under 'gss' or we may end up leaving some
> of our users out in the cold when 9.4 comes out and that'd be quite
> unfortuante.
I'd be interested in why the principal needs to be specified ahead of
time, since it arrives in the ticket. Is it a limitation of the
Kerberos APIs? Or maybe it's to prevent using a different key from the
key file?
> If we decide to allow an option where we use the 'default cred' in
> GSSAPI to also determine the PG username we are authenticating to, we'll
> want to think about how we support that in libpq and psql and consider
> what to do about the limitations of not being able to specify different
> krb_server_hostname depending on the user which is attempting to
> authenicate.
I figured this would be an optional extension, something you could
request in the initial packet. You would explicitly ask for it using
some special invocation of psql, like "psql -K" the way ssh does. As
such, if there are going to be limitations, you could just choose to
authenticate the normal way.
> No complaints here, just a word of caution that we don't want to break
> existing setups and should consider what other systems do in this regard
> to avoid surprising behavior for users who are used to SSH or other
> Kerberos-enabled systems.
Agreed. I looked around, and I thought I saw setups where you could
authenticate using "ssh -K hostname" without having to specify a user.
I couldn't find any more details on it, though, so I'd have to
research that when the time comes.
--Brian