[Nsspampgsql-devel] Bug#550332: Bug#550332: libnss-pgsql2: Need possibility to authenticate pgsql user via Kerberos

Stephen Gran sgran at debian.org
Sat Oct 10 12:13:42 UTC 2009


This one time, at band camp, Denis Feklushkin said:
> Need possibility to authenticate pgsql user via Kerberos.
> 
> Currently an option for passing the path to a Kerberos keytab file doesn't
> exist, and before starting to use nss-pgsql2, root needs to execute the
> Kerberos command kinit on the host where nss-pgsql2 is installed.
> 
> (Perhaps this is not a problem in the libnss-pgsql2 package, but I could
> not determine where it is; maybe in libpq5?)

I can't imagine that relying on Kerberos for NSS is going to work well
for you.  NSS resolution happens in the context of the user running the
process, so each user will need a keytab to access the database before
name resolution will work for them.  This will be a severe bootstrap
problem - you'll need to be logged in to run kinit to verify who you are
before you can log in.

This software is basically dead upstream as far as I can tell, and I
seem to be the only one looking after it in Debian at the moment.  I
think that Kerberos isn't suited for this, unless you can convince me
otherwise, so I'm not likely to spend any time on this problem.  If you
can show me I'm misunderstanding how the process can work, I'll be happy
to look at how hard it would be to add support.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------