[Nsspampgsql-devel] Bug#550332: Bug#550332: libnss-pgsql2: Need possibility to authenticate pgsql user via Kerberos
Denis Feklushkin
denis.feklushkin at gmail.com
Sat Oct 10 13:55:42 UTC 2009
On Sat, 10 Oct 2009 14:35:40 +0100
Stephen Gran <sgran at debian.org> wrote:
>
> > > This will be a severe boot strap problem - you'll need to be
> > > logged in to run kinit to verify who you are before you can log
> > > in.
> >
> > What about use a separate keytab-file specially for nss-pgsql,
> > readable for all users, with 444 permissions?
>
> That's not my understanding of how kerberos works. You have a keytab
> per user or service, and receive principals for access to services.
> It's not really clear to me how you would have a shared keytab for all
> users. It's also not clear to me that you can have a user access the
> database as another user with kerberos - one of the points of
> kerberos, after all, is to prove your identity.
>
I think we are talking about different things.
I propose authenticating through Kerberos the dbuser who is described
in /etc/nss-pgsql.conf.
Users currently don't have access to the file /etc/nss-pgsql.conf with
passwords, and everything works; I think access to the keytab file is
also needed only for root.
> > > This software is basically dead upstream as far as I can tell,
> >
> > :( Very strange, I thought that this was one of the most used server
> > software packages.
>
> Postgres yes, libnss-pgsql no.
Has everyone moved to LDAP?
>
> > > and I seem to be the only one looking after it in Debian at the
> > > moment. I think that kerberos isn't suited for this, unless you
> > > can convince me otherwise, so I'm not likely to spend any time on
> > > this problem. If you can show me I'm misunderstanding how the
> > > process can work, I'll be happy to look at how hard it would be
> > > to add support.
> >
> > Kerberos is suitable, in principle, for authenticating all users,
> > servers or services. It has a great advantage: it also
> > automatically ensures that the server is not a fake. The same
> > guarantee is given by an SSL certificate, but using them is not
> > convenient in comparison with Kerberos (they must be specifically
> > generated and signed).
>
> I don't think I'm managing to communicate the problem here. Let me
> try to restate the problem I see.
>
> On login, the login program will attempt to resolve your name to a
> numeric uid (so that the running process can suid to your uid). This
> resolution will invoke the code in libnss-pgsql _before the user has
> logged in_. If access to the database is kerberos based, it cannot
> access the database at this point, since it won't have a principal in
> the user's keytab. Am I missing something?
Yes, we are talking about different things. See above.
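The scheme Denis describes, as an added illustration that is not code from this thread or from libnss-pgsql: a root-only keytab holds the key of the service principal that the configured dbuser uses, a privileged refresh step turns it into a ticket cache with kinit, and libpq then authenticates to PostgreSQL over GSSAPI from that cache. The keytab path, principal name, realm, cache path, host, database and dbuser name are all assumptions; the permission check enforces the "root only, not 444" point made above. Whatever process ends up performing the NSS lookup still needs read access to the ticket cache, just as it needs the connection string today.

```sh
#!/bin/sh
# Hypothetical helper for a keytab-backed nss-pgsql dbuser (example only;
# every path and principal below is an assumption, not project config).

KEYTAB="${NSS_PGSQL_KEYTAB:-/etc/nss-pgsql.keytab}"
PRINCIPAL="${NSS_PGSQL_PRINCIPAL:-nss-pgsql/db-client.example.com@EXAMPLE.COM}"
CCACHE="${NSS_PGSQL_CCACHE:-/var/run/nss-pgsql/krb5cc}"
CONNINFO="${NSS_PGSQL_CONNINFO:-host=db.example.com dbname=accounts user=nss-pgsql krbsrvname=postgres}"

# keytab_mode_ok FILE
# Returns 0 when FILE is readable by its owner only (no group/other bits),
# 1 when it is missing or shared; a 444 keytab hands the service key to
# every local user, which is the objection raised in the thread.
keytab_mode_ok() {
    perm=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    [ -n "$perm" ] || return 1
    case "$perm" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# refresh_credentials
# Runs as root (the only user able to read the keytab) and writes a ticket
# cache for the service principal. kinit's -k/-t/-c flags are MIT Kerberos.
refresh_credentials() {
    keytab_mode_ok "$KEYTAB" || {
        echo "refusing $KEYTAB: readable by group or others" >&2
        return 1
    }
    kinit -k -t "$KEYTAB" -c "FILE:$CCACHE" "$PRINCIPAL"
}

# check_connection
# Authenticates as the configured dbuser over GSSAPI; this works whether or
# not the person being looked up has logged in, because the credential is
# the service's, not theirs. Requires pg_hba.conf to allow "gss" for this
# dbuser on the server side.
check_connection() {
    KRB5CCNAME="FILE:$CCACHE" psql "$CONNINFO" -Atc 'SELECT 1'
}

# Only run the network steps when explicitly asked, so the file can be
# sourced for its functions.
if [ "${NSS_PGSQL_DEMO_RUN:-0}" = 1 ]; then
    refresh_credentials && check_connection
fi
```

Run it as root with NSS_PGSQL_DEMO_RUN=1 to refresh the cache and perform a test query; a refresh from cron or a keep-alive such as k5start would keep the cache valid for lookups.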