Date: Sat, 2 Jan 2021 10:41:30 -0500
From: Stephen Frost
To: Khushboo Vashi
Cc: pgadmin-hackers
Subject: Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1
Message-ID: <20210102154130.GO27507@tamriel.snowman.net>

Greetings,

* Khushboo Vashi (khushboo.vashi@enterprisedb.com) wrote:
> Please find the attached patch to support Kerberos Authentication in
> pgAdmin RM 5457.
>
> The patch introduces a new pluggable option for Kerberos authentication,
> using SPNEGO to forward Kerberos tickets through a browser which will
> bypass the login page entirely if the Kerberos Authentication succeeds.

I've taken a (very short) look at this as it's certainly something that I'm interested in and glad to see work is being done on it.

I notice that 'delegated_creds' is being set but it's unclear to me how they're actually being used (if at all), which is a very important part of Kerberos. What's commonly done with mod_auth_kerb/mod_auth_gss is that the delegated credentials are stored on the filesystem in a temporary directory and then an environment variable is set to signal to libpq / the Kerberos libraries that the delegated credentials can be found in the temporary file. I don't see any of that happening in this patch - is that already handled in some way? If not, what's the plan for making that work?

Also important is to make sure that this approach will work for constrained delegation implementations.

Thanks!

Stephen
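The temporary-ccache-plus-environment-variable pattern Stephen describes above (what mod_auth_kerb/mod_auth_gss do with delegated credentials), shown as an added illustration that is not part of this thread, of pgAdmin, or of mod_auth_kerb. It assumes the environment variable is KRB5CCNAME, the standard name MIT and Heimdal Kerberos (and therefore libpq) consult to find a credential cache; the function names are hypothetical and the credential bytes are a constructed stand-in, not a real Kerberos ccache. The point it adds beyond the prose is the least-privilege handling of the file: a private per-session directory, O_EXCL creation at mode 0600, and removal when the session ends.

```python
import os
import stat
import tempfile
from typing import Optional, Tuple, Dict

# Constructed stand-in for the bytes a GSSAPI/SPNEGO exchange would hand back
# as delegated credentials. In a real deployment these come from the security
# context; this blob is NOT a real Kerberos credential cache.
CONSTRUCTED_DELEGATED_CREDS = b"CONSTRUCTED-CCACHE-BLOB-FOR-ILLUSTRATION"


def store_delegated_creds(creds: bytes,
                          base_dir: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Write delegated credentials to a private per-session ccache file.

    Returns (ccache_path, env), where env is a copy of the current environment
    with KRB5CCNAME pointing at the file, ready to hand to a libpq connection.
    (Hypothetical helper; not pgAdmin code.)
    """
    # mkdtemp creates the directory with mode 0700, so other local users
    # cannot list it or open the cache inside it.
    session_dir = tempfile.mkdtemp(prefix="pgadmin_krb5_", dir=base_dir)
    ccache_path = os.path.join(session_dir, "ccache")
    # O_EXCL refuses to follow a pre-planted symlink or reuse an existing
    # file; 0o600 keeps the ticket readable only by the server process owner.
    fd = os.open(ccache_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(creds)
    except Exception:
        # Never leave a half-written credential file behind.
        os.unlink(ccache_path)
        os.rmdir(session_dir)
        raise
    env = dict(os.environ)
    # "FILE:" is the ccache type prefix the Kerberos libraries understand.
    env["KRB5CCNAME"] = "FILE:" + ccache_path
    return ccache_path, env


def ccache_is_private(path: str) -> bool:
    """True if the cache is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def read_ccache(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def ccache_exists(path: str) -> bool:
    return os.path.exists(path)


def discard_delegated_creds(path: str) -> None:
    """Remove the ccache and its directory when the browser session ends,
    so delegated tickets do not outlive the session that produced them."""
    try:
        os.unlink(path)
    finally:
        try:
            os.rmdir(os.path.dirname(path))
        except OSError:
            pass


if __name__ == "__main__":
    path, env = store_delegated_creds(CONSTRUCTED_DELEGATED_CREDS)
    print(env["KRB5CCNAME"], ccache_is_private(path))
    discard_delegated_creds(path)
```

One caveat worth keeping in mind when mapping this onto a web server rather than an Apache module: an environment variable is process-wide, so in a multi-user server process a per-request KRB5CCNAME has to be set immediately around the connection attempt (or connections made from per-user workers), otherwise one user's delegated ticket can be picked up by another user's connection.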