Date: Sat, 2 Jan 2021 10:59:47 -0500
From: Stephen Frost
To: Dave Page
Cc: Khushboo Vashi, pgadmin-hackers
Subject: Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1
Message-ID: <20210102155947.GQ27507@tamriel.snowman.net>
References: <20210102154130.GO27507@tamriel.snowman.net>

Greetings Dave!
* Dave Page (dpage@pgadmin.org) wrote:
> On Sat, 2 Jan 2021 at 15:41, Stephen Frost wrote:
> > * Khushboo Vashi (khushboo.vashi@enterprisedb.com) wrote:
> > > Please find the attached patch to support Kerberos Authentication in
> > > pgAdmin RM 5457.
> > >
> > > The patch introduces a new pluggable option for Kerberos authentication,
> > > using SPNEGO to forward kerberos tickets through a browser which will
> > > bypass the login page entirely if the Kerberos Authentication succeeds.
> >
> > I've taken a (very short) look at this as it's certainly something that
> > I'm interested in and glad to see work is being done on it.
> >
> > I notice that 'delegated_creds' is being set but it's unclear to me how
> > they're actually being used (if at all), which is a very important part
> > of Kerberos.
> >
> > What's commonly done with mod_auth_kerb/mod_auth_gss is that the
> > delegated credentials are stored on the filesystem in a temporary
> > directory and then an environment variable is set to signal to libpq /
> > the Kerberos libraries that the delegated credentials can be found in
> > the temporary file. I don't see any of that happening in this patch- is
> > that already handled in some way? If not, what's the plan for making
> > that work? Also important is to make sure that this approach will work
> > for constrained delegation implementations.
>
> Phase 1 of this project (which this patch aims to implement) is to handle
> Kerberos logins to pgAdmin when running in server mode (as we've already
> done for LDAP, except KRB authenticated users don't see a login page of
> course). Phase 2 will add support for logging into the PostgreSQL servers -
> I believe that is where we'll need to handle delegated credentials, correct?
Yes, though I sure hope there isn't a plan to release just 'phase 1' since
that would imply that the user is still sending their password to pgAdmin
in some form that pgAdmin then turns around and impersonates the user,
basically completely against how Kerberos auth should be working in this
kind of an intermediate service arrangement. In other words, if just
'phase 1' is released, it'd probably be CVE worthy right out of the gate...

Thanks,

Stephen
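The per-session credential cache handoff Stephen describes for mod_auth_kerb/mod_auth_gss (delegated credentials written to a private temporary file, KRB5CCNAME pointing libpq's Kerberos library at it), as an added Python sketch that is not part of the patch or of pgAdmin's code. The credential bytes are constructed, and the GSSAPI call that would produce them after the SPNEGO exchange is assumed rather than shown.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# Constructed stand-in for the bytes a GSSAPI layer hands back as delegated
# credentials; in a real deployment they come from the SPNEGO exchange, never
# from a password the user typed into pgAdmin.
CONSTRUCTED_DELEGATED_CREDS = b"\x05\x04\x00\x0c\x00\x01\x00\x08\xff\xff\xff\xff"


def stage_delegated_ccache(creds, parent_dir):
    """Write delegated creds to a private per-session cache file and return
    (path, env), where env carries KRB5CCNAME for libpq / krb5 to pick up.
    The connection-level env is a copy; the server process env is untouched."""
    # mkstemp creates the file 0600 with O_EXCL, so another local user can
    # neither pre-create it nor read the ticket once written.
    fd, path = tempfile.mkstemp(prefix="krb5cc_pgadmin_", dir=parent_dir)
    try:
        os.write(fd, creds)
    finally:
        os.close(fd)
    env = dict(os.environ)
    env["KRB5CCNAME"] = "FILE:" + path
    return path, env


def ccache_is_private(path):
    """True if the cache is a regular file with no group/other permission bits."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


@contextmanager
def delegated_session(creds, parent_dir):
    """Scope the cache to one pgAdmin session: connections opened inside the
    block inherit KRB5CCNAME; the file is removed when the session ends."""
    path, env = stage_delegated_ccache(creds, parent_dir)
    try:
        yield path, env
    finally:
        if os.path.exists(path):
            os.unlink(path)


def run_demo(parent_dir=None):
    """Stage the constructed creds, record what a connection would see, clean up."""
    parent_dir = parent_dir or tempfile.mkdtemp(prefix="pgadmin_sess_")
    with delegated_session(CONSTRUCTED_DELEGATED_CREDS, parent_dir) as (path, env):
        with open(path, "rb") as fh:
            on_disk = fh.read()
        seen = {"ccname": env["KRB5CCNAME"], "private": ccache_is_private(path),
                "bytes_match": on_disk == CONSTRUCTED_DELEGATED_CREDS,
                "process_env_untouched": os.environ.get("KRB5CCNAME") != env["KRB5CCNAME"]}
    seen["removed_after_session"] = not os.path.exists(path)
    return seen
```

A real phase-2 implementation would hand `env` to the libpq connection for that session only, and would still need the constrained-delegation case (S4U2Proxy) checked separately, since the KDC rather than the browser then decides whether a ticket for the PostgreSQL service may be obtained.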