From: Stephen Frost
To: Dave Page
Cc: Magnus Hagander, Khushboo Vashi, pgadmin-hackers
Subject: Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1
Date: Mon, 11 Jan 2021 11:50:11 -0500
Message-ID: <20210111165011.GP27507@tamriel.snowman.net>

Greetings,

* Dave Page (dpage@pgadmin.org) wrote:
> On Mon, Jan 11, 2021 at 1:15 PM Magnus Hagander wrote:
> > One question around that though -- when I click "save password" on a
> > database connection in pgadmin, it gets stored on the pgadmin server.
> > Isn't the key used to encrypt that derived from my password? If I'm
> > logging into pgadmin without a password (using kerberos), what would
> > that key be derived from?
>
> Also correct - and right now, the plan is to disable password saving if
> logged in using Kerberos.

Disable password *saving*, or disable password *using*?

If you're saying that, when Kerberos is enabled, users will never be prompted to provide a password because password-based auth has been disabled, then perhaps that's reasonable. I don't know how useful such a pgadmin setup would be, but at least it wouldn't be violating one of the core values that using Kerberos brings.

If you're saying that this is just disabling password *saving*, then that implies that if someone actually wants to use pgadmin to, uh, log into a PostgreSQL server which is configured for md5 or SCRAM auth or LDAP based auth, the way that'll work is that pgadmin will prompt the user for a password, which the user will provide and which will then be sent from the client to the pgadmin system in the clear, and which pgadmin will turn around and use to log into PG with, right?

It's the latter that I'm concerned with, because it just wouldn't be appropriate for a Kerberized service which is set up to use Kerberos to then prompt the user for a password.

In any case, I have a really hard time seeing this as being something that it'd be good for the pgAdmin team to publish as "we now have Kerberos support!" because, either way, it doesn't seem like it would be usable in a secure manner in a Kerberized environment.

Once "phase 2" is done (which hopefully will include both traditional credential delegating and constrained delegation support...), then it'll be a game changer imv and something that everyone should be shouting from the rooftops about and I'll be right there cheering it on too..

Thanks,

Stephen