public inbox for [email protected]
From: Dave Page <[email protected]>
To: Stephen Frost <[email protected]>
Cc: Magnus Hagander <[email protected]>
Cc: Khushboo Vashi <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1
Date: Mon, 11 Jan 2021 16:59:47 +0000
Message-ID: <CA+OCxoyF3w+3bdQpCFnMeUrSpjkyX=a1XkudGz9Ep4PQNeSmvA@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <CAFOhELdXhWMR2zS4dnH+SudN0s7LiENH+vczC0YhuifPgm+G5g@mail.gmail.com>
<[email protected]>
<CA+OCxozp+n+Mq+t=hPH1ExwT-MJbrhY0ujgkf+UoUriHo1PpGA@mail.gmail.com>
<[email protected]>
<CA+OCxoydYmasD36n7Zk5_UPh9x03-QRqF53=sYbx3-rSYxPZsQ@mail.gmail.com>
<[email protected]>
<CABUevEztMrWc9bxxDSL=1d8hCwPRu=HzM0wTLYBYoQwdQvKhzg@mail.gmail.com>
<CA+OCxoxMGiqVr1xoy6AKB0iuHiSp77ODeLJM_HFZ4fnUux+8rQ@mail.gmail.com>
<[email protected]>
On Mon, Jan 11, 2021 at 4:50 PM Stephen Frost <[email protected]> wrote:
> Greetings,
>
> * Dave Page ([email protected]) wrote:
> > On Mon, Jan 11, 2021 at 1:15 PM Magnus Hagander <[email protected]> wrote:
> > > One question around that though -- when I click "save password" on a
> > > database connection in pgadmin, it gets stored on the pgadmin server.
> > > Isn't the key used to encrypt that derived from my password? If I'm
> > > logging into pgadmin without a password (using kerberos), what would
> > > that key be derived from?
> >
> > Also correct - and right now, the plan is to disable password saving if
> > logged in using Kerberos.
>
> Disable password *saving*, or disable password *using*?
>
I'm pretty sure I wrote "saving".
>
> If you're saying that, when Kerberos is enabled, users will never be
> prompted to provide a password because password-based auth has been
> disabled, then perhaps that's reasonable. I don't know how useful such
> a pgadmin setup would be, but at least it wouldn't be violating one of
> the core values that using Kerberos brings.
>
> If you're saying that this is just disabling password *saving*, then
> that implies that if someone actually wants to use pgadmin to, uh, log
> into a PostgreSQL server which is configured for md5 or SCRAM auth or
> LDAP based auth that the way that'll work is that pgadmin will prompt
> the user for a password, which the user will provide and which will
> then be sent from the client to the pgadmin system in the clear, and
> which pgadmin will turn around and use to log into PG with, right?
>
Yes.
>
> It's the latter that I'm concerned with because it just wouldn't be
> appropriate for a Kerberized service which is set up to use Kerberos to
> then prompt the user for a password.
>
Well, you never answered my previous question about that. Why is it
appropriate for an FDW to do that, but not pgAdmin? Or for a user on a
kerberised machine to use a web browser to access a non-kerberised site? Or,
frankly, pretty much anything outside of a Windows domain or Kerberos
environment that a user inside the environment might want to use?
You basically seem to be saying that once a user logs into something using
Kerberos, *everything* else they log in to from there must also be done
using Kerberos - which clearly will not be the case in the vast majority of
deployments.
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EDB: http://www.enterprisedb.com