MIME-Version: 1.0
References: 
 <CAFOhELdXhWMR2zS4dnH+SudN0s7LiENH+vczC0YhuifPgm+G5g@mail.gmail.com>
 <20210102154130.GO27507@tamriel.snowman.net>
 <CA+OCxozp+n+Mq+t=hPH1ExwT-MJbrhY0ujgkf+UoUriHo1PpGA@mail.gmail.com>
 <20210102155947.GQ27507@tamriel.snowman.net>
 <CA+OCxoydYmasD36n7Zk5_UPh9x03-QRqF53=sYbx3-rSYxPZsQ@mail.gmail.com>
 <20210103173112.GR27507@tamriel.snowman.net>
 <CABUevEztMrWc9bxxDSL=1d8hCwPRu=HzM0wTLYBYoQwdQvKhzg@mail.gmail.com>
 <CA+OCxoxMGiqVr1xoy6AKB0iuHiSp77ODeLJM_HFZ4fnUux+8rQ@mail.gmail.com>
 <20210111165011.GP27507@tamriel.snowman.net>
In-Reply-To: <20210111165011.GP27507@tamriel.snowman.net>
From: Dave Page <dpage@pgadmin.org>
Date: Mon, 11 Jan 2021 16:59:47 +0000
Message-ID: 
 <CA+OCxoyF3w+3bdQpCFnMeUrSpjkyX=a1XkudGz9Ep4PQNeSmvA@mail.gmail.com>
Subject: Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1
To: Stephen Frost <sfrost@snowman.net>
Cc: Magnus Hagander <magnus@hagander.net>,
 Khushboo Vashi <khushboo.vashi@enterprisedb.com>,
	pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000ff2b8105b8a2d5a5"
Precedence: bulk

--000000000000ff2b8105b8a2d5a5
Content-Type: text/plain; charset="UTF-8"

On Mon, Jan 11, 2021 at 4:50 PM Stephen Frost <sfrost@snowman.net> wrote:

> Greetings,
>
> * Dave Page (dpage@pgadmin.org) wrote:
> > On Mon, Jan 11, 2021 at 1:15 PM Magnus Hagander <magnus@hagander.net>
> wrote:
> > > One question around that though -- when I click "save password" on a
> > > database connection in pgadmin, it gets stored on the pgadmin server.
> > > Isn't the key used to encrypt that derived from my password?  If I'm
> > > logging into pgadmin without a password (using kerberos),what would
> > > that key be derived from?
> >
> > Also correct - and right now, the plan is to disable password saving if
> > logged in using Kerberos.
>
> Disable password *saving*, or disable password *using*?
>

I'm pretty sure I wrote "saving".


>
> If you're saying that, when Kerberos is enabled, users will never be
> prompted to provide a password because password-based auth has been
> disabled, then perhaps that's reasonable.  I don't know how useful such
> a pgadmin setup would be, but at least it wouldn't be violating one of
> the core values that using Kerberos brings.
>
> If you're saying that this is just disabling password *saving*, then
> that implies that if someone actually wants to use pgadmin to, uh, log
> into a PostgreSQL server which is configured for md5 or SCRAM auth or
> LDAP based auth that the way that'll work is that pgadmin will prompt
> the user for a password, which the user will provide and which will
> then be sent from the client to the pgadmin system in the clear, and
> which pgadmin will turn around and use to log into PG with, right?
>

Yes.


>
> It's the latter than I'm concerned with because it just wouldn't be
> appropriate for a Kerberized service which is set up to use Kerberos to
> then prompt the user for a password.
>

Well you never answered my previous question about that. Why is it
appropriate for an FDW to do that, but not pgAdmin? Or for a user on a
kerberised machine to use a web browser to access a non-kerberised site? Or
frankly pretty much anything outside of a windows domain or kerberos
environment that a user inside the environment might want to use?

You basically seem to be saying that once a user logs into something using
Kerberos, *everything* else they login to from there must also be done
using Kerberos - which clearly will not be the case in the vast majority of
deployments.

-- 
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com

--000000000000ff2b8105b8a2d5a5
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Mon, Jan 11, 2021 at 4:50 PM Steph=
en Frost &lt;<a href=3D"mailto:sfrost@snowman.net">sfrost@snowman.net</a>&g=
t; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0p=
x 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Greeti=
ngs,<br>
<br>
* Dave Page (<a href=3D"mailto:dpage@pgadmin.org" target=3D"_blank">dpage@p=
gadmin.org</a>) wrote:<br>
&gt; On Mon, Jan 11, 2021 at 1:15 PM Magnus Hagander &lt;<a href=3D"mailto:=
magnus@hagander.net" target=3D"_blank">magnus@hagander.net</a>&gt; wrote:<b=
r>
&gt; &gt; One question around that though -- when I click &quot;save passwo=
rd&quot; on a<br>
&gt; &gt; database connection in pgadmin, it gets stored on the pgadmin ser=
ver.<br>
&gt; &gt; Isn&#39;t the key used to encrypt that derived from my password?=
=C2=A0 If I&#39;m<br>
&gt; &gt; logging into pgadmin without a password (using kerberos),what wou=
ld<br>
&gt; &gt; that key be derived from?<br>
&gt; <br>
&gt; Also correct - and right now, the plan is to disable password saving i=
f<br>
&gt; logged in using Kerberos.<br>
<br>
Disable password *saving*, or disable password *using*?<br></blockquote><di=
v><br></div><div>I&#39;m pretty sure I wrote &quot;saving&quot;.</div><div>=
=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0=
.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
If you&#39;re saying that, when Kerberos is enabled, users will never be<br=
>
prompted to provide a password because password-based auth has been<br>
disabled, then perhaps that&#39;s reasonable.=C2=A0 I don&#39;t know how us=
eful such<br>
a pgadmin setup would be, but at least it wouldn&#39;t be violating one of<=
br>
the core values that using Kerberos brings.<br>
<br>
If you&#39;re saying that this is just disabling password *saving*, then<br=
>
that implies that if someone actually wants to use pgadmin to, uh, log<br>
into a PostgreSQL server which is configured for md5 or SCRAM auth or<br>
LDAP based auth that the way that&#39;ll work is that pgadmin will prompt<b=
r>
the user for a password, which the user will provide and which will<br>
then be sent from the client to the pgadmin system in the clear, and<br>
which pgadmin will turn around and use to log into PG with, right?<br></blo=
ckquote><div><br></div><div>Yes.</div><div>=C2=A0</div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex">
<br>
It&#39;s the latter than I&#39;m concerned with because it just wouldn&#39;=
t be<br>
appropriate for a Kerberized service which is set up to use Kerberos to<br>
then prompt the user for a password.<br></blockquote><div><br></div><div>We=
ll you never answered my previous question about that. Why is it appropriat=
e for an FDW to do that, but not pgAdmin? Or for a user on a kerberised=C2=
=A0machine to use a web browser to access a non-kerberised=C2=A0site? Or fr=
ankly pretty much anything outside of a windows domain or kerberos environm=
ent that a user inside the environment might want to use?</div><div><br></d=
iv><div>You basically seem to be saying that once a user logs into somethin=
g using Kerberos, *everything* else they login to from there must also be d=
one using Kerberos - which clearly will not be the case in the vast majorit=
y of deployments.</div></div><div><br></div>-- <br><div dir=3D"ltr" class=
=3D"gmail_signature"><div dir=3D"ltr">Dave Page<br>Blog: <a href=3D"http://=
pgsnake.blogspot.com" target=3D"_blank">http://pgsnake.blogspot.com</a><br>=
Twitter: @pgsnake<br><br>EDB: <a href=3D"http://www.enterprisedb.com" targe=
t=3D"_blank">http://www.enterprisedb.com</a><br><br></div></div></div>

--000000000000ff2b8105b8a2d5a5--