MIME-Version: 1.0
References: 
 <CAFOhELdXhWMR2zS4dnH+SudN0s7LiENH+vczC0YhuifPgm+G5g@mail.gmail.com>
 <20210102154130.GO27507@tamriel.snowman.net>
In-Reply-To: <20210102154130.GO27507@tamriel.snowman.net>
From: Dave Page <dpage@pgadmin.org>
Date: Sat, 2 Jan 2021 15:56:19 +0000
Message-ID: 
 <CA+OCxozp+n+Mq+t=hPH1ExwT-MJbrhY0ujgkf+UoUriHo1PpGA@mail.gmail.com>
Subject: Re: [pgAdmin4][Patch] - RM 5457 - Kerberos Authentication - Phase 1
To: Stephen Frost <sfrost@snowman.net>
Cc: Khushboo Vashi <khushboo.vashi@enterprisedb.com>,
	pgadmin-hackers <pgadmin-hackers@postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000007925b805b7ece607"
Precedence: bulk

--0000000000007925b805b7ece607
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Stephen

On Sat, 2 Jan 2021 at 15:41, Stephen Frost <sfrost@snowman.net> wrote:

> Greetings,
>
> * Khushboo Vashi (khushboo.vashi@enterprisedb.com) wrote:
> > Please find the attached patch to support Kerberos Authentication in
> > pgAdmin RM 5457.
> >
> > The patch introduces a new pluggable option for Kerberos authentication=
,
> > using SPNEGO to forward kerberos tickets through a browser which will
> > bypass the login page entirely if the Kerberos Authentication succeeds.
>
> I've taken a (very short) look at this as it's certainly something that
> I'm interested in and glad to see work is being done on it.
>
> I notice that 'delegated_creds' is being set but it's unclear to me how
> they're actually being used (if at all), which is a very important part
> of Kerberos.
>
> What's commonly done with mod_auth_kerb/mod_auth_gss is that the
> delegated credentials are stored on the filesystem in a temporary
> directory and then an environment variable is set to signal to libpq /
> the Kerberos libraries that the delegated credentials can be found in
> the temporary file.  I don't see any of that happening in this patch- is
> that already handled in some way?  If not, what's the plan for making
> that work?  Also important is to make sure that this approach will work
> for constrainted delegation implementations.


Phase 1 of this project (which this patch aims to implement) is to handle
Kerberos logins to pgAdmin when running in server mode (as we=E2=80=99ve al=
ready
done for LDAP, except KRB authenticated users don=E2=80=99t see a login pag=
e of
course). Phase 2 will add support for logging into the PostgreSQL servers -
I believe that is where we=E2=80=99ll need to handle delegated credentials,=
 correct?

> --
--=20
Dave Page
https://pgsnake.blogspot.com

EDB Postgres
https://www.enterprisedb.com

--0000000000007925b805b7ece607
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Hi Stephen=C2=A0</div><div><br><div class=3D"gmail_quote"=
><div dir=3D"ltr" class=3D"gmail_attr">On Sat, 2 Jan 2021 at 15:41, Stephen=
 Frost &lt;<a href=3D"mailto:sfrost@snowman.net">sfrost@snowman.net</a>&gt;=
 wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;bo=
rder-left-color:rgb(204,204,204)" dir=3D"auto">Greetings,<br>
<br>
* Khushboo Vashi (<a href=3D"mailto:khushboo.vashi@enterprisedb.com" target=
=3D"_blank">khushboo.vashi@enterprisedb.com</a>) wrote:<br>
&gt; Please find the attached patch to support Kerberos Authentication in<b=
r>
&gt; pgAdmin RM 5457.<br>
&gt; <br>
&gt; The patch introduces a new pluggable option for Kerberos authenticatio=
n,<br>
&gt; using SPNEGO to forward kerberos tickets through a browser which will<=
br>
&gt; bypass the login page entirely if the Kerberos Authentication succeeds=
.<br>
<br>
I&#39;ve taken a (very short) look at this as it&#39;s certainly something =
that<br>
I&#39;m interested in and glad to see work is being done on it.<br>
<br>
I notice that &#39;delegated_creds&#39; is being set but it&#39;s unclear t=
o me how<br>
they&#39;re actually being used (if at all), which is a very important part=
<br>
of Kerberos.<br>
<br>
What&#39;s commonly done with mod_auth_kerb/mod_auth_gss is that the<br>
delegated credentials are stored on the filesystem in a temporary<br>
directory and then an environment variable is set to signal to libpq /<br>
the Kerberos libraries that the delegated credentials can be found in<br>
the temporary file.=C2=A0 I don&#39;t see any of that happening in this pat=
ch- is<br>
that already handled in some way?=C2=A0 If not, what&#39;s the plan for mak=
ing<br>
that work?=C2=A0 Also important is to make sure that this approach will wor=
k<br>
for constrainted delegation implementations.</blockquote><div dir=3D"auto">=
<br></div><div dir=3D"auto">Phase 1 of this project (which this patch aims =
to implement) is to handle Kerberos logins to pgAdmin when running in serve=
r mode (as we=E2=80=99ve already done for LDAP, except KRB authenticated us=
ers don=E2=80=99t see a login page of course). Phase 2 will add support for=
 logging into the PostgreSQL servers - I believe that is where we=E2=80=99l=
l need to handle delegated credentials, correct?</div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border=
-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)" dir=
=3D"auto"></blockquote></div></div>-- <br><div dir=3D"ltr" class=3D"gmail_s=
ignature" data-smartmail=3D"gmail_signature">-- <br>Dave Page<br><a href=3D=
"https://pgsnake.blogspot.com">https://pgsnake.blogspot.com</a><br><br>EDB =
Postgres<br><a href=3D"https://www.enterprisedb.com">https://www.enterprise=
db.com</a></div>

--0000000000007925b805b7ece607--