On Sat, 10 Oct 2009 14:35:40 +0100 Stephen Gran <sg...@debian.org> wrote:
> > > This will be a severe bootstrap problem - you'll need to be
> > > logged in to run kinit to verify who you are before you can log
> > > in.
> >
> > What about using a separate keytab file specially for nss-pgsql,
> > readable for all users, with 444 permissions?
>
> That's not my understanding of how kerberos works. You have a keytab
> per user or service, and receive principals for access to services.
> It's not really clear to me how you would have a shared keytab for all
> users. It's also not clear to me that you can have a user access the
> database as another user with kerberos - one of the points of
> kerberos, after all, is to prove your identity.

I think we are talking about different things. I propose to authenticate
through Kerberos the dbuser who is described in /etc/nss-pgsql.conf.
Users currently don't have access to the file /etc/nss-pgsql.conf with
the passwords, and everything works - I think access to the keytab file
also needs to be root-only.

> > > This software is basically dead upstream as far as I can tell,
> >
> > :( Very strange, I thought that this is one of the most used server
> > software
>
> Postgres yes, libnss-pgsql no.

Have all people moved to LDAP?

> > > and I seem to be the only one looking after it in Debian at the
> > > moment. I think that kerberos isn't suited for this, unless you
> > > can convince me otherwise, so I'm not likely to spend any time on
> > > this problem. If you can show me I'm misunderstanding how the
> > > process can work, I'll be happy to look at how hard it would be
> > > to add support.
> >
> > Kerberos is suitable, in principle, to authenticate all users,
> > servers or services. It has a great advantage: it also
> > automatically ensures that the server is not a fake. The same
> > guarantee is given by an SSL certificate, but using them is not
> > convenient in comparison with Kerberos (they must be specifically
> > generated and signed).
>
> I don't think I'm managing to communicate the problem here. Let me
> try to restate the problem I see.
>
> On login, the login program will attempt to resolve your name to a
> numeric uid (so that the running process can suid to your uid). This
> resolution will invoke the code in libnss-pgsql _before the user has
> logged in_. If access to the database is kerberos based, it cannot
> access the database at this point, since it won't have a principal in
> the user's keytab. Am I missing something?

Yes, we are talking about different things. See above.