Bug#551078: libpq5: Possibility to specify the Kerberos keytab file

Wed, 11 Jan 2012 02:09:28 -0800 

>>>>> Denis Feklushkin <denis.feklush...@gmail.com> writes:
>>>>> В Срд, 11/01/2012 в 13:44 +0700, Ivan Shmakov пишет:
>>>>> Denis Feklushkin <denis.feklush...@gmail.com> writes:

[…]

 >>> Libpq often used for connect to the database without human assist.
 >>> In this case there is no opportunity to enter a password and get a
 >>> ticket for authentication in Kerberos.

 >>> Please add the ability to specify in a function
 >>> PQconnectdb(conninfo) path to the Kerberos 5 keytab file.

 >> Shouldn't libpq just assume whatever identity confirmed by the prior
 >> kinit(1) invocation when using Kerberos for authentication?

 > In general, ability to use a different keytab files would add some
 > flexibility - libpq will be able to connect to the different servers
 > in different realms at same time.  (I wanted it in 2009, as far as I
 > can remember)

        Please note that it's possible to store keys for multiple
        Kerberos identities in a single keytab file.

        Also, it's possible to make Kerberos KDC's for different realms
        trust each other.  Then, the client having an identity within,
        say, the EXAMPLE.ORG realm could authenticate to the server
        within, say, EXAMPLE.COM.

        Note, however, that this doesn't automatically give any
        EXAMPLE.ORG users the /authorization/ to use EXAMPLE.COM
        services.

 > But if this behavior violates ideology of the Kerberos then this
 > option is not necessary.

        I doubt for the ideology, but such an option is likely to
        introduce extra burden for every client for which such an option
        is desired.

        In particular, it's likely that for the clients with GUI it'd be
        necessary to introduce an extra “File open” dialog so that
        keytab file (or files) could then be specified by the user.

 >> And, kinit(1) (as of heimdal-clients, 1.4.0~git20100726.dfsg.1-1+b1)
 >> will accept a keytab file, like:

 >> $ kinit --keytab="$HOME"/.my.keytab --use-keytab \
 >>       my/ident...@realm.example.org 

 >> (Though I haven't actually tested the above.)

 > Confirmed, Heimdal's kinit with -t option works fine.

        … Is libpq then able to use these credentials?

-- 
FSF associate member #7257



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to