Re: LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos

Lists: pgsql-hackers
From: Lionel Elie Mamane <lionel(at)mamane(dot)lu>
To: pgsql-hackers(at)postgresql(dot)org
Subject: LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
Date: 2011-12-13 10:39:35
Message-ID: 20111213103935.GA16515@capsaicin.mamane.lu

(See part 1 for general introduction)

LibreOffice currently - when it rebuilds libpq, such as for our
official MS Windows binaries - links libpq against only the MS
Windows built-in SSPI stuff, which if I understand well is an "embrace
and extend" Kerberos 5 implementation.

I wanted to understand the limitations (if any) of building libpq on
Windows only with the MS Windows-builtin Kerberos and not additionally
with MIT Kerberos.

The "gsslib" parameter in the connection string won't work, but will
that keep users from authenticating to some Kerberos domains, and/or
are there other (interoperability?) issues that make it strongly
desirable to link libpq with *both* SSPI *and* MIT krb5 (and its
gssapi_krb5 library)?

--
Lionel


From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Lionel Elie Mamane <lionel(at)mamane(dot)lu>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
Date: 2011-12-13 14:18:22
Message-ID: 20111213141822.GS24234@tamriel.snowman.net

* Lionel Elie Mamane (lionel(at)mamane(dot)lu) wrote:
> The "gsslib" parameter in the connection string won't work, but will
> that keep users from authenticating to some Kerberos domains, and/or
> are there other (interoperability?) issues that make it strongly
> desirable to link libpq with *both* SSPI *and* MIT krb5 (and its
> gssapi_krb5 library)?

The MIT KRB5 library on Windows is more-or-less defunct now, as I
understand it. pgAdmin3 hasn't been linking against it due to unfixed
security bugs (that don't seem likely to ever be fixed) and because it's
horribly painful to maintain.

The gist of the limitation is this- if you need to support decent
encryption in a cross-realm environment on Windows XP-age systems, you
need MIT KRB5. If you're on Windows 7 or something else recent, the
built-in Windows stuff w/ AES works fine.

Thanks,

Stephen


From: Greg Smith <greg(at)2ndQuadrant(dot)com>
To: pgsql-hackers(at)postgresql(dot)org, lionel(at)mamane(dot)lu
Subject: Re: LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
Date: 2011-12-13 17:28:50
Message-ID: 4EE78B52.8020604@2ndQuadrant.com

On 12/13/2011 09:18 AM, Stephen Frost wrote:
> The gist of the limitation is this- if you need to support decent
> encryption in a cross-realm environment on Windows XP-age systems, you
> need MIT KRB5. If you're on Windows 7 or something else recent, the
> built-in Windows stuff w/ AES works fine.
>

This answers Lionel's question, but I'm curious for a more user impact
opinion from you. Given that pgAdmin III has given up on MIT KRB5,
would you feel doing the same is appropriate for LibreOffice too? It
sounds like they really shouldn't take on either the build cruft or the
potential security issues of pulling that in at this point.

--
Greg Smith 2ndQuadrant US greg(at)2ndQuadrant(dot)com Baltimore, MD
PostgreSQL Training, Services, and 24x7 Support www.2ndQuadrant.us


From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Greg Smith <greg(at)2ndQuadrant(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org, lionel(at)mamane(dot)lu
Subject: Re: LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
Date: 2011-12-13 22:09:01
Message-ID: 20111213220901.GT24234@tamriel.snowman.net

* Greg Smith (greg(at)2ndQuadrant(dot)com) wrote:
> This answers Lionel's question, but I'm curious for a more user
> impact opinion from you. Given that pgAdmin III has given up on MIT
> KRB5, would you feel doing the same is appropriate for LibreOffice
> too? It sounds like they really shouldn't take on either the build
> cruft or the potential security issues of pulling that in at this
> point.

Yes, I'd encourage LibreOffice to drop MIT "Kerberos for Windows" from
their configure/install of libpq on Windows. It's just too painful and
evil and, today, it might almost be better to just use the built-in
Windows stuff (even on XP with the crappy encryption..) than deal with
the headaches and known security flaws in the ancient MIT KfW build.

Thanks,

Stephen


From: Lionel Elie Mamane <lionel(at)mamane(dot)lu>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Greg Smith <greg(at)2ndQuadrant(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
Date: 2011-12-16 08:38:56
Message-ID: 20111216083856.GC32490@capsaicin.mamane.lu

On Tue, Dec 13, 2011 at 05:09:01PM -0500, Stephen Frost wrote:
> * Greg Smith (greg(at)2ndQuadrant(dot)com) wrote:

>> Given that pgAdmin III has given up on MIT KRB5, would you feel
>> doing the same is appropriate for LibreOffice too?

> Yes, I'd encourage LibreOffice to drop MIT "Kerberos for Windows"
> from their configure/install of libpq on Windows.

Thanks for the advice, we won't enable it.

--
Lionel