How can i specify keytab file when connecting to postgres with golang pq using kerberos?

huangapple go评论78阅读模式
英文:

How can i specify keytab file when connecting to postgres with golang pq using kerberos?

问题

我目前正在使用golang的pq库连接到PostgreSQL数据库。我成功地使用Kerberos主体进行连接,但是我无法确定在哪里可以指定要使用的keytab文件。在源代码中,它似乎是通过某个第三方库来实现的。它实际上可以工作,但我需要确切地知道它是如何知道我的keytab存储在哪里,以便可以请求初始票证。

英文:

I am currently using golang pq library to connect to postgres database. I am successfully connecting using kerberos principal, but i can't figure out where can i specify keytab file to use to. In the source code it kinda happens magically, using some third-party library. It actually works, but i need to know for sure how does it know where my keytab is stored, so it can request initial ticket.

答案1

得分: 0

通常,Kerberos客户端不直接使用keytab;它们期望已经获取并存在于环境中的初始票据。也就是说,在运行程序之前,你需要先使用kinit命令获取票据,然后客户端的GSSAPI库会查找KRB5CCNAME环境变量,该变量指向一个文件,其中包含由kinit生成的票据缓存。

(通常情况下,使用MIT Kerberos或Heimdal时,缓存可以是文件之外的其他形式...但是,pq库使用的是一个非常简化的纯Go Kerberos实现,它只接受基于传统文件的ccache。因此,如果你的发行版上的Krb5设置为使用DIRKEYRINGKCM缓存类型,请小心,这些类型在这里不起作用。)

如果初始票据不存在,MIT Krb5实现实际上会自动使用keytab获取票据,前提是KRB5_CLIENT_KTNAME环境变量指向一个keytab文件。不幸的是,pq库不使用系统的Kerberos库,所以这种方法在这里也不起作用。(但是,如果你的操作系统使用的是Heimdal Kerberos,这种方法也不起作用;它是MIT的特定扩展。)

因此,一种始终有效的方法是将KRB5CCNAME设置为临时路径,然后在运行程序之前使用kinitk5start从keytab获取票据。(k5start工具还可以在票据过期之前自动续订或重新获取票据,而无需使用cron。)


实际上,整个krb_unix.go文件令人失望。如果他们可以在Windows上调用本机SSPI,那么他们肯定可以在Linux上调用本机GSSAPI...

英文:

Usually Kerberos clients do not directly use a keytab; they expect the initial ticket to be already acquired and present in the environment. That is, you're expected to kinit before running the program, and afterwards the client's GSSAPI library looks for the KRB5CCNAME environment variable, which points at a file containing the ticket cache left by kinit.

(Normally with MIT Kerberos or Heimdal it could be many other things besides a file... but the 'pq' library uses a very minimal pure-Go Kerberos implementation which only accepts a traditional file-based ccache. So be careful if Krb5 on your distro was set up to use 'DIR' or 'KEYRING' or 'KCM' cache types, those aren't going to work here.)

If the initial ticket isn't present, the MIT Krb5 implementation will in fact automatically use a keytab to acquire the ticket if the KRB5_CLIENT_KTNAME environment variable is pointing to one. Unfortunately, the 'pq' library doesn't use the system Kerberos library, so that won't work here either. (But it also wouldn't work if your OS was using Heimdal Kerberos; it's a MIT-specific extension.)

So the approach that will always work is to set KRB5CCNAME to a temporary path, then use either kinit or k5start to acquire a ticket from the keytab, before running your program. (The k5start tool will also keep automatically renewing or re-acquiring the ticket before it expires, without needing to use cron.)


Really, the whole krb_unix.go file is disappointing. If they can call the native SSPI on Windows, surely they could call the native GSSAPI on Linux...

huangapple
  • 本文由 发表于 2022年4月21日 14:35:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/71949897.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定