Database authentication (as in RT_SiteConfig.pm) using a kerberos principal

hi,

Using postgresql (or oracle possibly) it is possible to use kerberos/gssapi
to log in the database.

If I create a kerberos service principal rt/myserver.domain.tld/MYREALM.TLD
I can login the postgresql database with a keytab for this principal.

How can I tell the request tracker application it has to use this keytab
instead of setting a username/password in clear text in a config file? This
would be a huge security improvement IMO.

With other apps I can use the KRB5CCNAME variable to specify where the
ticket cache file is and use that.

Could something like this be possible?

TIA,
Groeten,
natxo

Using postgresql (or oracle possibly) it is possible to use kerberos/gssapi to log in the
database.

If I create a kerberos service principal rt/myserver.domain.tld/MYREALM.TLD I can login the
postgresql database with a keytab for this principal.

How can I tell the request tracker application it has to use this keytab instead of setting a
username/password in clear text in a config file? This would be a huge security improvement
IMO.

With other apps I can use the KRB5CCNAME variable to specify where the ticket cache file is
and use that.

If DBD::Pg or DBD::Oracle can do it, then RT should be able to
leverage that. You’ll need to review the driver documentation for how
the configuration needs to be set up.

-kevin

Using postgresql (or oracle possibly) it is possible to use
kerberos/gssapi to log in the
database.

If I create a kerberos service principal
rt/myserver.domain.tld/MYREALM.TLD I can login the
postgresql database with a keytab for this principal.

How can I tell the request tracker application it has to use this
keytab instead of setting a
username/password in clear text in a config file? This would be a
huge security improvement
IMO.

With other apps I can use the KRB5CCNAME variable to specify where
the ticket cache file is
and use that.

If DBD::Pg or DBD::Oracle can do it, then RT should be able to
leverage that. You’ll need to review the driver documentation for how
the configuration needs to be set up.

DBI with the postgres driver can do it (I suppose that is DBD::Pg, correct
me if I am wrong).

I have created a service principal rt/webserver01.ipa.asenjo.nx and added a
postgresql login role in the postgresql server with the same name, no
passwords.

After that I retrieved the keytab for the service principal and saved it in
a file rt.keytab.

Then I wrote this snippet:

use strict;
use warnings;

use Authen::Krb5::Easy qw( kinit kdestroy kerror );

my $keytab = ‘/home/admin/rt.keytab’;
my $ccache = ‘/tmp/rt.ccache’;
my $principal = ‘rt/webserver01.ipa.asenjo.nx’;

print $principal, “\n”;

$ENV{KRB5CCNAME} = $ccache;

kinit( $keytab, $principal ) || die kerror();

use DBI;

my $dbhost = “postgres.ipa.asenjo.nx”;

my $dbh = DBI->connect(
“DBI:Pg:dbname=template1;host=$dbhost”,$principal,‘’);

my $sth = $dbh->prepare(“select usename from pg_catalog.pg_user”) ;

$sth->execute();

save the postgres roles in value of hash, key not important

my %postgres_roles;
while ( my @data = $sth->fetchrow_array() ) {
$postgres_roles{$data[0]} = $data[0];
}

print %postgres_roles;

And I see the list of roles in the postgresql server, so it works using the
kerberos principal.

So how can I tell rt to look in the kerberos cache file for its kerberos
credentials?

TIA,
natxo

Hi,

Looks like you have to configure DatabaseHost, DatabaseUser and
DatabasePassword properly and KRB5CCNAME environment variable. As I
recall we cleanup ENV somewhere. Try putting it directly in
ConnectToDatabase function in RT.pm.On Mon, Jun 25, 2012 at 9:33 PM, Natxo Asenjo natxo.asenjo@gmail.com wrote:

On Mon, Jun 25, 2012 at 4:32 PM, Kevin Falcone falcone@bestpractical.com wrote:

On Sat, Jun 23, 2012 at 04:49:25PM +0200, Natxo Asenjo wrote:

Using postgresql (or oracle possibly) it is possible to use
kerberos/gssapi to log in the
database.

If I create a kerberos service principal
rt/myserver.domain.tld/MYREALM.TLD I can login the
postgresql database with a keytab for this principal.

How can I tell the request tracker application it has to use this
keytab instead of setting a
username/password in clear text in a config file? This would be a
huge security improvement
IMO.

With other apps I can use the KRB5CCNAME variable to specify where
the ticket cache file is
and use that.

If DBD::Pg or DBD::Oracle can do it, then RT should be able to
leverage that. You’ll need to review the driver documentation for how
the configuration needs to be set up.

DBI with the postgres driver can do it (I suppose that is DBD::Pg, correct
me if I am wrong).

I have created a service principal rt/webserver01.ipa.asenjo.nx and added a
postgresql login role in the postgresql server with the same name, no
passwords.

After that I retrieved the keytab for the service principal and saved it in
a file rt.keytab.

Then I wrote this snippet:

use strict;
use warnings;

use Authen::Krb5::Easy qw( kinit kdestroy kerror );

my $keytab = ‘/home/admin/rt.keytab’;
my $ccache = ‘/tmp/rt.ccache’;
my $principal = ‘rt/webserver01.ipa.asenjo.nx’;

print $principal, “\n”;

$ENV{KRB5CCNAME} = $ccache;

kinit( $keytab, $principal ) || die kerror();

use DBI;

my $dbhost = “postgres.ipa.asenjo.nx”;

my $dbh = DBI->connect(
“DBI:Pg:dbname=template1;host=$dbhost”,$principal,‘’);

my $sth = $dbh->prepare(“select usename from pg_catalog.pg_user”) ;

$sth->execute();

save the postgres roles in value of hash, key not important

my %postgres_roles;
while ( my @data = $sth->fetchrow_array() ) {
$postgres_roles{$data[0]} = $data[0];
}

print %postgres_roles;

And I see the list of roles in the postgresql server, so it works using the
kerberos principal.

So how can I tell rt to look in the kerberos cache file for its kerberos
credentials?

TIA,

natxo

Best regards, Ruslan.

hi,

a bit late response.

This works! I had to make the kerberos credentials cache file apache
readable as well, and it works.

Thanks for the tip. Another password bites the dust :slight_smile:

groet,
natxoOn Wed, Jun 27, 2012 at 11:04 PM, Ruslan Zakirov ruz@bestpractical.comwrote:

Hi,

Looks like you have to configure DatabaseHost, DatabaseUser and
DatabasePassword properly and KRB5CCNAME environment variable. As I
recall we cleanup ENV somewhere. Try putting it directly in
ConnectToDatabase function in RT.pm.