[QGIS-Developer] Auth-config and single sign-on with Windows login

[QGIS-Developer] Auth-config and single sign-on with Windows login

Andreas Neumann-4

Hi,

Is it possible to use the Windows-Login as a login for PostgreSQL/WMS in the auth-cfg manager?

We have our PG-Server configured in a way that it integrates with the Windows AD. Could we use that login directly in the QGIS auth manager, rather than creating a separate auth-cfg where we need to also change the password in the QGIS auth-manager when the Windows login password changes?

Is this already possible somehow or if not, would it be feasible to implement this?

Thanks,
Andreas


_______________________________________________
QGIS-Developer mailing list
[hidden email]
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Re: Auth-config and single sign-on with Windows login

Jürgen E. Fischer
Hi Andreas,

On Wed, 20. Nov 2019 at 14:38:49 +0100, Andreas Neumann wrote:
> Is it possible to use the Windows-Login as a login for PostgreSQL/WMS in the
> auth-cfg manager?

Are you sure support is even required?  I'd expect it to be handled
transparently.


Jürgen

--
Jürgen E. Fischer           norBIT GmbH             Tel. +49-4931-918175-31
Dipl.-Inf. (FH)             Rheinstraße 13          Fax. +49-4931-918175-50
Software Engineer           D-26506 Norden            https://www.norbit.de

norBIT Gesellschaft fuer Unternehmensberatung und Informationssysteme mbH
Rheinstrasse 13, 26506 Norden
GF: Juergen Fischer, Nils Kutscher HR: Amtsgericht Aurich HRB 100827
Datenschutzerklaerung: https://www.norbit.de/83/


Re: Auth-config and single sign-on with Windows login

Andreas Neumann-4

Hi Jürgen,

I wouldn't know how this works. When I create a new PG connection, it forces me to add a username and password. I can't create a new connection without specifying one. Even if the Windows password manager already knows my windows credentials, which are the same as the PG credentials. As a "stupid user" I would either expect:

- not being asked for credentials (means that QGIS would automagically forward the Windows credentials)

- or when creating a new auth-conf, having a choice like "use windows credentials" and then not being asked for username/password, because QGIS already knows it from Windows.

But maybe I am just not correctly handling it.

The one thing I noticed is that the Windows password manager automatically loads the master password of the QGIS password manager. So that one seems to work.

Andreas


Re: Auth-config and single sign-on with Windows login

Alessandro Pasotti-2


On Wed, Nov 20, 2019 at 5:10 PM Andreas Neumann <[hidden email]> wrote:

> Hi Jürgen,
>
> I wouldn't know how this works. When I create a new PG connection, it forces me to add a username and password. I can't create a new connection without specifying one. Even if the Windows password manager already knows my windows credentials, which are the same as the PG credentials. As a "stupid user" I would either expect:
>
> - not being asked for credentials (means that QGIS would automagically forward the Windows credentials)

What if your DNS has been poisoned to hit evil.hacker.com instead? Would you still want your credentials to be automatically sent?

> - or when creating a new auth-conf, having a choice like "use windows credentials" and then not being asked for username/password, because QGIS already knows it from Windows.

I don't get this point: when you enter your credentials in the OS wallet (password manager) it does not leak them to QGIS, or that would be another huge security hole.

> But maybe I am just not correctly handling it.
>
> The one thing I noticed is that the Windows password manager automatically loads the master password of the QGIS password manager. So that one seems to work.

That's the currently supported way to manage credentials: you store them into the encrypted QGIS auth DB and (optionally) store the master password in your OS wallet.

In any event, the QGIS auth system is plugin based (C++ plugins) and other/custom auth methods could be developed if needed.

Cheers

--
Alessandro Pasotti
w3:   www.itopen.it


Re: Auth-config and single sign-on with Windows login

Andreas Neumann-4

Hi Alessandro,

To be honest - I don't know much about this single sign-on on Windows. I just noticed that with some software, one doesn't have to log in a second time. One login into the Windows system is enough and the other software can - somehow (I don't know how) - authenticate the user from the Windows login, without a second log-in. But I don't know how that works.

It is not super important, but would be somehow convenient, if it doesn't sacrifice security. Maybe it isn't possible at all.

Andreas


Re: Auth-config and single sign-on with Windows login

3nids
Hi,

I believe the situation is different for PG and WMS authentication.

For PG, if you have LDAP connection or so, you basically don't need to have any credentials in QGIS. You will always connect through the same "user".

For WMS, I don't see this being possible if I understand correctly how the auth works, otherwise that would mean, as Alessandro pointed out, that your user/password would leak.
The safe way would be that the authentication on the WMS server actually checks the AD. I have no idea if that's possible and it's totally independent from QGIS.

Don't hesitate to correct me if I missed something.

Denis




Re: Auth-config and single sign-on with Windows login

Bo Victor Thomsen
In reply to this post by Andreas Neumann-4

If you have a "clean" Windows setup (i.e. both the client and server are Windows based) you can use the SSPI single sign-on setup on the server - equivalent to "Integrated security" for MS-SQLServer.

In simple terms it means that your Windows logon identity is automatically reused as a Postgres user identity without any further setup.

Very popular with my "Always Windows-only !!" customers and a forceful argument for switching them from MS-SQLServer to Postgres/PostGIS for spatial data.

https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows

-- 
Med venlig hilsen / Kind regards

Bo Victor Thomsen
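The SSPI setup Bo refers to lives on the server side, in pg_hba.conf (which connections may use the sspi method) and pg_ident.conf (which AD principal may become which PostgreSQL role). The script below is an added example for this thread, not code from the list, from QGIS or from PostgreSQL: it parses a constructed pair of those files, shows how a principal such as alice@EXAMPLE.COM is mapped to the role alice while alice@OTHER.COM is refused, and flags the entries a reviewer would question (trust, include_realm=0, a missing map=). The realm, subnets, database and role names are placeholders; it assumes the CIDR address form in pg_hba.conf and the regex-map semantics documented for pg_ident.conf.

```python
"""Audit pg_hba.conf / pg_ident.conf for Windows SSPI single sign-on.

Added example; not code from the mailing list, QGIS or PostgreSQL. The
configuration text is constructed: realm, subnets, database and role names
are placeholders. Assumes the CIDR address form in pg_hba.conf and the
regex-map semantics documented for pg_ident.conf.
"""
import re
from dataclasses import dataclass, field

# Constructed pg_hba.conf: a sound SSPI entry, an SSPI entry that strips the
# realm and has no map, a 'trust' entry, and a password entry for everyone else.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD         [OPTIONS]
host    gis       all   10.0.0.0/24  sspi           map=ad include_realm=1 krb_realm=EXAMPLE.COM
host    all       all   10.0.1.0/24  sspi           include_realm=0
host    all       all   10.0.2.0/24  trust
host    all       all   0.0.0.0/0    scram-sha-256
"""

# Constructed pg_ident.conf: the regex rule maps any principal of the placeholder
# realm to the role of the same name; the literal rule maps one principal to postgres.
SAMPLE_IDENT = """\
# MAPNAME  SYSTEM-USERNAME        PG-USERNAME
ad         /^(.*)@EXAMPLE\\.COM$   \\1
ad         admin@EXAMPLE.COM      postgres
"""


@dataclass
class HbaEntry:
    conn_type: str
    database: str
    user: str
    address: str
    method: str
    options: dict = field(default_factory=dict)


def _config_lines(text):
    """Yield non-empty lines with comments removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_hba(text):
    """Parse pg_hba.conf entries (CIDR address form only)."""
    entries = []
    for line in _config_lines(text):
        fields = line.split()
        if fields[0] == "local":  # local entries carry no address column
            conn_type, database, user, method, rest = fields[0], fields[1], fields[2], fields[3], fields[4:]
            address = ""
        else:
            conn_type, database, user, address, method = fields[:5]
            rest = fields[5:]
        options = dict(item.partition("=")[::2] for item in rest)  # key=value -> {key: value}
        entries.append(HbaEntry(conn_type, database, user, address, method, options))
    return entries


def parse_ident(text):
    """Parse pg_ident.conf into (mapname, system_user, pg_user) triples."""
    return [tuple(line.split()) for line in _config_lines(text)]


def map_identity(rules, mapname, system_user, requested_role):
    """Decide whether system_user may log in as requested_role under mapname.

    pg_ident semantics: a SYSTEM-USERNAME starting with '/' is a regular
    expression whose single capture group replaces \\1 in PG-USERNAME; any other
    SYSTEM-USERNAME is compared literally. Anchors are not implied, so rules
    should carry ^ and $ explicitly, as the sample above does.
    """
    for name, system_pattern, pg_user in rules:
        if name != mapname:
            continue
        if system_pattern.startswith("/"):
            match = re.search(system_pattern[1:], system_user)
            if match is None:
                continue
            target = pg_user.replace("\\1", match.group(1)) if match.groups() else pg_user
        elif system_pattern == system_user:
            target = pg_user
        else:
            continue
        if target == requested_role:
            return True
    return False


def audit_sso(entries):
    """Return (severity, message) findings a reviewer would raise on SSO entries."""
    findings = []
    for e in entries:
        where = f"{e.conn_type} {e.database} {e.user} {e.address}".strip()
        if e.method == "trust":
            findings.append(("high", f"{where}: 'trust' lets any client in with no authentication"))
        elif e.method == "password":
            findings.append(("high", f"{where}: cleartext 'password' method"))
        elif e.method in ("sspi", "gss"):
            if e.options.get("include_realm") == "0":
                findings.append(("medium", f"{where}: include_realm=0 drops the realm, so same-named "
                                           "accounts in different domains collide unless krb_realm restricts it"))
            if "map" not in e.options:
                findings.append(("low", f"{where}: no map=, so the logon name must equal the role name exactly"))
    return findings


def run_sample():
    """Run the audit and a few mapping checks over the constructed configuration."""
    entries = parse_hba(SAMPLE_HBA)
    rules = parse_ident(SAMPLE_IDENT)
    return {
        "findings": audit_sso(entries),
        "alice_ok": map_identity(rules, "ad", "alice@EXAMPLE.COM", "alice"),
        "alice_as_bob": map_identity(rules, "ad", "alice@EXAMPLE.COM", "bob"),
        "foreign_realm": map_identity(rules, "ad", "alice@OTHER.COM", "alice"),
        "admin_ok": map_identity(rules, "ad", "admin@EXAMPLE.COM", "postgres"),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

The point the mapping check makes for the QGIS side of the thread is that with SSPI the password never leaves the client: the server only ever sees the Kerberos/SSPI principal, and pg_ident.conf decides which role that principal may assume, so the regex rule anchored on the realm is what stops a same-named account from another domain.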

Re: Auth-config and single sign-on with Windows login

Jürgen E. Fischer
Hi,

On Thu, 21. Nov 2019 at 10:01:16 +0100, Bo Victor Thomsen wrote:
> Very popular with my "Always Windows-only !!" customers and a forceful
> argument for switching them from MS-SQLServer to Postgres/PostGIS for
> spatial data.
>
> https://wiki.postgresql.org/wiki/Configuring_for_single_sign-on_using_SSPI_on_Windows

"Windows-to-unix a bit more work"

https://www.hagander.net/talks/Deploying%20PostgreSQL%20in%20a%20Windows%20Enterprise.pdf



Jürgen
--
Jürgen E. Fischer           norBIT GmbH             Tel. +49-4931-918175-31
Dipl.-Inf. (FH)             Rheinstraße 13          Fax. +49-4931-918175-50
Software Engineer           D-26506 Norden            https://www.norbit.de


Re: Auth-config and single sign-on with Windows login

Bo Victor Thomsen

You're right Jürgen; the problem using integrated security in a mixed environment is not impossible, just some more work.

However, trying to convince the segment of my customers - who pray to the "one-and-only Windows" god or whatever - to

  • switch to Postgres from MS-SQLServer or Oracle (very hard but possible)
  • and switch to Linux from MS-Windows on the server (Iiiiiimmmmmpossible !!)

overwhelms my limited "salesman" skills. I leave this option to people who are adept at selling sand in the Sahara.

Getting them to switch to Postgres is a big "win" from my point of view. And, by the way, Postgres is not "awful" on Windows any more. Just ordinary "Windows bad" compared to the Linux version :-).

-- 
Med venlig hilsen / Kind regards

Bo Victor Thomsen


Re: Auth-config and single sign-on with Windows login

Andreas Neumann-4
In reply to this post by Jürgen E. Fischer

Hi Jürgen and Bo,

Thanks for sharing that information about the single sign on. I'll have a look at it.

So on the QGIS side this would require a Kerberos configuration for the auth-config - in the mixed Win-Client Lin-PG-Server scenario - right?

Andreas
