Re: Kerberos v5 support

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Garrett Wollman <wollman(at)khavrinen(dot)lcs(dot)mit(dot)edu>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: Kerberos v5 support
Date: 2000-11-06 18:25:16
Message-ID: 200011061825.NAA28132@candle.pha.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches

OK.

> <<On Mon, 6 Nov 2000 12:05:01 -0500 (EST), Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> said:
>
> > I have applied some kerberos changes to the current snapshot a few
> > months ago. Can you grab that and let me know what you would like
> > changed? Thanks.
>
> My code has much better error handing (``Kerberos error %d'' is vile!)
> and uses the correct API to determine the client's authenticated
> name. My version also checks the IP addresses in the client's ticket
> to protect against certain kinds of attacks. On the other hand, the
> -current code is configurable with respect to the name of the keytab.
> (I don't personally see much value in allowing the keytab name to be
> changed at run time, but whatever floats your boat....)
>
> Both versions still sweep the an_to_ln problem under the carpet. This
> is a SERIOUS flaw for anyone who needs to operate in an environment
> with cross-realm authentication. I don't know the innards of pgsql
> well-enough to be able to code the internal table-lookup that would be
> necessary to perform proper an_to_ln mapping -- hopefully someone else
> out there does.
>
> Since I'm working in a near-production environment, I'm not presently
> able to combine my functionality with that provided in pgsql-current.
> When it becomes a release, you may well hear back from me.
>
> -GAWollman
>
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

In response to

Browse pgsql-patches by date

  From Date Subject
Next Message Peter Eisentraut 2000-11-06 18:43:24 Re: Kerberos v5 support
Previous Message Garrett Wollman 2000-11-06 18:16:48 Re: Kerberos v5 support