Henry B. Hotz wrote:
> Well, that's why I was pushing SASL instead of GSSAPI. There are
> multiple mechanisms that are actually in use.
> PAM turned out not to be sufficiently specified for cross-platform
> behavioral compatibility, and it only does password checking anyway.
> Calling it a security solution is a big overstatement IMO. I guess a
> lot of people use PAM with SSL and don't worry about the gap between
> the two (which SASL or GSSAPI close).
> In defense of GSSAPI non-Kerberos mechanisms do exist. They just
> cost money and they aren't very cross-platform. AFAIK GSSAPI has no
> simple password mechanisms.
> There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's
> being implemented fairly widely now, but it's just a sub-negotiation
> mech that lets you choose between a Kerberos 5 (that's practically
> identical to the direct one), and NTLM. If you allow NTLM you'd
> better limit it to NTLMv2!
As already mentioned, the limitations of PAM weren't clear until after
we implemented it, so I expect the same to happen here, and the number
of acronyms flying around in this discussion is a bad sign too.
Bruce Momjian bruce(at)momjian(dot)us
+ If your life is a hard drive, Christ can be your backup. +
In response to
pgsql-hackers by date
|Next:||From: Bruce Momjian||Date: 2006-09-30 03:55:18|
|Subject: Re: Per-database search_path|
|Previous:||From: Joshua D. Drake||Date: 2006-09-30 02:31:21|
|Subject: Re: Win32 hard crash problem|