Skip site navigation (1) Skip section navigation (2)

Re: SSPI authentication - patch

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: pgsql-patches <pgsql-patches(at)postgresql(dot)org>
Subject: Re: SSPI authentication - patch
Date: 2007-07-19 22:22:57
Message-ID: 20070719222257.GR4887@tamriel.snowman.net (view raw or flat)
Thread:
Lists: pgsql-patches
* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> Here's an updated version of this patch. This version has full SSPI support
> in the server as well, so I can do both kerberos and NTLM between two
> windows machines using the negotiate method.

Great!  Also, I've tested that it works under Windows using
PGGSSLIB=gssapi with the MIT GSS libraries.  I did have to set the
PGKRBSRVNAME to 'postgres'.  It worked excellently. :)

> Since SSPI and GSSAPI can now both be used, my plan is not to have an
> autoconf to disable SSPI, but to just enable it unconditionally on win32.
> Or does this seem like a bad idea?

My thinking would be to have the autoconf to disable it, but enable it
by default.  I don't feel particularly strongly about it though.

> Comments welcome.

It looks good in general to me (though I'm not super-familiar with
SSPI).  My one big concern is this:

>   /* Define to the name of the default PostgreSQL service principal in Kerberos.
>      (--with-krb-srvnam=NAME) */
> ! #define PG_KRB_SRVNAM "postgres"
>   
>   /* A string containing the version number, platform, and C compiler */
>   #define PG_VERSION_STR "Uninitialized version string (win32)"
> --- 582,588 ----
>   
>   /* Define to the name of the default PostgreSQL service principal in Kerberos.
>      (--with-krb-srvnam=NAME) */
> ! #define PG_KRB_SRVNAM "POSTGRES"

I understand that SSPI is case-insensitive, or folds to uppercase, or
whatever, but this is *not* used only by the SSPI code.  Please correct
me if I'm wrong, but this will break existing krb-auth using client
applications/setups that went with the previous default, no?  I realize
it's on Windows, but there are people out there with that
configuration (yes, like me... :)...

I don't particularly like it but, honestly, it seems like it might be
better to set it based on what's being used (GSSAPI/SSPI/KRB5)?  This
would be for the client-side, as I guess we've decided it's okay to just
pick whatever keytab the users provide that's in our server-side
keytab.

	Thanks again!

		Stephen

In response to

Responses

pgsql-patches by date

Next:From: Tatsuo IshiiDate: 2007-07-20 03:03:02
Subject: Re: CREATE TABLE LIKE INCLUDING INDEXES support
Previous:From: Magnus HaganderDate: 2007-07-19 11:53:15
Subject: Re: SSPI authentication - patch

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group