
Re: Preliminary GSSAPI Patches

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: "Henry B(dot) Hotz" <hbhotz(at)oxy(dot)edu>, sfrost(at)snowman(dot)net, pgsql-patches(at)postgresql(dot)org
Subject: Re: Preliminary GSSAPI Patches
Date: 2007-06-23 12:53:03
Message-ID: 467D17AF.5020500@hagander.net
Lists: pgsql-patches
Magnus Hagander wrote:
> Stephen Frost wrote:
>> * Henry B. Hotz (hbhotz(at)oxy(dot)edu) wrote:
>>> On Jun 22, 2007, at 9:56 AM, Magnus Hagander wrote:
>>>> Most likely it's just checking the keytab to find a principal with the
>>>> same name as the one presented from the client. Since one is present, it
>>>> loads it up automatically, and verifies against it.
>>> Bingo!
>>>
>>> The server uses the keytab to decrypt the token provided by the  
>>> client.  By using the GSS_C_NO_CREDENTIAL arg on the server anything  
>>> put in the keytab is OK.  (The server doesn't need to authenticate  
>>> itself to Kerberos, it just accepts authentication.  Mutual  
>>> authentication is done using the same keys.)  The documentation needs  
>>> to reflect that.
>> I agree there's some disconnect there between the documentation and the
>> apparent implementation but I'm not sure I'm in favor of changing the
>> documentation on this one.  Personally, I'd rather it return an error if
>> someone tries to use GSS_C_NO_CREDENTIAL when accepting a context than
>> to just be happy using anything in the keytab.
> 
> How about doing both, then? Set the principal name if it's specified in
> the config file. If it's explicitly set to an empty string, use
> GSS_C_NO_CREDENTIAL. Seems straightforward enough to me, and shouldn't
> be hard to implement.

Here's an updated patch that does this.

//Magnus

Attachment: gssapi.patch
Description: text/x-patch (29.6 KB)
