Skip site navigation (1) Skip section navigation (2)

Re: Preliminary GSSAPI Patches

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Henry B(dot) Hotz" <hbhotz(at)oxy(dot)edu>, Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-patches(at)postgresql(dot)org
Subject: Re: Preliminary GSSAPI Patches
Date: 2007-10-10 17:53:17
Message-ID: 470D118D.50300@hagander.net (view raw or flat)
Thread:
Lists: pgsql-patches
Tom Lane wrote:
> "Henry B. Hotz" <hbhotz(at)oxy(dot)edu> writes:
>> You know, I don't know what I was thinking when I sent this.  My  
>> apologies for the late correction.
>>
>> Anyone who has a copy of the "host" keys for a machine can  
>> manufacture kerberos tickets for the "host" service on that machine  
>> masquerading as absolutely anyone (including people who don't  
>> exist).  Same for the "postgres" keys, and if the postgres server can  
>> steal the host keys (or vice versa) then it's even worse.
>> [snip...]
> 
> Maybe I'm too dense, but I don't see a conclusion here.  Do we need to
> change our code, our docs, both, or neither?

I don't think we do. If you use service keys per our documentation, you
should be fine. And if someone owns your host keys, you lost already.

//Magnus


In response to

Responses

pgsql-patches by date

Next:From: Sergey V. KarpovDate: 2007-10-10 18:24:55
Subject: Re: Preliminary patch for tsearch example dictionaries/parsers in contrib
Previous:From: Tom LaneDate: 2007-10-10 17:06:32
Subject: Re: Preliminary GSSAPI Patches

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group