
Re: Preliminary GSSAPI Patches

From: "Henry B(dot) Hotz" <hbhotz(at)oxy(dot)edu>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: sfrost(at)snowman(dot)net, pgsql-patches(at)postgresql(dot)org
Subject: Re: Preliminary GSSAPI Patches
Date: 2007-06-25 07:31:44
Message-ID: 4D7E3242-EBED-4E95-881A-92BAC2E891A1@oxy.edu
Lists: pgsql-patches
On Jun 24, 2007, at 11:03 PM, Magnus Hagander wrote:

>> I'm told that the way Apple's equivalent to mod_auth_kerb works is it
>> uses GSS_C_NO_CREDENTIAL and then does a case-insensitive compare of
>> the resulting match to "HTTP".  We could do the same thing, if you
>> think it's worth it.
>
> Do you know if this is documented somewhere? It's always nice with  
> references.

Not as far as I know, publicly.

I heard most of it from an Apple developer at the 2005 WWDC (and I  
inferred the rest from things Sam Hartman has said).  I guess that  
technically puts it under NDA, except I think the code in question is  
open source.  I don't know which project it's in so I haven't been  
able to locate it to verify what I said for sure.

What I can say for certain concerns the client side.  Apple's Safari  
browser went through at least two iterations before they got it  
right:  1) in OSX 10.3 Safari would ask for a  
"server/server.example.com" service ticket.  2) in early 10.4 Safari  
would ask for a "http/server.example.com" service ticket (this  
actually works fine if you have Active Directory as your Kerberos  
server, and IIS, or Apple as your web server).  3) in later 10.4  
Safari asks for a "HTTP/server.example.com" service ticket.  This is  
the correct thing to do.

Due to the numbers of people talking to Apple about the situation  
(state 2) during that WWDC, they publicly acknowledged the problem  
and promised to fix it during the same WWDC.  If you have access to  
the video recordings you can probably find the relevant session in  
the latter half of the week.

The key technical point is that Kerberos is case sensitive, but  
Windows Kerberos isn't.  We can deal with that how we choose, but I  
kind of like Apple's solution.  It's annoying to have to put two  
service principals in the keytab, but I personally prefer that to  
going upper-case only just 'cause that's the only way Windows SSPI  
clients can work with non-Windows servers.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
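
The service-name check discussed in this thread, as an added example that is not part of the original message or of the PostgreSQL patch: when a context is accepted with GSS_C_NO_CREDENTIAL, any principal in the keytab may have matched, so the server confirms afterwards which one did. The sketch assumes the acceptor name is already available as a display string of the form service/host@REALM with no escaped separators; the function name `acceptor_name_ok` and the realm EXAMPLE.COM are hypothetical, and comparing host and realm exactly is an assumption (the thread only specifies the case-insensitive service comparison).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality of a[0..n) and the NUL-terminated b. */
static int ieq(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
            return 0;
    return 1;
}

/* Exact (case-sensitive) equality of a[0..n) and the NUL-terminated b. */
static int eq(const char *a, size_t n, const char *b)
{
    return strlen(b) == n && memcmp(a, b, n) == 0;
}

/*
 * Check a displayed acceptor principal "service/host@REALM".
 * Service is compared case-insensitively; host and realm exactly
 * (assumption of this example). Returns 1 on match, 0 otherwise.
 */
int acceptor_name_ok(const char *princ, const char *service,
                     const char *host, const char *realm)
{
    const char *slash = princ ? strchr(princ, '/') : NULL;
    const char *at = princ ? strrchr(princ, '@') : NULL;

    if (slash == NULL || at == NULL || at < slash)
        return 0;               /* not of the form service/host@REALM */
    if (slash == princ || at == slash + 1 || at[1] == '\0')
        return 0;               /* empty service, host or realm */
    return ieq(princ, (size_t) (slash - princ), service)
        && eq(slash + 1, (size_t) (at - slash - 1), host)
        && eq(at + 1, strlen(at + 1), realm);
}

int main(void)
{
    /* Constructed sample name: the "http/" form from the message. */
    const char *p = "http/server.example.com@EXAMPLE.COM";
    printf("%s -> %d\n", p,
           acceptor_name_ok(p, "HTTP", "server.example.com", "EXAMPLE.COM"));
    return 0;
}
```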


