Re: Postgres 8.1.x and MIT Kerberos 5

From: Mohan K <mohan(dot)anon(at)gmail(dot)com>
To: Magnus Hagander <mha(at)sollentuna(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org, pgsql-admin(at)postgresql(dot)org
Subject: Re: Postgres 8.1.x and MIT Kerberos 5
Date: 2006-02-06 15:10:34
Message-ID: 655c73580602060710q29517camf200af8cd010d61a@mail.gmail.com
Lists: pgsql-admin, pgsql-hackers

Hello Magnus,

Regarding the configure issue:
 The platform is Tru64 Unix 5.1b. The problem I had was that we have
compiled our Kerberos build statically and it is installed in a
directory other than the standard location. The trick of adding to LIBS
did not work, as the (krb5support) library needs to come after the
other libs (is there a way to control that?).


As for the security issue with Kerberos, here is the relevant thread:

http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.html

I am sorry, it was in the Kerberos mailing list, not Postgres.


On 2/5/06, Magnus Hagander <mha(at)sollentuna(dot)net> wrote:
> > Greetings,
> >  I was trying to do a source build of postgres 8.1.x with the MIT
> > Kerberos 5 1.4.x implementation.
> > The whole thing bombs out. After some digging, I had to hack
> > the autoconf script (configure.in) to properly account for
> > the way the libraries are built for 1.4.x. I don't know
> > whether an earlier post had the same issue. I think it boils
> > down to adding the 'libkrb5support' when all the krb5 libs
> > are checked in the configure script.
>
> (This is better asked in -hackers, I think, copying there)
>
> What platform is this? I use it with krb5 1.4.3 on Linux (slackware)
> without any modifications at all. Perhaps platform specific behaviour?
>
> The postmaster is linked to libkrb5support, but I only have "-lkrb5" in
> my LIBS as generated by configure. However, if I do "ldd" on libkrb5.so
> I see that one pulls in libkrb5support.
>
>
> > On another note, is the kerberos authentication secure, I had
> > searched some old threads, where it was indicated the
> > principal is not checked by the db as a valid user. Is this
> > still the case?
>
> The principal name is definitely checked by the db as a valid user, and
> AFAIK it always has been (do you have a reference to where it says it
> doesn't?)
>
> The *REALM* is not checked, however. This can cause problems if you have
> a multi-realm system (where the realms already trust each other, because
> the KDC has to give out the service ticket) where you have the same
> username existing in multiple realms representing different users.
>
> If you're in a single realm, it's definitely secure.
>
> //Magnus
>
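
The realm caveat in the quoted reply, as an added example that is not part of the original messages and is not PostgreSQL's code: a check that compares only the name part of a principal accepts the same user name from any trusted realm, while a check pinned to one expected realm does not. The function names, realm names and principals below are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the name part of "name@REALM": stops at the first '@' that is
 * not backslash-escaped (Kerberos principal names escape '@' as "\@"). */
static size_t name_len(const char *princ)
{
    size_t i = 0;
    while (princ[i] && princ[i] != '@') {
        if (princ[i] == '\\' && princ[i + 1])
            i++;                        /* skip the escaped character */
        i++;
    }
    return i;
}

/* Realm-blind check: only the name part is compared with the database user.
 * The name is compared in its raw (still escaped) form, so it fails closed. */
bool match_name_only(const char *princ, const char *db_user)
{
    size_t n = name_len(princ);
    return n > 0 && strlen(db_user) == n && strncmp(princ, db_user, n) == 0;
}

/* Realm-pinned check: the principal must carry a realm, and that realm must
 * equal the one the server expects (realm names are case-sensitive). */
bool match_with_realm(const char *princ, const char *db_user,
                      const char *expected_realm)
{
    size_t n = name_len(princ);
    if (princ[n] != '@')
        return false;                   /* no realm present: reject */
    return strcmp(princ + n + 1, expected_realm) == 0
        && match_name_only(princ, db_user);
}

int main(void)
{
    /* Constructed principals: two different people named "alice". */
    const char *home = "alice@EXAMPLE.COM", *other = "alice@PARTNER.EXAMPLE";
    printf("name only:  home=%d other=%d\n",
           match_name_only(home, "alice"), match_name_only(other, "alice"));
    printf("with realm: home=%d other=%d\n",
           match_with_realm(home, "alice", "EXAMPLE.COM"),
           match_with_realm(other, "alice", "EXAMPLE.COM"));
    return 0;
}
```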
