Fwd: [PATCHES] Preliminary GSSAPI Patches

From: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Fwd: [PATCHES] Preliminary GSSAPI Patches
Date: 2007-04-30 22:23:25
Message-ID: E401617F-54FE-454E-B572-28A51E5CCB2C@jpl.nasa.gov
Lists: pgsql-hackers

OK, so posted. ;-)

To clarify for the larger audience: without the plain "gss"
mechanism, the "gss-np" mechanism provides exactly the same
functionality as the existing krb5 mechanism. It will properly
secure the initial connection, but will not do anything once the
connection is established. If the Kerberos GSSAPI mechanism is used
then it will follow exactly the same naming and file location
conventions.

What you gain is 1) it builds on Solaris 8+ with the built-in system
Kerberos support (no separate Kerberos install needed), 2) the
mechanism is portable to Java and native Windows clients, and 3) if
you have a mechanism other than Kerberos available (e.g. SPKM, or
SPNEGO/NTLM) in your GSSAPI then you could use it in place of Kerberos.

I'm afraid that the politics at work that might have caused an
adoption of a GSSAPI/JGSS Postgres Java client have changed, and they
will be using MySQL instead. |-( Given what I've said here, I still
feel obligated to provide Java mods, but your timeline will affect mine.

Begin forwarded message:

> From: Bruce Momjian <bruce(at)momjian(dot)us>
> Date: April 30, 2007 2:22:08 PM PDT
> To: "Henry B. Hotz" <hotz(at)jpl(dot)nasa(dot)gov>
> Subject: Re: [PATCHES] Preliminary GSSAPI Patches
>
>
> Please post this info to the hackers list and we will deal with it. I
> am thinking we might just keep this all for 8.4.
>
> ---------------------------------------------------------------------------
>
> Henry B. Hotz wrote:
>> Thanks!
>>
>> As noted, the patch is incomplete w.r.t. the "gss" auth mech because
>> it does not include code to actually encrypt the channel with the key
>> derived from the auth mech. I confess I have so far been
>> unsuccessful in inserting an additional layer of buffering to handle
>> the block encryption.
>>
>> Would you like a new version of the patch with the incomplete
>> functionality commented out (or otherwise removed)?
>>
>> Absent a volunteer to help, I think I should concentrate on getting
>> the "gss-np" unprotected auth mech supported in the Java client.
>>
>> On Apr 26, 2007, at 4:09 PM, Bruce Momjian wrote:
>>
>>>
>>> Your patch has been added to the PostgreSQL unapplied patches
>>> list at:
>>>
>>> http://momjian.postgresql.org/cgi-bin/pgpatches
>>>
>>> It will be applied as soon as one of the PostgreSQL committers
>>> reviews
>>> and approves it.
>>>
>>> ---------------------------------------------------------------------------
>>>
>>>
>>> Henry B. Hotz wrote:
>>>> These patches have been reasonably tested (and cross-tested) on
>>>> Solaris 9 (SPARC) and MacOS 10.4 (both G4 and Intel) with the
>>>> native
>>>> GSSAPI libraries. They implement the gss-np and (incompletely) the
>>>> gss authentication methods. Unlike the current krb5 method gssapi
>>>> has native support in Java and (with the SSPI) on Windows.
>>>>
>>>> I still have bugs in the security layer for the gss method.
>>>> Hopefully will finish getting them ironed out today or tomorrow.
>>>>
>>>> Documentation is in the README.GSSAPI file. Make sure you get it
>>>> created when you apply the patches.
>>>>
>>>
>>> [ Attachment, skipping... ]
>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> The opinions expressed in this message are mine,
>>>> not those of Caltech, JPL, NASA, or the US Government.
>>>> Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
>>>>
>>>>
>>>>
>>>
>>> --
>>> Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
>>> EnterpriseDB http://www.enterprisedb.com
>>>
>>> + If your life is a hard drive, Christ can be your backup. +
>>
>> ------------------------------------------------------------------------
>> The opinions expressed in this message are mine,
>> not those of Caltech, JPL, NASA, or the US Government.
>> Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
>>
>
> --
> Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
> EnterpriseDB http://www.enterprisedb.com
>
> + If your life is a hard drive, Christ can be your backup. +

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
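As an added illustration of the "additional layer of buffering" the thread describes, written here as example code and not taken from the patch or from PostgreSQL: once the auth exchange has produced a key, a "gss"-style channel (as opposed to "gss-np", which stops after authentication) sends each protocol message as a length-prefixed wrapped token, and the receiver must accumulate arbitrary socket chunks until a whole token is present before it can unwrap it and hand plaintext to the protocol parser. The session key, the 4-byte length prefix and the HMAC-based wrap()/unwrap() are assumptions standing in for a real key and for gss_wrap()/gss_unwrap().

```python
# Constructed example, not the patch's code: length-prefixed framing plus a receive
# buffer for wrapped tokens. wrap()/unwrap() are HMAC stand-ins for gss_wrap()/
# gss_unwrap() (integrity only); the key and frame format are assumed.
import hashlib, hmac, struct

KEY = b"constructed-session-key"  # stands in for the key the auth exchange derives
TAG_LEN = 32                      # SHA-256 tag length
HDR = struct.Struct("!I")         # 4-byte big-endian token length

def wrap(key, plaintext):  # stand-in for gss_wrap(): tag || plaintext
    return hmac.new(key, plaintext, hashlib.sha256).digest() + plaintext

def unwrap(key, token):  # stand-in for gss_unwrap(): rejects truncated/corrupted/forged
    tag, body = token[:TAG_LEN], token[TAG_LEN:]
    if len(token) < TAG_LEN or not hmac.compare_digest(tag, wrap(key, body)[:TAG_LEN]):
        raise ValueError("token integrity check failed")
    return body

def frame(key, plaintext):  # sender side: one message -> one length-prefixed token
    token = wrap(key, plaintext)
    return HDR.pack(len(token)) + token

class TokenReader:
    """Receiver side: the buffering layer between the socket and the parser."""
    MAX_TOKEN = 1 << 20  # refuse absurd lengths before buffering for them
    def __init__(self, key):
        self.key, self.buf = key, b""
    def feed(self, chunk):
        """Absorb whatever the socket delivered; return every complete message."""
        self.buf += chunk
        out = []
        while len(self.buf) >= HDR.size:
            (n,) = HDR.unpack_from(self.buf)
            if n > self.MAX_TOKEN:
                raise ValueError("oversized token")
            if len(self.buf) < HDR.size + n:
                break  # partial token: wait for more bytes
            token, self.buf = self.buf[HDR.size:HDR.size + n], self.buf[HDR.size + n:]
            out.append(unwrap(self.key, token))
        return out

def demo(chunk=7):
    """Messages delivered in small pieces come back intact; a corrupted one is rejected."""
    wire = frame(KEY, b"Q\x00SELECT 1;\x00") + frame(KEY, b"X")
    reader, got = TokenReader(KEY), []
    for i in range(0, len(wire), chunk):
        got += reader.feed(wire[i:i + chunk])
    bad = bytearray(frame(KEY, b"X")); bad[-1] ^= 1  # corrupt one token byte
    caught = False
    try: TokenReader(KEY).feed(bytes(bad))
    except ValueError: caught = True
    return got, caught
```

The point the thread circles around is that the buffering layer, not the wrap call, is where partial reads and length handling have to be got right; a real implementation would also bound the total buffered bytes per connection.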
