
Re: Patch to add Heimdal kerberos support

From: Bill Studenmund <wrstuden(at)netbsd(dot)org>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Patch to add Heimdal kerberos support
Date: 2001-11-14 22:42:37
Message-ID: Pine.NEB.4.33.0111141419020.29259-100000@vespasia.home-net.internetconnect.net
Lists: pgsql-patches

On Wed, 14 Nov 2001, Peter Eisentraut wrote:

> No idea about the deprecatedness, but our Kerberos code does compile with
> the Kerberos V shipped in Red Hat 7.0 (MIT, I think), and the Kerberos IV
> code compiled successfully with KTH Kerberos last time I checked.
>
> However, most of the three people that ever mentioned anything detailed
> about the Kerberos support in PostgreSQL had the sound of "fundamentally
> flawed", "totally insecure", etc.

I'll admit our kerberos support was NOT what I expected it to be when I
got it working; I was quite surprised to see all of the queries going by
in the clear.

It depends on what you want. If you want to not have clear-text passwords
go by and to have a very good idea who the person on the other side of the
session is, then this kerberos support does that. No one will be able to
sniff a password off of this. It's like kpop or telnet -a.

If you expected an encrypted session, well, you don't get it. This isn't
telnet -ax. :-(

Is there interest in supporting encrypted sessions? I can think of two
ways to do it: 1) in addition to kerberos as an authentication, we also
add kerberos-priv which is the current kerberos but we switch to encryption
once we indicate successful authentication. 2) we add a start-encrypting
command to the protocol.

I dislike 2) as the best encryption key to use is the one we got with the
authentication step, which we'd have to hang onto for a while in case we
decided to start encrypting.

Take care,

Bill

