Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

From: Tom I Helbekkmo <tih(at)Hamartun(dot)Priv(dot)NO>
To: Goran Thyni <goran(at)bildbasen(dot)se>, brett(at)work(dot)chicken(dot)org
Cc: ocie(at)paracel(dot)com, maillist(at)candle(dot)pha(dot)pa(dot)us, scrappy(at)hub(dot)org, jwieck(at)debis(dot)com, Andreas(dot)Zeugswetter(at)telecom(dot)at, pgsql-hackers(at)hub(dot)org
Subject: Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)
Date: 1998-02-26 21:58:36
Message-ID: 19980226225836.37537@Hamartun.Priv.NO
Lists: pgsql-hackers

On Thu, Feb 26, 1998 at 04:35:18PM -0000, Goran Thyni wrote:

> Yes, just use ssh as-is and run psql etc in a ssh tunnel
> when running over insecure nets.

It is not the case that ssh is a complete replacement for anything and
everything in the way of authentication, authorization and encryption.
Among other things, "just use an ssh tunnel" means you have to have
had a previous out-of-band exchange of keys between the end-points for
the authentication to be completely secure. Thus, ssh does not by
itself scale very well. (This is, of course, the reason why Kerberos
is supported as an authentication method in recent versions of ssh.
This is good for people who use Kerberos 5, the version that ssh now
supports, but only people inside the US can legally do that, and for
those of us who still use Kerberos IV (I legally run the version from
KTH, in Sweden, both at home and at work), ssh won't always cut it.)

> IMHO, even Kerberos should be removed.

I strongly disagree. On the off chance that the ability to utilize
cryptographic software not even included in the release somehow makes
PostgreSQL a weapon in the eyes of the US government, I guess it would
be necessary to remove it, but I can't believe that their laws can be
so mind-bogglingly stupid? If this is the case, shouldn't /bin/cat be
export restricted, because you can use it to stuff text into software
that encrypts it?

Kerberos itself is export restricted, because it contains software
that implements cryptographic functions (specifically, the Top Secret
algorithm called DES, which it would mean the end of civilization as
we know it if anyone outside the US found out how it works), but this
surely cannot mean that anything that can use Kerberos is tainted?

The operating system I use the most, NetBSD, comes with the ability to
use Kerberos authentication present in various program sources, but
the actual Kerberos IV source code is in a separate, export restricted
package. At a US site, when this is installed, you can compile the
sources in question with proper -D flags to enable the calls to the
Kerberos functions. I've always understood this to be entirely legal.

Anyway, if it should at some point be decided to strip PostgreSQL of
any way of even calling user supplied cryptographic functions, PLEASE
don't do this without creating a clean, documented framework for
adding authentication methods to the system, so that those of us who
need secure authentication can reintegrate Kerberos and the like on
our own...

-tih
--
Popularity is the hallmark of mediocrity. --Niles Crane, "Frasier"
