|From:||"Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>|
|To:||"Peter Koczan" <pjkoczan(at)gmail(dot)com>|
|Cc:||"Kris Jurka" <books(at)ejurka(dot)com>, pgsql-jdbc(at)postgresql(dot)org|
|Subject:||Re: JDBC and GSSAPI/Krb5|
|Views:||Raw Message | Whole Thread | Download mbox|
On Dec 6, 2007, at 11:47 AM, Peter Koczan wrote:
> On Dec 6, 2007 1:10 PM, Henry B. Hotz <hotz(at)jpl(dot)nasa(dot)gov> wrote:
>> Thank you. I'm looking at it.
>> I think the changes *should* be localized to v3/
>> ConnectionFactoryImpl.java. I need to see how Magnus changed the
>> wire protocol (he did it differently from what I did), and I need to
>> try a sample program first so I can debug wire/API issues
>> independently from PG issues.
>> I will not even attempt to address the SSPI auth mechanism since I
>> don't understand fully why it exists. SSPI is supposed to just be an
>> alternate C binding for the GSSAPI wire protocol, but there are other
>> issues that confound that statement. I believe that Java should
>> stick to the standard, at least initially.
> According to this, SSPI is a Windows-only thing (for both clients and
> servers). Apparently each can authenticate against a "gss" entry in
> I don't know what implications that has for support in the JDBC
> driver. I'll let you figure that out :-).
What he says about not verifying the domain is a serious security bug
IMO, but it's been discussed. I think it's a little more complex
than that posting indicates.
If they are wire-compatible then there is no reason to use a
different value on the wire to differentiate them. This is the point
that I said I didn't understand.
This is the wrong audience for these complaints though.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
|Next Message||Kris Jurka||2007-12-06 20:05:52||Re: JDBC and GSSAPI/Krb5|
|Previous Message||Peter Koczan||2007-12-06 19:50:06||Re: JDBC and GSSAPI/Krb5|