Re: Future of krb5 authentication

On Wed, Jul 18, 2007 at 06:01:33PM -0400, Stephen Frost wrote:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> > Oh, they're fully interchangeable at the wire level? Is this true both
> > with respect to the PG client/backend protocol and the protocol to the
> > authentication server?
>
> I believe that's the case, yes.

It is, as long as you use Kerberos auth.

It's of course not if you use SSPI with NTLM, but that's not surprising.

> > If there's no interoperability issues then I
> > agree that a configure-time choice is sufficient for selecting which
> > library to use.
>
> In general I agree, but I'd like to see builds for Windows which support
> them and I'm not sure that'll happen quite as regularly. :/

Well, again, that's fairly easy to do by setting up a buildfarm member.

> Aside from that issue though, if we're going to continue krb5 support
> (which I'd encourage unless we have some reason to stop) and it's not
> too much effort (I get the impression it's not) to support both
> concurrently, I'd really appreciate it. :) I'm not aware of any 'funny
> business' which would be involved in supporting them both at the same
> time, and I believe Magnus is working on it.

That is the point. It's going to be some more code, but that code will be
fairly trivial.

That's for client. How should we go about doing it on the server side?
Perhaps just add the ability to specify sspi as authentication method, to
differentiate it from gss?

//Magnus