From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: 8.3 GSS Issues |
Date: | 2007-10-20 23:59:57 |
Message-ID: | 200710202359.l9KNxve12908@momjian.us |
Lists: | pgsql-hackers |
Sorry, wrong email. Nothing applied.
---------------------------------------------------------------------------
Henry B. Hotz wrote:
> I know I haven't been very active for a while here, but I just got to
> testing the October 3 version a bit prior to getting back to the Java
> GSS client stuff I promised. There seem to be some funny things there.
>
> The only serious issue is that the server doesn't require the realm
> name to match. I haven't looked at how that broke yet, but I know I
> was careful of that point in my original patches because it's always
> been wrong in the Kerberos 5 auth method.
>
> If I set up a server I might conceivably get connections from:
>
> smith(at)JPL(dot)NASA(dot)GOV
> smith(at)STANFORD(dot)EDU
> smith(at)ARC(dot)NASA(dot)GOV
> smith(at)GSFC(dot)NASA(dot)GOV
> smith(at)KSC(dot)NASA(dot)GOV
> <same for every other NASA center, HQ, plus a "fake" realm relating
> to how NASA set up AD>
>
> Now the only two of those that *might* be the same person are the
> first two, and that's only if the Stanford person has a grant to work
> on a JPL project and got put in our infrastructure as an affiliate,
> *and* the username wasn't already taken.
>
> It appears that you can just put a complete (realm-included) name
> into postgres, so that's obviously the way to support gssapi
> connections from non-default realms.
>
> In short this is a security hole. IMO it should be fixed prior to
> release.
>
> ---------
>
> I notice there are hba options for gss and sspi both. Why?
>
> Is there some windows-only functionality it enables? Shouldn't we be
> using Microsoft's advertised GSSAPI/SSPI compatibility? If you build
> on Windows then I'm sure you want to link the SSPI libraries rather
> than require installation of a separate package, but that shouldn't
> change the functionality or the wire protocol AFAIK. In other words
> I would expect this to be a build-time option.
>
> ---------
>
> At the risk of diluting my message: I still think it's a mistake to
> call it gss instead of something like gss-noprot. I believe this
> will cause misunderstandings in the future when we get the security
> layer of gssapi implemented.
>
> ---------
>
> There's no way to specify the gssapi library to use. I have three on
> my main development Sun: MIT, Sun, and Heimdal. I might have more
> than one version of one of those three at some times. Of course
> there's no way to specify which kerberos 5 library or openssl library
> you want either, so consider this a feature request for future
> development.
>
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://postgres.enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
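
The realm check discussed in the quoted message, as an added C example (not part of this e-mail thread and not PostgreSQL's code): a mapping that ignores the realm beside one that requires it. The function names, the `default_realm` parameter and the sample principals are assumptions, and principals are assumed to be plain `name@REALM` strings with no escaped `@`.

```c
#include <stdio.h>
#include <string.h>

/* Weak check: discards the realm, so any realm's "smith" matches role "smith". */
static int map_ignore_realm(const char *principal, const char *role)
{
    const char *at = strrchr(principal, '@');
    size_t n = at ? (size_t)(at - principal) : strlen(principal);
    return strlen(role) == n && strncmp(principal, role, n) == 0;
}

/* Strict check (hypothetical policy):
 *  - a role that contains '@' must equal the full principal;
 *  - a bare role matches only a principal in default_realm.
 * Realm comparison is case-sensitive, as Kerberos realms are. */
static int map_require_realm(const char *principal, const char *role,
                             const char *default_realm)
{
    const char *at = strrchr(principal, '@');
    size_t n;

    if (at == NULL || at == principal || at[1] == '\0')
        return 0;                       /* missing name or realm: reject */
    if (strchr(role, '@') != NULL)
        return strcmp(principal, role) == 0;
    if (strcmp(at + 1, default_realm) != 0)
        return 0;                       /* foreign realm, bare role: reject */
    n = (size_t)(at - principal);
    return strlen(role) == n && strncmp(principal, role, n) == 0;
}

int main(void)
{
    /* Constructed sample principals using realm names from the message. */
    const char *principals[] = { "smith@JPL.NASA.GOV", "smith@STANFORD.EDU",
                                 "smith@ARC.NASA.GOV" };
    size_t i;

    for (i = 0; i < sizeof principals / sizeof principals[0]; i++)
        printf("%-20s ignore_realm=%d require_realm=%d\n", principals[i],
               map_ignore_realm(principals[i], "smith"),
               map_require_realm(principals[i], "smith", "JPL.NASA.GOV"));
    return 0;
}
```

With the strict check, a user from another realm is admitted only when the role is stored as the complete, realm-included name.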