Re: Fwd: [PATCHES] Preliminary GSSAPI Patches

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches
Date: 2007-05-01 08:11:42
Message-ID: 4636F63E.8000908@hagander.net
Lists: pgsql-hackers

Tom Lane wrote:
> "Henry B. Hotz" <hotz(at)jpl(dot)nasa(dot)gov> writes:
>> Don't you want to maintain some interoperability between 8.2 client/
>> server and 8.3 server/client at least?
>
> Hm, you mean that what you called a C API change actually
> break^H^H^H^H^Hchanges the on-the-wire protocol as well?
> That sounds not very nice :-(

It's a completely new authentication method, that just happens to use
Kerberos underneath it. And it uses the API/wire protocol that's
recommended by the Kerberos folks. And in fact when talking to the MIT
folks back when I found that security issue two years back it seems
we're more or less the only ones other than sample apps that use the
"native api".

Fact is that the way we do it now is not very "pretty". The GSSAPI way
lets PostgreSQL handle sending/receiving and wrapping in whatever we
want, whereas the current method we just pass in the socket. I think in
a lot of ways it's just pure luck that it works reasonably well
alongside OpenSSL for example.

I think the correct path is to put it in GSSAPI and deprecate krb5 for
at least one release, and then get rid of krb5 completely.

Oh, and I do think putting in GSSAPI authentication only (and not
encryption) is the way to go for now, since we can do encryption with
OpenSSL. It'll make the changes localized to just the authentication.

//Magnus
