Magnus Hagander wrote:
> Stephen Frost wrote:
>> * Henry B. Hotz (hbhotz(at)oxy(dot)edu) wrote:
>>> On Jun 22, 2007, at 9:56 AM, Magnus Hagander wrote:
>>>> Most likely it's just checking the keytab to find a principal with the
>>>> same name as the one presented from the client. Since one is present,
>>>> it loads it up automatically, and verifies against it.
>>> The server uses the keytab to decrypt the token provided by the
>>> client. By using the GSS_C_NO_CREDENTIAL arg on the server anything
>>> put in the keytab is OK. (The server doesn't need to authenticate
>>> itself to Kerberos, it just accepts authentication. Mutual
>>> authentication is done using the same keys.) The documentation needs
>>> to reflect that.
>> I agree there's some disconnect there between the documentation and the
>> apparent implementation but I'm not sure I'm in favor of changing the
>> documentation on this one. Personally, I'd rather it return an error if
>> someone tries to use GSS_C_NO_CREDENTIAL when accepting a context than
>> to just be happy using anything in the keytab.
> How about doing both, then? Set the principal name if it's specified in
> the config file. If it's explicitly set to an empty string, use
> GSS_C_NO_CREDENTIAL. Seems straightforward enough to me, and shouldn't
> be hard to implement.
Here's an updated patch that does this.
Description: text/x-patch (29.6 KB)