Re: Fwd: [PATCHES] Preliminary GSSAPI Patches

From: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches
Date: 2007-04-30 23:23:13
Message-ID: 8C1025B6-80F8-414A-BAA6-42F239E1F397@jpl.nasa.gov
Lists: pgsql-hackers

Excuse me for replying to myself, but maybe it would be clearer if I
said this the other way around:

The existing Kerberos support uses a C API that is not supported in
Java or on Windows, and probably never will be. If we want to
support Kerberos on *all* platforms (and if we want expandability to
non-Kerberos, non-password authentication methods) then Postgres
should use the GSSAPI instead. The submitted patches allow that.

I tend to regard this as a comparable migration to the Kerb4 -> Kerb5
one. In time it should be a complete replacement. In time we will
be able to rip out the existing Kerb5 code.

On Apr 30, 2007, at 3:23 PM, Henry B. Hotz wrote:

> OK, so posted. ;-)
>
> To clarify for the larger audience: without the plain "gss"
> mechanism, the "gss-np" mechanism provides exactly the same
> functionality as the existing krb5 mechanism. It will properly
> secure the initial connection, but will not do anything once the
> connection is established. If the Kerberos GSSAPI mechanism is
> used then it will follow exactly the same naming and file location
> conventions.
>
> What you gain is 1) it builds on Solaris 8+ with the built-in
> system Kerberos support (no separate Kerberos install needed), 2)
> the mechanism is portable to Java and native Windows clients, and
> 3) if you have a mechanism other than Kerberos available (e.g.
> SPKM, or SPNEGO/NTLM) in your GSSAPI then you could use it in place
> of Kerberos.
>
> I'm afraid that the politics at work that might have caused an
> adoption of a GSSAPI/JGSS Postgres Java client have changed, and
> they will be using MySQL instead. |-( Given what I've said here,
> I still feel obligated to provide Java mods, but your timeline will
> affect mine.
>
> Begin forwarded message:
>
>> From: Bruce Momjian <bruce(at)momjian(dot)us>
>> Date: April 30, 2007 2:22:08 PM PDT
>> To: "Henry B. Hotz" <hotz(at)jpl(dot)nasa(dot)gov>
>> Subject: Re: [PATCHES] Preliminary GSSAPI Patches
>>
>>
>> Please post this info to the hackers list and we will deal with it.
>> I am thinking we might just keep this all for 8.4.
>>
>> ---------------------------------------------------------------------------
>>
>> Henry B. Hotz wrote:
>>> Thanks!
>>>
>>> As noted, the patch is incomplete w.r.t. the "gss" auth mech because
>>> it does not include code to actually encrypt the channel with the key
>>> derived from the auth mech. I confess I have so far been
>>> unsuccessful in inserting an additional layer of buffering to handle
>>> the block encryption.
>>>
>>> Would you like a new version of the patch with the incomplete
>>> functionality commented out (or otherwise removed)?
>>>
>>> Absent a volunteer to help, I think I should concentrate on getting
>>> the "gss-np" unprotected auth mech supported in the Java client.
>>>
>>> On Apr 26, 2007, at 4:09 PM, Bruce Momjian wrote:
>>>
>>>>
>>>> Your patch has been added to the PostgreSQL unapplied patches list at:
>>>>
>>>> http://momjian.postgresql.org/cgi-bin/pgpatches
>>>>
>>>> It will be applied as soon as one of the PostgreSQL committers reviews
>>>> and approves it.
>>>>
>>>> ---------------------------------------------------------------------------
>>>>
>>>>
>>>> Henry B. Hotz wrote:
>>>>> These patches have been reasonably tested (and cross-tested) on
>>>>> Solaris 9 (SPARC) and MacOS 10.4 (both G4 and Intel) with the native
>>>>> GSSAPI libraries. They implement the gss-np and (incompletely) the
>>>>> gss authentication methods. Unlike the current krb5 method gssapi
>>>>> has native support in Java and (with the SSPI) on Windows.
>>>>>
>>>>> I still have bugs in the security layer for the gss method.
>>>>> Hopefully will finish getting them ironed out today or tomorrow.
>>>>>
>>>>> Documentation is in the README.GSSAPI file. Make sure you get it
>>>>> created when you apply the patches.
>>>>>
>>>>
>>>> [ Attachment, skipping... ]
>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> The opinions expressed in this message are mine,
>>>>> not those of Caltech, JPL, NASA, or the US Government.
>>>>> Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
>>>>>
>>>>
>>>> --
>>>> Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
>>>> EnterpriseDB http://www.enterprisedb.com
>>>>
>>>> + If your life is a hard drive, Christ can be your backup. +
>>>
>>
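The piece Henry says he could not finish is the channel-protection layer for the "gss" mechanism: once the context is established, every message must be wrapped under the negotiated key, and the receiver must reassemble whole wrapped tokens from a byte stream that does not preserve token boundaries. The following is an added example and is not code from the patch or from PostgreSQL: the hypothetical fake_wrap/fake_unwrap stand in for gss_wrap/gss_unwrap (a real context is needed for those), and the 4-byte big-endian length prefix is an assumed framing.

```c
#include <stdint.h>
#include <string.h>
#define MAX_TOKEN 4096
/* Stand-ins for gss_wrap()/gss_unwrap() (hypothetical, not GSSAPI). A real wrap
 * token is opaque and longer than the plaintext, so we add an 8-byte tag and XOR
 * the body only to make the sizes differ. No protection is implied. */
static size_t fake_wrap(const uint8_t *in, size_t n, uint8_t *tok) {
    memcpy(tok, "WRAPTOK1", 8);
    for (size_t i = 0; i < n; i++) tok[8 + i] = in[i] ^ 0x5a;
    return n + 8;
}
static int fake_unwrap(const uint8_t *tok, size_t n, uint8_t *out, size_t *outn) {
    if (n < 8 || memcmp(tok, "WRAPTOK1", 8) != 0) return -1; /* reject bad token */
    for (size_t i = 8; i < n; i++) out[i - 8] = tok[i] ^ 0x5a;
    *outn = n - 8;
    return 0;
}
/* Sender: each wrapped token is preceded by a 4-byte big-endian length, because
 * the socket is a byte stream and the peer must find token boundaries. */
size_t send_record(const uint8_t *msg, size_t n, uint8_t *stream) {
    uint8_t tok[MAX_TOKEN];
    size_t tn = fake_wrap(msg, n, tok);
    for (int i = 0; i < 4; i++) stream[i] = (uint8_t)(tn >> (24 - 8 * i));
    memcpy(stream + 4, tok, tn);
    return tn + 4;
}
/* Receiver: the extra buffering layer. Bytes arrive in arbitrary chunks (as
 * read() delivers them) and are held until one whole token is present. */
typedef struct { uint8_t buf[2 * MAX_TOKEN]; size_t len; } recv_buf;
int recv_feed(recv_buf *rb, const uint8_t *chunk, size_t n) {
    if (rb->len + n > sizeof rb->buf) return -1;   /* never overrun the buffer */
    memcpy(rb->buf + rb->len, chunk, n);
    rb->len += n;
    return 0;
}
/* 1 = one message unwrapped into out/outn; 0 = need more bytes; -1 = bad frame. */
int recv_next(recv_buf *rb, uint8_t *out, size_t *outn) {
    if (rb->len < 4) return 0;
    uint32_t tn = ((uint32_t)rb->buf[0] << 24) | ((uint32_t)rb->buf[1] << 16) |
                  ((uint32_t)rb->buf[2] << 8) | rb->buf[3];
    if (tn > MAX_TOKEN) return -1;              /* validate length before trusting it */
    if (rb->len < 4 + (size_t)tn) return 0;     /* partial token: keep buffering */
    if (fake_unwrap(rb->buf + 4, tn, out, outn) != 0) return -1;
    rb->len -= 4 + tn;                          /* drop the consumed frame */
    memmove(rb->buf, rb->buf + 4 + tn, rb->len);
    return 1;
}
```

With a real GSSAPI, the same framing would carry gss_wrap output and recv_next would call gss_unwrap on the reassembled token.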
