From: | Nico Williams <nico(at)cryptonector(dot)com> |
---|---|
To: | Chris Gooch <cgooch(at)bamfunds(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com>, "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups |
Date: | 2025-05-24 23:42:16 |
Message-ID: | aDJZWBZZc25xBDX9@ubby |
Lists: | pgsql-bugs pgsql-committers |
On Thu, May 22, 2025 at 05:04:32PM +0000, Chris Gooch wrote:
> It now makes sense to me. I believe the KDC will not allow tokens
> larger than 65535 bytes, so feel it is safe from a GSS perspective.
The KDC protocol over TCP uses 32-bit unsigned PDU lengths in network
byte order, of which the high bit is reserved and must be zero. ASN.1
supports much larger lengths still. The protocol easily supports very
large tickets, therefore very large initial security context tokens.
The architecture of having the user's SIDs be included in the user's
service tickets was very useful as an optimization for a long time, but
as the number of SIDs increases this optimization becomes more of an
albatross.
Nico
--
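The TCP framing Nico describes above (a 4-byte length word in network byte order, high bit reserved and required to be zero, the other 31 bits giving the message length) is easy to check in code. The following is an added example written for this page, not code from the thread, from PostgreSQL, or from any Kerberos implementation; the function names, the optional `max_len` policy cap and the 70,000-byte sample payload are my own constructions, used only to show that the framing itself carries a message well above 65535 bytes.

```python
import struct

HEADER_LEN = 4
RESERVED_BIT = 0x80000000       # high bit of the length word: reserved, must be zero
PROTOCOL_MAX_LEN = 0x7FFFFFFF   # largest value the remaining 31 bits can express


class FramingError(ValueError):
    """Raised when the 4-byte TCP length prefix is malformed or exceeds policy."""


def parse_kdc_tcp_frame(buf: bytes, max_len: int = PROTOCOL_MAX_LEN):
    """Parse one length-prefixed KDC-over-TCP message from buf.

    Returns (payload, remaining) where payload is the Kerberos message body and
    remaining is any trailing bytes after it. Returns None when buf does not yet
    hold a complete frame (the caller should read more). Raises FramingError if
    the reserved high bit is set or the announced length is above max_len.
    max_len is a local policy limit assumed for this example; the protocol's own
    ceiling is PROTOCOL_MAX_LEN.
    """
    if len(buf) < HEADER_LEN:
        return None
    (word,) = struct.unpack("!I", buf[:HEADER_LEN])   # unsigned, network byte order
    if word & RESERVED_BIT:
        raise FramingError("reserved high bit set in length prefix: 0x%08x" % word)
    length = word & PROTOCOL_MAX_LEN
    if length > max_len:
        raise FramingError(f"announced length {length} exceeds policy limit {max_len}")
    end = HEADER_LEN + length
    if len(buf) < end:
        return None
    return buf[HEADER_LEN:end], buf[end:]


def build_kdc_tcp_frame(payload: bytes) -> bytes:
    """Prefix payload with the 4-byte big-endian length word (high bit clear)."""
    if len(payload) > PROTOCOL_MAX_LEN:
        raise FramingError("payload too large for a 31-bit length prefix")
    return struct.pack("!I", len(payload)) + payload


def frame_status(buf: bytes, max_len: int = PROTOCOL_MAX_LEN) -> str:
    """Classify buf for logging: 'incomplete', 'complete', or 'rejected: <reason>'."""
    try:
        return "incomplete" if parse_kdc_tcp_frame(buf, max_len) is None else "complete"
    except FramingError as exc:
        return "rejected: " + str(exc)


def demo():
    # Constructed sample: 70,000 filler bytes (not a real Kerberos message) framed
    # and parsed back. The 31-bit prefix carries it without any special handling,
    # which is the point of the reply: 65535 is not a limit of the transport.
    big = b"\x00" * 70000
    payload, rest = parse_kdc_tcp_frame(build_kdc_tcp_frame(big))
    return len(payload), rest == b""


if __name__ == "__main__":
    print(demo())
```

Running the block frames and re-parses the oversized sample; `frame_status` is the piece a server or monitoring hook would use, since it turns the two rejection cases (reserved bit set, length above the local cap) into a loggable string instead of an exception.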