Re: Kerberos v5 support - Mailing list pgsql-patches

From Garrett Wollman
Subject Re: Kerberos v5 support
Date
Msg-id 200011061816.NAA74145@khavrinen.lcs.mit.edu
In response to Re: Kerberos v5 support  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: Kerberos v5 support  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-patches
<<On Mon, 6 Nov 2000 12:05:01 -0500 (EST), Bruce Momjian <pgman@candle.pha.pa.us> said:

> I have applied some kerberos changes to the current snapshot a few
> months ago.  Can you grab that and let me know what you would like
> changed?  Thanks.

My code has much better error handling (``Kerberos error %d'' is vile!)
and uses the correct API to determine the client's authenticated
name.  My version also checks the IP addresses in the client's ticket
to protect against certain kinds of attacks.  On the other hand, the
-current code is configurable with respect to the name of the keytab.
(I don't personally see much value in allowing the keytab name to be
changed at run time, but whatever floats your boat....)

Both versions still sweep the an_to_ln problem under the carpet.  This
is a SERIOUS flaw for anyone who needs to operate in an environment
with cross-realm authentication.  I don't know the innards of pgsql
well enough to be able to code the internal table-lookup that would be
necessary to perform proper an_to_ln mapping -- hopefully someone else
out there does.

Since I'm working in a near-production environment, I'm not presently
able to combine my functionality with that provided in pgsql-current.
When it becomes a release, you may well hear back from me.

-GAWollman
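The message above says both patches skip the an_to_ln step (mapping the authenticated Kerberos name to a local user name) and that this is serious once cross-realm authentication is in play: without it, `postgres@SOME.OTHER.REALM` would be treated like the local `postgres`. The following is an added, self-contained illustration of such a realm-aware table lookup with readable error messages; it is not code from this thread or from PostgreSQL, does not call the krb5 library, and every realm name, rule and principal in it is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Added example: realm-aware an_to_ln mapping.  Principal syntax is
 * name[/instance]@REALM.  Realms and rules below are constructed samples. */

#define PRINC_PART_MAX 64

/* Result codes; an_to_ln_strerror() gives each a readable message. */
enum {
    ANTOLN_OK = 0,
    ANTOLN_BADPRINC,   /* principal string is malformed */
    ANTOLN_BADREALM,   /* realm is neither local nor a trusted foreign realm */
    ANTOLN_NOMAP,      /* no explicit mapping for this principal */
    ANTOLN_TOOLONG     /* mapped local name does not fit the caller's buffer */
};

typedef struct {
    char name[PRINC_PART_MAX];
    char instance[PRINC_PART_MAX];
    char realm[PRINC_PART_MAX];
} Principal;

/* Constructed: the server's own realm; plain "user@DB.EXAMPLE" maps to "user". */
static const char *local_realm = "DB.EXAMPLE";

/* Constructed: foreign realms that have a cross-realm trust with local_realm. */
static const char *trusted_realms[] = { "PARTNER.EXAMPLE" };

/* Constructed explicit table: (name, instance, realm) -> local user name. */
typedef struct { const char *name, *instance, *realm, *local_user; } AnToLnRule;
static const AnToLnRule rules[] = {
    { "jsmith",   "",      "PARTNER.EXAMPLE", "smith_j"  },
    { "postgres", "admin", "DB.EXAMPLE",      "postgres" },
};

/* Copy n bytes of src into dst; -1 if the part is empty or does not fit. */
static int copy_part(char *dst, size_t cap, const char *src, size_t n)
{
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split "name[/instance]@REALM" into parts; 0 on success, -1 if malformed. */
int parse_principal(const char *s, Principal *p)
{
    const char *at = strrchr(s, '@');          /* realm follows the last '@' */
    const char *slash;
    size_t name_len;

    if (at == NULL) return -1;
    if (copy_part(p->realm, sizeof p->realm, at + 1, strlen(at + 1)) != 0) return -1;
    slash = memchr(s, '/', (size_t)(at - s));
    name_len = slash ? (size_t)(slash - s) : (size_t)(at - s);
    if (copy_part(p->name, sizeof p->name, s, name_len) != 0) return -1;
    if (slash == NULL) p->instance[0] = '\0';
    else if (copy_part(p->instance, sizeof p->instance, slash + 1,
                       (size_t)(at - slash - 1)) != 0) return -1;
    return 0;
}

/* 1 if the realm is ours or one we have explicitly chosen to trust. */
static int realm_ok(const char *realm)
{
    size_t i;
    if (strcmp(realm, local_realm) == 0) return 1;
    for (i = 0; i < sizeof trusted_realms / sizeof trusted_realms[0]; i++)
        if (strcmp(realm, trusted_realms[i]) == 0) return 1;
    return 0;
}

/* Map an authenticated name to a local user name.  Explicit rules win;
 * otherwise only a plain principal in the local realm maps to itself.
 * Foreign-realm principals with no rule are denied, never mapped by name. */
int an_to_ln(const char *principal, char *local, size_t local_cap)
{
    Principal p;
    const char *mapped = NULL;
    size_t i;

    if (parse_principal(principal, &p) != 0) return ANTOLN_BADPRINC;
    if (!realm_ok(p.realm)) return ANTOLN_BADREALM;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].name, p.name) == 0 &&
            strcmp(rules[i].instance, p.instance) == 0 &&
            strcmp(rules[i].realm, p.realm) == 0)
            mapped = rules[i].local_user;
    if (mapped == NULL && strcmp(p.realm, local_realm) == 0 && p.instance[0] == '\0')
        mapped = p.name;
    if (mapped == NULL) return ANTOLN_NOMAP;
    return copy_part(local, local_cap, mapped, strlen(mapped)) == 0 ? ANTOLN_OK : ANTOLN_TOOLONG;
}

const char *an_to_ln_strerror(int code)
{
    switch (code) {
    case ANTOLN_OK:       return "ok";
    case ANTOLN_BADPRINC: return "malformed Kerberos principal";
    case ANTOLN_BADREALM: return "realm is not local and has no cross-realm trust";
    case ANTOLN_NOMAP:    return "no local-name mapping for this principal";
    case ANTOLN_TOOLONG:  return "mapped local name does not fit the buffer";
    default:              return "unknown an_to_ln error";
    }
}

/* Helpers for checks: result code only, and "maps exactly to expected?". */
int an_to_ln_code(const char *principal)
{
    char buf[PRINC_PART_MAX];
    return an_to_ln(principal, buf, sizeof buf);
}
int an_to_ln_maps_to(const char *principal, const char *expected)
{
    char buf[PRINC_PART_MAX];
    return an_to_ln(principal, buf, sizeof buf) == ANTOLN_OK && strcmp(buf, expected) == 0;
}

int main(void)
{
    static const char *samples[] = {
        "alice@DB.EXAMPLE", "jsmith@PARTNER.EXAMPLE", "postgres@PARTNER.EXAMPLE",
        "postgres/admin@DB.EXAMPLE", "alice@EVIL.EXAMPLE", "no-realm-here",
    };
    char buf[PRINC_PART_MAX];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = an_to_ln(samples[i], buf, sizeof buf);
        if (rc == ANTOLN_OK) printf("%-28s -> %s\n", samples[i], buf);
        else printf("%-28s -> DENIED: %s\n", samples[i], an_to_ln_strerror(rc));
    }
    return 0;
}
```

The point to notice is the third sample: `postgres@PARTNER.EXAMPLE` comes from a trusted realm but has no rule, so it is denied rather than silently becoming the local `postgres`; an identity mapping that ignores the realm would have granted it. The error strings stand in for the numeric codes the message complains about.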

