OK.
> <<On Mon, 6 Nov 2000 12:05:01 -0500 (EST), Bruce Momjian <pgman@candle.pha.pa.us> said:
>
> > I have applied some kerberos changes to the current snapshot a few
> > months ago. Can you grab that and let me know what you would like
> > changed? Thanks.
>
> My code has much better error handing (``Kerberos error %d'' is vile!)
> and uses the correct API to determine the client's authenticated
> name. My version also checks the IP addresses in the client's ticket
> to protect against certain kinds of attacks. On the other hand, the
> -current code is configurable with respect to the name of the keytab.
> (I don't personally see much value in allowing the keytab name to be
> changed at run time, but whatever floats your boat....)
>
> Both versions still sweep the an_to_ln problem under the carpet. This
> is a SERIOUS flaw for anyone who needs to operate in an environment
> with cross-realm authentication. I don't know the innards of pgsql
> well-enough to be able to code the internal table-lookup that would be
> necessary to perform proper an_to_ln mapping -- hopefully someone else
> out there does.
>
> Since I'm working in a near-production environment, I'm not presently
> able to combine my functionality with that provided in pgsql-current.
> When it becomes a release, you may well hear back from me.
>
> -GAWollman
>
>
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
