Kerberos principal to dbuser mapping - Mailing list pgsql-hackers

From Daniel
Subject Kerberos principal to dbuser mapping
Msg-id 20020515124332.53313.qmail@web21504.mail.yahoo.com
Responses Re: Kerberos principal to dbuser mapping  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
The current implementation of the Kerberos 5
authentication in backend/libpq/auth.c truncates the
principal after the first '/' or failing that, after
the first '@', assuming the result to be the database
username. This implicitly allows cross-realm
authentication which is not good in many instances.
Even more seriously, it discards parts following any
'/' which is definitely very bad in many instances.

This is not satisfactory for some (I would think most)
applications. A solution to this would be mapping
Kerberos principals to usernames in the database. (As
e.g. ~username/.k5login determines which principals are
authorized to login as username.) Ideally this mapping
table should be a system table in the database (and
not a specialized file like the current implementation
of pg_ident.conf). Is this a stupid idea? Any
comments?

I do have a few questions regarding an
implementation of this.

Is there any existing way of making queries from
postmaster (other than setting up a client connection
from it)?

Is there a reason pg_ident.conf and pg_hba.conf are
files rather than tables?

Is there any reason for not doing authentication of both
the client and the server?

Grateful for answers and comments
Daniel
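To make the truncation problem described in the post concrete, here is an added example (not PostgreSQL's auth.c and not Daniel's code): `truncate_principal` reproduces the cut-at-'/'-or-'@' behaviour the post criticises, and `map_principal` is an assumed stricter alternative that rejects principals carrying an instance, requires an exact realm match, and refuses backslash escapes rather than interpreting them. The expected realm and the sample principals are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Behaviour as described in the post: cut the principal at the first
 * '/' or, failing that, at the first '@', and take the prefix as the
 * database user. "alice/admin@EXAMPLE.ORG" and "alice@OTHER.ORG" both
 * collapse to "alice", so instance and realm are silently lost. */
static void truncate_principal(const char *principal, char *user, size_t len)
{
    size_t n = strcspn(principal, "/@");
    if (n >= len)
        n = len - 1;
    memcpy(user, principal, n);
    user[n] = '\0';
}

/* Assumed stricter mapping (illustration only). Returns 1 and fills
 * `user` only when the principal is exactly primary@expected_realm:
 * no instance component, no escape characters, and a matching realm. */
static int map_principal(const char *principal, const char *expected_realm,
                         char *user, size_t len)
{
    const char *at = strrchr(principal, '@');
    size_t n;

    if (at == NULL)                          /* no realm at all */
        return 0;
    if (strchr(principal, '\\') != NULL)     /* escapes: refuse, do not parse */
        return 0;
    n = (size_t)(at - principal);
    if (memchr(principal, '/', n) != NULL)   /* has an instance: reject */
        return 0;
    if (strcmp(at + 1, expected_realm) != 0) /* cross-realm: reject */
        return 0;
    if (n == 0 || n >= len)
        return 0;
    memcpy(user, principal, n);
    user[n] = '\0';
    return 1;
}

int main(void)
{
    /* constructed sample principals */
    static const char *samples[] = {
        "alice@EXAMPLE.ORG", "alice/admin@EXAMPLE.ORG", "alice@OTHER.ORG"};
    char t[64], s[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        truncate_principal(samples[i], t, sizeof t);
        int ok = map_principal(samples[i], "EXAMPLE.ORG", s, sizeof s);
        printf("%-24s truncated=%-6s strict=%s\n", samples[i], t,
               ok ? s : "(rejected)");
    }
    return 0;
}
```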



