Future of krb5 authentication - Mailing list pgsql-hackers

From Magnus Hagander
Subject Future of krb5 authentication
Date
Msg-id 20070718104035.GD3787@svr2.hagander.net
Whole thread Raw
Responses Re: Future of krb5 authentication
List pgsql-hackers
Now that we have working GSSAPI authentication, I'd like to see the
following done:

* Deprecate krb5 authentication in 8.3. At least in documentation, possibly
with a warning when loading pg_hba.conf?
* Remove krb5 authenticatino completely in 8.4.

The reasons for this is:
* krb5 auth doesn't do anything that gssapi doesn't.
* krb5 authentication doesn't follow a published standard. It follows API
examples from MIT later copied by Heimdal, but there is no documented
standard.
* krb5 authentication operates directly on the socket and as such violates
the libpq protocol. This means it's not protected by SSL if you have SSL on
your connection, and that it may misbehave with async sockets.


This was actually on the agenda when we first talked about doig gssapi, but
now that we have it it's time to bring it up again...

Comments?

//Magnus



pgsql-hackers by date:

Previous
From: Magnus Hagander
Date:
Subject: Re: SSPI authentication
Next
From: Magnus Hagander
Date:
Subject: Re: SSPI authentication