Re: 8.3 GSS Issues - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: 8.3 GSS Issues
Date
Msg-id 200710202359.l9KNxve12908@momjian.us
In response to 8.3 GSS Issues  ("Henry B. Hotz" <hotz@jpl.nasa.gov>)
List pgsql-hackers
Sorry, wrong email.  Nothing applied.

---------------------------------------------------------------------------

Henry B. Hotz wrote:
> I know I haven't been very active for a while here, but I just got to  
> testing the October 3 version a bit prior to getting back to the Java  
> GSS client stuff I promised.  There seem to be some funny things there.
> 
> The only serious issue is that the server doesn't require the realm  
> name to match.  I haven't looked at how that broke yet, but I know I  
> was careful of that point in my original patches because it's always  
> been wrong in the Kerberos 5 auth method.
> 
> If I set up a server I might conceivably get connections from:
> 
> smith@JPL.NASA.GOV
> smith@STANFORD.EDU
> smith@ARC.NASA.GOV
> smith@GSFC.NASA.GOV
> smith@KSC.NASA.GOV
> <same for every other NASA center, HQ, plus a "fake" realm relating  
> to how NASA set up AD>
> 
> Now the only two of those that *might* be the same person are the  
> first two, and that's only if the Stanford person has a grant to work  
> on a JPL project and got put in our infrastructure as an affiliate,  
> *and* the username wasn't already taken.
> 
> It appears that you can just put a complete (realm-included) name  
> into postgres, so that's obviously the way to support gssapi  
> connections from non-default realms.
> 
> In short this is a security hole.  IMO it should be fixed prior to  
> release.
> 
> ---------
> 
> I notice there are hba options for gss and sspi both.  Why?
> 
> Is there some windows-only functionality it enables?  Shouldn't we be  
> using Microsoft's advertised GSSAPI/SSPI compatibility?  If you build  
> on Windows then I'm sure you want to link the SSPI libraries rather  
> than require installation of a separate package, but that shouldn't  
> change the functionality or the wire protocol AFAIK.  In other words  
> I would expect this to be a build-time option.
> 
> ---------
> 
> At the risk of diluting my message:  I still think it's a mistake to  
> call it gss instead of something like gss-noprot.  I believe this  
> will cause misunderstandings in the future when we get the security  
> layer of gssapi implemented.
> 
> ---------
> 
> There's no way to specify the gssapi library to use.  I have three on  
> my main development Sun:  MIT, Sun, and Heimdal.  I might have more  
> than one version of one of those three at some times.  Of course  
> there's no way to specify which kerberos 5 library or openssl library  
> you want either, so consider this a feature request for future  
> development.
> 
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://postgres.enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +
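
The realm problem raised in the quoted message, as an added example (not code from this thread or from PostgreSQL): a comparison that drops the realm accepts every `smith` in the list, while one that checks it accepts a bare role name only from the local realm and requires a realm-included role name for anyone else. The function names and `DEFAULT_REALM` are hypothetical, and treating JPL.NASA.GOV as the server's own realm is an assumption.

```python
# Added illustration: function names and DEFAULT_REALM are hypothetical.
DEFAULT_REALM = "JPL.NASA.GOV"  # assumed: the one realm this server treats as local

# Principals taken from the message's list of possible clients.
CLIENTS = ["smith@JPL.NASA.GOV", "smith@STANFORD.EDU", "smith@ARC.NASA.GOV",
           "smith@GSFC.NASA.GOV", "smith@KSC.NASA.GOV"]

def _escaped(s, i):
    """True if s[i] is preceded by an odd number of backslashes."""
    n = 0
    while i - n - 1 >= 0 and s[i - n - 1] == "\\":
        n += 1
    return n % 2 == 1

def split_principal(principal):
    """Split 'name[/instance]@REALM' at the last unescaped '@'."""
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and not _escaped(principal, i):
            return principal[:i], principal[i + 1:]
    return principal, ""  # no realm present

def match_ignoring_realm(principal, role):
    """The behaviour reported as a hole: the realm is dropped before comparing."""
    name, _realm = split_principal(principal)
    return name == role

def match_checking_realm(principal, role, default_realm=DEFAULT_REALM):
    """A bare role name matches only the default realm; a role that includes
    a realm must equal the full principal. Realms compare case-sensitively."""
    name, realm = split_principal(principal)
    if not name or not realm:
        return False
    if split_principal(role)[1]:          # realm-included role name
        return role == principal
    return realm == default_realm and name == role

def accepted(check, role):
    """Which of the sample clients may log in as the given role."""
    return [p for p in CLIENTS if check(p, role)]

if __name__ == "__main__":
    print("realm ignored:", accepted(match_ignoring_realm, "smith"))
    print("realm checked:", accepted(match_checking_realm, "smith"))
    print("explicit role:", accepted(match_checking_realm, "smith@STANFORD.EDU"))
```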

