Re: 8.3 GSS Issues - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: 8.3 GSS Issues |
| Date | |
| Msg-id | 200710202359.l9KNxve12908@momjian.us Whole thread Raw |
| In response to | 8.3 GSS Issues ("Henry B. Hotz" <hotz@jpl.nasa.gov>) |
| List | pgsql-hackers |
Sorry, wrong email. Nothing applied. --------------------------------------------------------------------------- Henry B. Hotz wrote: > I know I haven't been very active for a while here, but I just got to > testing the October 3 version a bit prior to getting back to the Java > GSS client stuff I promised. There seem to be some funny things there. > > The only serious issue is that the server doesn't require the realm > name to match. I haven't looked at how that broke yet, but I know I > was careful of that point in my original patches because it's always > been wrong in the Kerberos 5 auth method. > > If I set up a server I might conceivably get connections from: > > smith@JPL.NASA.GOV > smith@STANFORD.EDU > smith@ARC.NASA.GOV > smith@GSFC.NASA.GOV > smith@KSC.NASA.GOV > <same for every other NASA center, HQ, plus a "fake" realm relating > to how NASA set up AD> > > Now the only two of those that *might* be the same person are the > first two, and that's only if the Stanford person has a grant to work > on a JPL project and got put in our infrastructure as an affiliate, > *and* the username wasn't already taken. > > It appears that you can just put a complete (realm-included) name > into postgres, so that's obviously the way to support gssapi > connections from non-default realms. > > In short this is a security hole. IMO it should be fixed prior to > release. > > --------- > > I notice there are hba options for gss and sspi both. Why? > > Is there some windows-only functionality it enables? Shouldn't we be > using Microsoft's advertised GSSAPI/SSPI compatibility? If you build > on Windows then I'm sure you want to link the SSPI libraries rather > than require installation of a separate package, but that shouldn't > change the functionality or the wire protocol AFAIK. In other words > I would expect this to be a build-time option. > > --------- > > At the risk of diluting my message: I still think it's a mistake to > call it gss instead of something like gss-noprot. I believe this > will cause misunderstandings in the future when we get the security > layer of gssapi implemented. > > --------- > > There's no way to specify the gssapi library to use. I have three on > my main development Sun: MIT, Sun, and Heimdal. I might have more > than one version of one of those three at some times. Of course > there's no way to specify which kerberos 5 library or openssl library > you want either, so consider this a feature request for future > development. > > ------------------------------------------------------------------------ > The opinions expressed in this message are mine, > not those of Caltech, JPL, NASA, or the US Government. > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu > > > > ---------------------------(end of broadcast)--------------------------- > TIP 3: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faq -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://postgres.enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
pgsql-hackers by date: