Re: Future of krb5 authentication - Mailing list pgsql-hackers

From Heikki Linnakangas
Subject Re: Future of krb5 authentication
Date
Msg-id 469E6DA7.1040202@enterprisedb.com
Whole thread Raw
In response to Re: Future of krb5 authentication  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Future of krb5 authentication
List pgsql-hackers
Stephen Frost wrote:
> Honestly, for now I'm happy w/ it being a connectionstring option.  It
> seems the most appropriate place for it to go.  That does mean that
> applications may need to be modified to support gssapi (where they might
> not have to be for sspi since it's the default), but since we're going
> to keep krb5 support around for a bit there's time for those
> applications to catch up without breaking things explicitly for people
> migrating to 8.3.

Isn't it possible to open the socket, try GSSAPI handshaking with
protocol, and fall back to krb5 protocol if that fails? If that's not
possible, how about handling it like we handle postgres protocol 3 vs 2?
Connect using GSSAPI first, and if that fails, retry with krb5.


--  Heikki Linnakangas EnterpriseDB   http://www.enterprisedb.com


pgsql-hackers by date:

Previous
From: Stephen Frost
Date:
Subject: Re: Future of krb5 authentication
Next
From: Oleg Bartunov
Date:
Subject: Re: Updated tsearch documentation