Re: BUG #9337: SSPI/GSSAPI with mismatched user names - Mailing list pgsql-bugs

From: Tom Lane
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Msg-id: 5500.1393267495@sss.pgh.pa.us
In response to: BUG #9337: SSPI/GSSAPI with mismatched user names (brian@fluggo.com)
Responses: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
List: pgsql-bugs
brian@fluggo.com writes:
> The short version is that Postgres requires two user names when using
> GSSAPI/SSPI: one from the startup packet, and one from the Kerberos ticket,
> and if these don't match exactly, the login fails. It's generally impossible
> to determine the correct user name to send in the startup packet.

> I think Postgres should either not require or ignore the user name in the
> startup packet for these two login types.

If we did that, wouldn't it mean that anyone with a working Kerberos login
could log in as *any* database user?  Even a superuser?

I'm prepared to grant that we might need to change the behavior somehow,
but it seems like not requiring any connection at all between the Kerberos
principal name and the database user name would be entirely unsafe.

            regards, tom lane
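To make the trade-off in this exchange concrete, here is an added example (not code from the thread or from PostgreSQL) that models the three possible policies: require the startup-packet user to equal the principal without its realm, accept only principals that an explicit principal-to-user map binds to the requested user, or ignore the startup user entirely as proposed. The role table and the ident-style map are constructed for the example; the map format is an assumption, not PostgreSQL's own.

```python
import re

# Constructed role catalogue: which database users are superusers.
ROLE_IS_SUPERUSER = {"postgres": True, "brian": False, "alice": False}

# Hypothetical principal -> database-user map (assumption, not a real config):
# (regex over the Kerberos principal, replacement template for the db user).
IDENT_MAP = [
    (r"^brian@EXAMPLE\.COM$", "brian"),
    (r"^(?P<user>[^@]+)@EXAMPLE\.COM$", r"\g<user>"),
]


def strip_realm(principal):
    """'brian@EXAMPLE.COM' -> 'brian'."""
    return principal.split("@", 1)[0]


def authorize(principal, startup_user, mode="exact"):
    """Return the database user the session may run as, or None if refused.

    mode="exact":  startup user must equal the principal minus realm.
    mode="map":    principal must map to the startup user via IDENT_MAP.
    mode="ignore": trust the startup packet (the proposal Tom objects to).
    """
    if mode == "exact":
        return startup_user if strip_realm(principal) == startup_user else None
    if mode == "map":
        for pattern, template in IDENT_MAP:
            m = re.match(pattern, principal)
            if m and m.expand(template) == startup_user:
                return startup_user
        return None  # authenticated principal, but no binding to this user
    if mode == "ignore":
        return startup_user  # any valid ticket holder becomes whoever they ask to be
    raise ValueError("unknown mode: %s" % mode)


def grants_superuser(principal, startup_user, mode):
    """True if the policy would let this principal run as a superuser role."""
    user = authorize(principal, startup_user, mode)
    return user is not None and ROLE_IS_SUPERUSER.get(user, False)
```

Only the "ignore" policy lets a non-privileged principal reach the superuser role; the map policy also covers the case Brian raises, where the principal's local part does not equal the database user name.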
