Re: JAVA Support - Mailing list pgsql-hackers

From Henry B. Hotz
Subject Re: JAVA Support
Date
Msg-id D0B1065C-3E09-4CDB-8889-F4FFBF3A1A14@jpl.nasa.gov
In response to Re: JAVA Support  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: JAVA Support  (Bruce Momjian <bruce@momjian.us>)
List pgsql-hackers
On Sep 28, 2006, at 9:35 PM, Tom Lane wrote:

> "Joshua D. Drake" <jd@commandprompt.com> writes:
>> Is there any reason why we haven't built a generic authentication API?
>> Something like PAM, except cross platform?
>
> We're database geeks, not security/crypto/authentication geeks.  What
> makes you think we have any particular competence to do the above?
>
> Actually, the part of this proposal that raised my hackles the most was
> the claim that GSSAPI provides a generic auth API, because that was
> exactly the bill of goods we were sold in connection with PAM.  (So why
> is this our problem at all --- can't you make a PAM plugin for it??)
> It didn't help any that that was shortly followed by the lame admission
> that no one has ever implemented anything except Kerberos underneath it.
> Word to the wise, guys: go *real* soft on vaporware claims for auth
> stuff, because we've seen enough of those before.

Well, that's why I was pushing SASL instead of GSSAPI.  There are  
multiple mechanisms that are actually in use.

PAM turned out not to be sufficiently specified for cross-platform  
behavioral compatibility, and it only does password checking anyway.   
Calling it a security solution is a big overstatement IMO.  I guess a  
lot of people use PAM with SSL and don't worry about the gap between  
the two (which SASL or GSSAPI close).

In defense of GSSAPI, non-Kerberos mechanisms do exist.  They just  
cost money and they aren't very cross-platform.  AFAIK GSSAPI has no  
simple password mechanisms.

There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's  
being implemented fairly widely now, but it's just a sub-negotiation  
mech that lets you choose between a Kerberos 5 (that's practically  
identical to the direct one), and NTLM.  If you allow NTLM you'd  
better limit it to NTLMv2!

----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu



