Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

From Tom Lane
Subject Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Date
Msg-id 16076.1243454795@sss.pgh.pa.us
In reply to Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal  (Peter Koczan <pjkoczan@gmail.com>)
Responses Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
List pgsql-bugs
Peter Koczan <pjkoczan@gmail.com> writes:
> This is trust authentication with one rather inconsequential bit of
> verification, that's a fundamental breakage. One of the major points
> of Kerberos is that, for anything that talks Kerberos, you are the
> principal in that ticket. I understand the desire to change some of
> that old code, but why is that principal being ignored?

Well, the reason for that change was that the libpq code was absorbing
userid from any available Kerberos ticket, even if the server
subsequently issued a non-Kerberos authentication challenge.  I still
think that was wrong.  What your complaint seems to suggest is that
the server-side Kerberos auth code should be insisting that the supplied
principal's first component match the requested database userid.
I kinda thought we *had* been doing that, but can't claim to have read
that code closely.  Magnus?

            regards, tom lane
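
The server-side check discussed in the message above (the supplied principal's first component must match the requested database userid), sketched as an added example that is not part of the original message and is not PostgreSQL's code. The function names and the sample principals are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy the first component of a textual Kerberos principal
 * ("first/instance@REALM") into out. '/' separates components, '@'
 * starts the realm, and a backslash quotes a literal '/', '@' or '\'.
 */
static bool first_component(const char *princ, char *out, size_t outlen)
{
    size_t n = 0;

    for (; *princ != '\0' && *princ != '/' && *princ != '@'; princ++) {
        if (*princ == '\\') {
            princ++;
            if (*princ != '/' && *princ != '@' && *princ != '\\')
                return false;   /* dangling or control-char escape: reject */
        }
        if (n + 1 >= outlen)
            return false;       /* too long: reject, never truncate */
        out[n++] = *princ;
    }
    out[n] = '\0';
    return n > 0;               /* an empty first component never matches */
}

/* Hypothetical check: exact, case-sensitive match with the requested user. */
bool principal_matches_user(const char *princ, const char *dbuser)
{
    char comp[256];

    if (princ == NULL || dbuser == NULL)
        return false;
    if (!first_component(princ, comp, sizeof comp))
        return false;
    return strcmp(comp, dbuser) == 0;
}

int main(void)
{
    /* Constructed sample principal, not taken from the thread. */
    const char *p = "alice/admin@EXAMPLE.ORG";
    printf("as alice:    %d\n", principal_matches_user(p, "alice"));
    printf("as postgres: %d\n", principal_matches_user(p, "postgres"));
    return 0;
}
```

Rejecting over-long or oddly escaped names instead of truncating or normalising them keeps the comparison fail-closed.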
