Re: JAVA Support

From Bruce Momjian
Subject Re: JAVA Support
Date
Msg-id 200609300312.k8U3ClE08649@momjian.us
In reply to Re: JAVA Support  ("Henry B. Hotz" <hotz@jpl.nasa.gov>)
List pgsql-hackers
Henry B. Hotz wrote:
> Well, that's why I was pushing SASL instead of GSSAPI.  There are  
> multiple mechanisms that are actually in use.
> 
> PAM turned out not to be sufficiently specified for cross-platform  
> behavioral compatibility, and it only does password checking anyway.   
> Calling it a security solution is a big overstatement IMO.  I guess a  
> lot of people use PAM with SSL and don't worry about the gap between  
> the two (which SASL or GSSAPI close).
> 
> In defense of GSSAPI non-Kerberos mechanisms do exist.  They just  
> cost money and they aren't very cross-platform.  AFAIK GSSAPI has no  
> simple password mechanisms.
> 
> There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's  
> being implemented fairly widely now, but it's just a sub-negotiation  
> mech that lets you choose between a Kerberos 5 (that's practically  
> identical to the direct one), and NTLM.  If you allow NTLM you'd  
> better limit it to NTLMv2!

As already mentioned, the limitations of PAM weren't clear until after
we implemented it, so I expect the same to happen here, and the number
of acronyms flying around in this discussion is a bad sign too.

--  Bruce Momjian   bruce@momjian.us EnterpriseDB    http://www.enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +

