Re: Fwd: [PATCHES] Preliminary GSSAPI Patches

From: Henry B. Hotz
Subject: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches
Msg-id: 8C1025B6-80F8-414A-BAA6-42F239E1F397@jpl.nasa.gov
In reply to: Fwd: [PATCHES] Preliminary GSSAPI Patches  ("Henry B. Hotz" <hotz@jpl.nasa.gov>)
Responses: Re: Fwd: [PATCHES] Preliminary GSSAPI Patches  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers
Excuse me for replying to myself, but maybe it would be clearer if I  
said this the other way around:

The existing Kerberos support uses a C API that is not supported in  
Java or on Windows, and probably never will be.  If we want to  
support Kerberos on *all* platforms (and if we want expandability to  
non-Kerberos, non-password authentication methods) then Postgres  
should use the GSSAPI instead.  The submitted patches allow that.

I tend to regard this as a comparable migration to the Kerb4 -> Kerb5  
one.  In time it should be a complete replacement.  In time we will  
be able to rip out the existing Kerb5 code.

On Apr 30, 2007, at 3:23 PM, Henry B. Hotz wrote:

> OK, so posted.  ;-)
>
> To clarify for the larger audience:  without the plain "gss"  
> mechanism, the "gss-np" mechanism provides exactly the same  
> functionality as the existing krb5 mechanism.  It will properly  
> secure the initial connection, but will not do anything once the  
> connection is established.  If the Kerberos GSSAPI mechanism is  
> used then it will follow exactly the same naming and file location  
> conventions.
>
> What you gain is 1) it builds on Solaris 8+ with the built-in  
> system Kerberos support (no separate Kerberos install needed), 2)  
> the mechanism is portable to Java and native Windows clients, and  
> 3) if you have a mechanism other than Kerberos available (e.g.  
> SPKM, or SPNEGO/NTLM) in your GSSAPI then you could use it in place  
> of Kerberos.
>
> I'm afraid that the politics at work that might have caused an  
> adoption of a GSSAPI/JGSS Postgres Java client have changed, and  
> they will be using MySQL instead.  |-(  Given what I've said here,  
> I still feel obligated to provide Java mods, but your timeline will  
> affect mine.
>
> Begin forwarded message:
>
>> From: Bruce Momjian <bruce@momjian.us>
>> Date: April 30, 2007 2:22:08 PM PDT
>> To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
>> Subject: Re: [PATCHES] Preliminary GSSAPI Patches
>>
>>
>> Please post this info to the hackers list and we will deal with it.  I
>> am thinking we might just keep this all for 8.4.
>>
>> ---------------------------------------------------------------------------
>>
>> Henry B. Hotz wrote:
>>> Thanks!
>>>
>>> As noted, the patch is incomplete w.r.t. the "gss" auth mech because
>>> it does not include code to actually encrypt the channel with the key
>>> derived from the auth mech.  I confess I have so far been
>>> unsuccessful in inserting an additional layer of buffering to handle
>>> the block encryption.
>>>
>>> Would you like a new version of the patch with the incomplete
>>> functionality commented out (or otherwise removed)?
>>>
>>> Absent a volunteer to help, I think I should concentrate on getting
>>> the "gss-np" unprotected auth mech supported in the Java client.
>>>
>>> On Apr 26, 2007, at 4:09 PM, Bruce Momjian wrote:
>>>
>>>>
>>>> Your patch has been added to the PostgreSQL unapplied patches list at:
>>>>
>>>>     http://momjian.postgresql.org/cgi-bin/pgpatches
>>>>
>>>> It will be applied as soon as one of the PostgreSQL committers reviews
>>>> and approves it.
>>>>
>>>> ---------------------------------------------------------------------------
>>>>
>>>>
>>>> Henry B. Hotz wrote:
>>>>> These patches have been reasonably tested (and cross-tested) on
>>>>> Solaris 9 (SPARC) and MacOS 10.4 (both G4 and Intel) with the native
>>>>> GSSAPI libraries.  They implement the gss-np and (incompletely) the
>>>>> gss authentication methods.  Unlike the current krb5 method gssapi
>>>>> has native support in Java and (with the SSPI) on Windows.
>>>>>
>>>>> I still have bugs in the security layer for the gss method.
>>>>> Hopefully will finish getting them ironed out today or tomorrow.
>>>>>
>>>>> Documentation is in the README.GSSAPI file.  Make sure you get it
>>>>> created when you apply the patches.
>>>>>
>>>>
>>>> [ Attachment, skipping... ]
>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>> The opinions expressed in this message are mine,
>>>>> not those of Caltech, JPL, NASA, or the US Government.
>>>>> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>>>>>
>>>>>
>>>>>
>>>>
>>>> -- 
>>>>   Bruce Momjian  <bruce@momjian.us>          http://momjian.us
>>>>   EnterpriseDB                               http://www.enterprisedb.com
>>>>
>>>>   + If your life is a hard drive, Christ can be your backup. +
>>>
>>>
>>
>
>
>
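The thread distinguishes an authenticate-only mechanism ("gss-np", which secures the initial connection and then does nothing) from the full "gss" mechanism, whose missing piece was an extra buffering layer that encrypts the channel with the key derived from authentication. The model below is an added example, not code from the thread or from the PostgreSQL GSSAPI patch: it does not implement GSSAPI token formats or Kerberos. It assumes both sides already hold a shared session key (standing in for what a completed GSSAPI context yields), a constructed 4-byte length-prefixed framing, HMAC-SHA256 message integrity codes in place of gss_wrap/gss_unwrap, and a constructed on-path attacker that rewrites a query in transit. It shows why traffic after a gss-np handshake can be altered unnoticed, how per-token integrity protection catches that, and why a reassembly buffer is needed once tokens, rather than raw bytes, are what the peer must parse.

```python
"""Added example (not part of the mailing-list thread or the PostgreSQL patch):
authenticate-only ("gss-np"-style) traffic versus integrity-protected
("gss"-style) traffic after the handshake.  Everything here is a constructed
model; no real GSSAPI mechanism is involved."""
import hashlib
import hmac
import struct
from typing import List, Optional

MIC_LEN = 32                 # HMAC-SHA256 output length
HDR = struct.Struct(">I")    # assumed framing: 4-byte big-endian body length
SEQ = struct.Struct(">I")    # 4-byte sequence number carried inside a protected token


def derive_session_key(shared_secret: bytes) -> bytes:
    """Stand-in for the key a completed security context hands back.
    Assumption: a real mechanism derives it from Kerberos ticket material."""
    return hashlib.sha256(b"session-key|" + shared_secret).digest()


def frame_np(payload: bytes) -> bytes:
    """Authenticate-only mode: after the handshake, bytes go on the wire with
    only a length prefix.  Nothing binds them to the authenticated session."""
    return HDR.pack(len(payload)) + payload


def wrap(key: bytes, seq: int, payload: bytes) -> bytes:
    """Protected mode, modelled on gss_wrap with integrity only (no
    confidentiality).  The MIC covers seq||payload, so modification,
    replay and reordering are all detectable."""
    body = SEQ.pack(seq) + payload
    mic = hmac.new(key, body, hashlib.sha256).digest()
    return HDR.pack(len(body) + MIC_LEN) + body + mic


class TokenReader:
    """The extra buffering layer the thread describes: reassembles whole
    tokens from a byte stream that arrives in arbitrary chunks, then
    verifies each one (key given) or passes it through (key is None)."""

    def __init__(self, key: Optional[bytes]):
        self.key = key
        self.buf = b""
        self.expect_seq = 0

    def feed(self, data: bytes) -> List[bytes]:
        self.buf += data
        out: List[bytes] = []
        while len(self.buf) >= HDR.size:
            (blen,) = HDR.unpack_from(self.buf)
            if len(self.buf) < HDR.size + blen:
                break                       # token incomplete; wait for more bytes
            body = self.buf[HDR.size:HDR.size + blen]
            self.buf = self.buf[HDR.size + blen:]
            out.append(body if self.key is None else self._unwrap(body))
        return out

    def _unwrap(self, body: bytes) -> bytes:
        if len(body) < SEQ.size + MIC_LEN:
            raise ValueError("token too short")
        signed, mic = body[:-MIC_LEN], body[-MIC_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(mic, expected):
            raise ValueError("MIC check failed: token modified or forged")
        (seq,) = SEQ.unpack_from(signed)
        if seq != self.expect_seq:
            raise ValueError(f"sequence {seq} != expected {self.expect_seq} (replay/reorder)")
        self.expect_seq += 1
        return signed[SEQ.size:]


def accepted(reader: TokenReader, wire: bytes) -> bool:
    """True if the reader yields at least one token from `wire` without a
    verification error."""
    try:
        return bool(reader.feed(wire))
    except ValueError:
        return False


def tamper(wire: bytes, old: bytes, new: bytes) -> bytes:
    """Constructed on-path attacker: rewrite part of the payload in transit."""
    assert len(old) == len(new)
    return wire.replace(old, new, 1)


def demo() -> dict:
    """Same altered query on both kinds of channel."""
    key = derive_session_key(b"constructed shared secret")
    query = b"SELECT balance FROM accounts WHERE owner = 'alice'"
    np_wire = tamper(frame_np(query), b"'alice'", b"'admin'")
    gss_wire = tamper(wrap(key, 0, query), b"'alice'", b"'admin'")
    np_seen = TokenReader(None).feed(np_wire)[0]
    return {
        "np_accepted_altered_query": np_seen != query,                  # True
        "gss_rejected_altered_query": not accepted(TokenReader(key), gss_wire),  # True
    }
```

The sequence number is what turns a per-message MIC into a channel binding: without it, an attacker who cannot forge a token can still replay or reorder captured ones, which is exactly the class of problem an authenticate-only mechanism leaves open for the whole life of the connection.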


