8.3 GSS Issues
От | Henry B. Hotz |
---|---|
Тема | 8.3 GSS Issues |
Дата | |
Msg-id | B38F2872-A55B-4063-A607-9DE384F30149@jpl.nasa.gov обсуждение исходный текст |
Ответы |
Re: 8.3 GSS Issues
(Bruce Momjian <bruce@momjian.us>)
Re: 8.3 GSS Issues (Bruce Momjian <bruce@momjian.us>) Re: 8.3 GSS Issues (Magnus Hagander <magnus@hagander.net>) |
Список | pgsql-hackers |
I know I haven't been very active for a while here, but I just got to testing the October 3 version a bit prior to getting back to the Java GSS client stuff I promised. There seem to be some funny things there. The only serious issue is that the server doesn't require the realm name to match. I haven't looked at how that broke yet, but I know I was careful of that point in my original patches because it's always been wrong in the Kerberos 5 auth method. If I set up a server I might conceivably get connections from: smith@JPL.NASA.GOV smith@STANFORD.EDU smith@ARC.NASA.GOV smith@GSFC.NASA.GOV smith@KSC.NASA.GOV <same for every other NASA center, HQ, plus a "fake" realm relating to how NASA set up AD> Now the only two of those that *might* be the same person are the first two, and that's only if the Stanford person has a grant to work on a JPL project and got put in our infrastructure as an affiliate, *and* the username wasn't already taken. It appears that you can just put a complete (realm-included) name into postgres, so that's obviously the way to support gssapi connections from non-default realms. In short this is a security hole. IMO it should be fixed prior to release. --------- I notice there are hba options for gss and sspi both. Why? Is there some windows-only functionality it enables? Shouldn't we be using Microsoft's advertised GSSAPI/SSPI compatibility? If you build on Windows then I'm sure you want to link the SSPI libraries rather than require installation of a separate package, but that shouldn't change the functionality or the wire protocol AFAIK. In other words I would expect this to be a build-time option. --------- At the risk of diluting my message: I still think it's a mistake to call it gss instead of something like gss-noprot. I believe this will cause misunderstandings in the future when we get the security layer of gssapi implemented. --------- There's no way to specify the gssapi library to use. I have three on my main development Sun: MIT, Sun, and Heimdal. I might have more than one version of one of those three at some times. Of course there's no way to specify which kerberos 5 library or openssl library you want either, so consider this a feature request for future development. ------------------------------------------------------------------------ The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
В списке pgsql-hackers по дате отправления: