8.3 GSS Issues

From Henry B. Hotz
Subject 8.3 GSS Issues
Date
Msg-id B38F2872-A55B-4063-A607-9DE384F30149@jpl.nasa.gov
Replies Re: 8.3 GSS Issues  (Bruce Momjian <bruce@momjian.us>)
Re: 8.3 GSS Issues  (Bruce Momjian <bruce@momjian.us>)
Re: 8.3 GSS Issues  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
I know I haven't been very active for a while here, but I just got to  
testing the October 3 version a bit prior to getting back to the Java  
GSS client stuff I promised.  There seem to be some funny things there.

The only serious issue is that the server doesn't require the realm  
name to match.  I haven't looked at how that broke yet, but I know I  
was careful of that point in my original patches because it's always  
been wrong in the Kerberos 5 auth method.

If I set up a server I might conceivably get connections from:

smith@JPL.NASA.GOV
smith@STANFORD.EDU
smith@ARC.NASA.GOV
smith@GSFC.NASA.GOV
smith@KSC.NASA.GOV
<same for every other NASA center, HQ, plus a "fake" realm relating  
to how NASA set up AD>

Now the only two of those that *might* be the same person are the  
first two, and that's only if the Stanford person has a grant to work  
on a JPL project and got put in our infrastructure as an affiliate,  
*and* the username wasn't already taken.

It appears that you can just put a complete (realm-included) name  
into postgres, so that's obviously the way to support gssapi  
connections from non-default realms.

In short this is a security hole.  IMO it should be fixed prior to  
release.

---------

I notice there are hba options for gss and sspi both.  Why?

Is there some windows-only functionality it enables?  Shouldn't we be  
using Microsoft's advertised GSSAPI/SSPI compatibility?  If you build  
on Windows then I'm sure you want to link the SSPI libraries rather  
than require installation of a separate package, but that shouldn't  
change the functionality or the wire protocol AFAIK.  In other words  
I would expect this to be a build-time option.

---------

At the risk of diluting my message:  I still think it's a mistake to  
call it gss instead of something like gss-noprot.  I believe this  
will cause misunderstandings in the future when we get the security  
layer of gssapi implemented.

---------

There's no way to specify the gssapi library to use.  I have three on  
my main development Sun:  MIT, Sun, and Heimdal.  I might have more  
than one version of one of those three at some times.  Of course  
there's no way to specify which kerberos 5 library or openssl library  
you want either, so consider this a feature request for future  
development.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
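
The realm check discussed in the message above, as an added example that is not part of the original post and not PostgreSQL source code. The function names and the `default_realm` parameter are assumptions; the sketch contrasts comparing only the user part of a principal with accepting a bare role name from the configured realm only, or a complete realm-included name.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not PostgreSQL source. Returns the single unescaped
 * '@' separating name from realm, or NULL if there is none or more than one. */
static const char *realm_sep(const char *princ)
{
    const char *sep = NULL;
    for (const char *p = princ; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                    /* skip the escaped character */
        else if (*p == '@' && sep != NULL)
            return NULL;            /* second unescaped '@': malformed */
        else if (*p == '@')
            sep = p;
    }
    return sep;
}

/* The behaviour reported in the message: the realm is dropped before comparing. */
int match_ignoring_realm(const char *princ, const char *role)
{
    const char *sep = realm_sep(princ);
    size_t n = sep ? (size_t)(sep - princ) : strlen(princ);
    return strlen(role) == n && strncmp(princ, role, n) == 0;
}

/* Realm-aware check: a bare role name is accepted only from default_realm;
 * a role written as name@REALM must equal the whole principal. */
int match_with_realm(const char *princ, const char *role, const char *default_realm)
{
    const char *sep = realm_sep(princ);
    if (sep == NULL || sep == princ || sep[1] == '\0')
        return 0;                   /* no realm, empty name, or empty realm: reject */
    if (realm_sep(role) != NULL)
        return strcmp(princ, role) == 0;
    size_t n = (size_t)(sep - princ);
    return strcmp(sep + 1, default_realm) == 0 &&   /* realms are case-sensitive */
           strlen(role) == n && strncmp(princ, role, n) == 0;
}

int main(void)
{
    const char *p[] = { "smith@JPL.NASA.GOV", "smith@STANFORD.EDU" };  /* constructed sample input */
    for (int i = 0; i < 2; i++)
        printf("%-20s ignoring=%d realm-aware=%d\n", p[i], match_ignoring_realm(p[i], "smith"),
               match_with_realm(p[i], "smith", "JPL.NASA.GOV"));
    return 0;
}
```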



