Garrett Wollman writes:
> Enclosed please find a set of patches, relative to 7.0.2, which will
> result in Kerberos v5 support which both compiles and works (as in,
> I've successfully authenticated as a remote client).
The 7.0 series is not so interesting at this point but you might have a
few days yet to get stuff into 7.1. :) (Especially stuff that's #ifdef
KRB5 ought to be safe.)
'configure' support for Kerberos (and OpenSSL) has been implemented
meanwhile.
> local all trust
> host all 0.0.0.0 0.0.0.0 krb5
>
> However, that `trust' is tempered by changes to the startup scripts
> (not included here) which force the local-domain socket to mode 600,
We also got that in 7.1-to-be, even without race conditions. :)
> You can see from some of the comments that I'd like this to be made
> stronger in a number of ways. This patch set simply gets pgsql up to
> the minimum acceptable level of security for our environment and
> application.
Well, not a lot of people really know and use the Kerberos support, so
anything that can be done to improve it should be okay. Some better
documentation would also be appreciated. :)
--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/