Re: [HACKERS] Testing, Hello?
От | Henry B. Hotz |
---|---|
Тема | Re: [HACKERS] Testing, Hello? |
Дата | |
Msg-id | v03130317b288855a9c16@[137.78.84.130] обсуждение исходный текст |
Ответ на | Re: [HACKERS] Testing, Hello? (Tom Lane <tgl@sss.pgh.pa.us>) |
Ответы |
Re: [HACKERS] Testing, Hello?
Re: [HACKERS] Testing, Hello? |
Список | pgsql-hackers |
At 4:18 PM -0800 11/25/98, Tom Lane wrote: >"Henry B. Hotz" <hotz@jpl.nasa.gov> writes: >> I'm still testing, but basically it looks like if you have kerberos 4 then >> you need to disable use of the system crypt routines. This *should* be >> handled in the configure stuff. > >That's fairly unpleasant, since it's not out of the question that a >given site might need to support both auth methods to cope with varying >clients. Yeah. I note that if you use the Solaris built-in kerberos support the conflict should not exist. For Postgres this problem is specific to the KTH kerberos implementation I think, but it also exists with SSL. I have no information about MIT kerberos IV or V. >> The function des_encrypt exists in both the KTH kerberos and the system >> crypt libraries with different arguments. > >Not everywhere --- there's no such routine in my crypt library, for >instance. I would not like to see kerberos + crypt disabled everywhere >because it does not work on your machine. This is Solaris 2.5, presumably 2.6 and 7 have the same problem. >Ideally we'd need an autoconf test to discover whether kerberos and >crypt libraries are compatible on a given machine, and an autoconf >--with switch to allow the user to decide which one to include if >they're not. Do you have any ideas about a simple way to check whether >this problem exists on a given platform? If you include <crypt.h> and <krb.h> from the system and /usr/athena/include respectively then you get a compile error. My problem may actually be a bit obscure. I'm using the KTH implementation of kerberos IV because I want to be able to use the JPL AFS kerberos server. (AFS kerberos is an incompatable variant of MIT kerberos IV for those who don't know. Solaris and NetBSD come with MIT kerberos IV support built-in. MIT kerberos V can support both kerberos IV variants, but Postgres is a client.) I will put in a plug for autoconf support for kerberos in any case. We need a --with-kerberos[={4,5}] option and --with-kerberos-include=.., --with-kerberos-lib=.., and --with-kerberos-srvtab=.. options. The administrator guide says support for kerberos IV will disappear when 5 is released. I think there should be a fairly long delay in that. Many people will need to use kerberos IV in order to use an institutional capability, like AFS accounting. Many people should prefer to use the built-in capabilities of their OS and all current bundled kerberos support is at version IV. This will take a *long* time. Finally let me put in a big public thank-you to Tom Ivar Helbekkmo for patiently explaining many things that I should have understood from the documentation. Signature failed Preliminary Design Review. Feasibility of a new signature is currently being evaluated. h.b.hotz@jpl.nasa.gov, or hbhotz@oxy.edu
В списке pgsql-hackers по дате отправления: