Henry B. Hotz wrote:
> Well, that's why I was pushing SASL instead of GSSAPI. There are
> multiple mechanisms that are actually in use.
>
> PAM turned out not to be sufficiently specified for cross-platform
> behavioral compatibility, and it only does password checking anyway.
> Calling it a security solution is a big overstatement IMO. I guess a
> lot of people use PAM with SSL and don't worry about the gap between
> the two (which SASL or GSSAPI close).
>
> In defense of GSSAPI, non-Kerberos mechanisms do exist. They just
> cost money and they aren't very cross-platform. AFAIK GSSAPI has no
> simple password mechanisms.
>
> There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's
> being implemented fairly widely now, but it's just a sub-negotiation
> mech that lets you choose between a Kerberos 5 (that's practically
> identical to the direct one) and NTLM. If you allow NTLM you'd
> better limit it to NTLMv2!
As already mentioned, the limitations of PAM weren't clear until after we
implemented it, so I expect the same to happen here, and the number of
acronyms flying around in this discussion is a bad sign too.

--
  Bruce Momjian   [EMAIL PROTECTED]
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster
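To make the "SPNEGO is just a sub-negotiation" point from the quoted message concrete, here is an added example (not code from this thread or from PostgreSQL) that builds and parses the SPNEGO NegTokenInit a client sends, then applies the acceptor-side rule from RFC 4178: pick the first mechanism in the client's ordered list that the server allows. The token, the mechanism order and the allowed-set policies are constructed for the example; the OIDs and the DER layout are the real ones from RFC 4178, RFC 1964 and MS-SPNG. Only the Python standard library is used.

```python
"""SPNEGO NegTokenInit encode/decode with an acceptor mechanism policy.

Added example, not from the original thread or PostgreSQL.  The client token
below is constructed inline, not captured from a real client.
"""

# Well-known GSSAPI mechanism OIDs (RFC 4178, RFC 1964, MS-SPNG).
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos 5 OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted string (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def expect(tag, want, what):
    if tag != want:
        raise ValueError("expected %s (tag 0x%02x), got 0x%02x" % (what, want, tag))


def build_neg_token_init(mech_oids, mech_token=b""):
    """GSS InitialContextToken ([APPLICATION 0]) wrapping a NegTokenInit.

    mechTypes [0] is the initiator's preference-ordered MechTypeList; an
    optional optimistic mechToken [2] belongs to the first listed mechanism.
    """
    mech_list = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    fields = tlv(0xA0, mech_list)
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))
    neg_token_init = tlv(0xA0, tlv(0x30, fields))
    return tlv(0x60, encode_oid(OID_SPNEGO) + neg_token_init)


def parse_mech_types(token):
    """Extract the initiator's ordered MechTypeList from an InitialContextToken."""
    tag, body, _ = read_tlv(token)
    expect(tag, 0x60, "InitialContextToken")
    tag, oid, pos = read_tlv(body)
    expect(tag, 0x06, "thisMech OID")
    if decode_oid(oid) != OID_SPNEGO:
        raise ValueError("thisMech is not SPNEGO")
    tag, choice, _ = read_tlv(body, pos)
    expect(tag, 0xA0, "negTokenInit")
    tag, seq, _ = read_tlv(choice)
    expect(tag, 0x30, "NegTokenInit SEQUENCE")
    tag, wrap, _ = read_tlv(seq)
    expect(tag, 0xA0, "mechTypes [0]")
    tag, mech_list, _ = read_tlv(wrap)
    expect(tag, 0x30, "MechTypeList")
    oids, pos = [], 0
    while pos < len(mech_list):
        tag, body, pos = read_tlv(mech_list, pos)
        expect(tag, 0x06, "MechType OID")
        oids.append(decode_oid(body))
    return oids


def select_mechanism(token, allowed):
    """Acceptor choice per RFC 4178: first offered mech the server allows.

    Returns (chosen_oid_or_None, optimistic).  optimistic is True only when the
    chosen mech is the initiator's first choice, so its mechToken may be used;
    otherwise the acceptor must ask the initiator for a fresh token.
    """
    for i, oid in enumerate(parse_mech_types(token)):
        if oid in allowed:
            return oid, i == 0
    return None, False


# Constructed policies and client tokens (hypothetical, for the example).
KRB_ONLY = {OID_KRB5, OID_MS_KRB5}
KRB_OR_NTLM = KRB_ONLY | {OID_NTLMSSP}
CLIENT_TOKEN = build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x01\x02")
NTLM_FIRST_TOKEN = build_neg_token_init([OID_NTLMSSP, OID_KRB5])
NTLM_ONLY_TOKEN = build_neg_token_init([OID_NTLMSSP])

if __name__ == "__main__":
    print("offered:", parse_mech_types(CLIENT_TOKEN))
    print("krb-only policy:", select_mechanism(CLIENT_TOKEN, KRB_ONLY))
    print("ntlm-first, krb-only:", select_mechanism(NTLM_FIRST_TOKEN, KRB_ONLY))
    print("ntlm-only, krb-only:", select_mechanism(NTLM_ONLY_TOKEN, KRB_ONLY))
    print("ntlm-only, krb-or-ntlm:", select_mechanism(NTLM_ONLY_TOKEN, KRB_OR_NTLM))
```

The allowed set is the whole knob: leaving NTLMSSP out of it is how an acceptor refuses the NTLM fallback the quoted message warns about, and a client that only offers NTLMSSP then gets no mechanism at all. Note what this layer cannot do: NTLMv1 versus NTLMv2 is decided inside the NTLMSSP mechToken, not in the SPNEGO mechanism list, so a check like this can exclude NTLM outright but cannot by itself "limit it to NTLMv2"; that restriction has to be enforced by the NTLM implementation on both ends.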