Excuse me for replying to myself, but maybe it would be clearer if I said this the other way around:

The existing Kerberos support uses a C API that is not supported in Java or on Windows, and probably never will be. If we want to support Kerberos on *all* platforms (and if we want expandability to non-Kerberos, non-password authentication methods) then Postgres should use the GSSAPI instead. The submitted patches allow that.

I tend to regard this as a comparable migration to the Kerb4 -> Kerb5 one. In time it should be a complete replacement. In time we will be able to rip out the existing Kerb5 code.

On Apr 30, 2007, at 3:23 PM, Henry B. Hotz wrote:

OK, so posted.  ;-)

To clarify for the larger audience: without the plain "gss" mechanism, the "gss-np" mechanism provides exactly the same functionality as the existing krb5 mechanism. It will properly secure the initial connection, but will not do anything once the connection is established. If the Kerberos GSSAPI mechanism is used then it will follow exactly the same naming and file location conventions.

What you gain is 1) it builds on Solaris 8+ with the built-in system Kerberos support (no separate Kerberos install needed), 2) the mechanism is portable to Java and native Windows clients, and 3) if you have a mechanism other than Kerberos available (e.g. SPKM, or SPNEGO/NTLM) in your GSSAPI then you could use it in place of Kerberos.

I'm afraid that the politics at work that might have caused an adoption of a GSSAPI/JGSS Postgres Java client have changed, and they will be using MySQL instead. |-( Given what I've said here, I still feel obligated to provide Java mods, but your timeline will affect mine.

Begin forwarded message:

From: Bruce Momjian <[EMAIL PROTECTED]>
Date: April 30, 2007 2:22:08 PM PDT
To: "Henry B. Hotz" <[EMAIL PROTECTED]>
Subject: Re: [PATCHES] Preliminary GSSAPI Patches


Please post this info to the hackers list and we will deal with it. I
am thinking we might just keep this all for 8.4.

---------------------------------------------------------------------------

Henry B. Hotz wrote:
Thanks!

As noted, the patch is incomplete w.r.t. the "gss" auth mech because
it does not include code to actually encrypt the channel with the key
derived from the auth mech.  I confess I have so far been
unsuccessful in inserting an additional layer of buffering to handle
the block encryption.

Would you like a new version of the patch with the incomplete
functionality commented out (or otherwise removed)?

Absent a volunteer to help, I think I should concentrate on getting
the "gss-np" unprotected auth mech supported in the Java client.

On Apr 26, 2007, at 4:09 PM, Bruce Momjian wrote:


Your patch has been added to the PostgreSQL unapplied patches list at:

        http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---------------------------------------------------------------------------


Henry B. Hotz wrote:
These patches have been reasonably tested (and cross-tested) on
Solaris 9 (SPARC) and MacOS 10.4 (both G4 and Intel) with the native
GSSAPI libraries. They implement the gss-np and (incompletely) the
gss authentication methods.  Unlike the current krb5 method gssapi
has native support in Java and (with the SSPI) on Windows.

I still have bugs in the security layer for the gss method.
Hopefully will finish getting them ironed out today or tomorrow.

Documentation is in the README.GSSAPI file.  Make sure you get it
created when you apply the patches.


[ Attachment, skipping... ]



---------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]



---------------------------(end of broadcast)---------------------------
TIP 7: You can help support the PostgreSQL project by donating at

                http://www.postgresql.org/about/donate

--
  Bruce Momjian  <[EMAIL PROTECTED]>          http://momjian.us
  EnterpriseDB                               http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +









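The "additional layer of buffering" the patch author says he could not get working for the "gss" mechanism is, in outline, a record-framing layer that sits between the socket and the per-message wrap/unwrap calls, so that a token split across reads or two tokens arriving in one read are both handled. The following Python sketch is an added example, not code from this thread or from PostgreSQL; the 4-byte length prefix, the MAX_TOKEN limit and the stand_in_wrap/stand_in_unwrap functions (placeholders for gss_wrap/gss_unwrap, not cryptography) are assumptions made for the demonstration.

```python
import struct

HEADER = struct.Struct("!I")   # assumed framing: 4-byte big-endian token length
MAX_TOKEN = 1 << 20            # assumed sanity limit, checked before buffering a token

def stand_in_wrap(plaintext: bytes, key: int) -> bytes:
    """Placeholder for gss_wrap(): XOR body + toy 2-byte tag (not cryptography)."""
    body = bytes(b ^ key for b in plaintext)
    return body + struct.pack("!H", sum(body) & 0xFFFF)   # token is longer than input

def stand_in_unwrap(token: bytes, key: int) -> bytes:
    """Placeholder for gss_unwrap(): verify the toy tag, then recover the plaintext."""
    body, (tag,) = token[:-2], struct.unpack("!H", token[-2:])
    if (sum(body) & 0xFFFF) != tag:
        raise ValueError("integrity check failed on wrapped token")
    return bytes(b ^ key for b in body)

class SecureStream:
    def __init__(self, key: int):
        self.key = key
        self.inbuf = b""        # bytes read from the socket but not yet a whole token

    def send_record(self, plaintext: bytes) -> bytes:
        token = stand_in_wrap(plaintext, self.key)
        return HEADER.pack(len(token)) + token       # what gets written to the socket

    def receive(self, chunk: bytes) -> list:
        """Feed raw socket bytes; return every complete plaintext record so far."""
        self.inbuf += chunk
        records = []
        while len(self.inbuf) >= HEADER.size:
            (n,) = HEADER.unpack_from(self.inbuf)
            if n > MAX_TOKEN:
                raise ValueError("token length %d exceeds limit" % n)
            if len(self.inbuf) < HEADER.size + n:
                break                                # partial token: wait for more
            token = self.inbuf[HEADER.size:HEADER.size + n]
            self.inbuf = self.inbuf[HEADER.size + n:]
            records.append(stand_in_unwrap(token, self.key))
        return records

def demo() -> list:
    """Two records delivered as three awkward reads: mid-header, mid-token, rest."""
    client, server = SecureStream(0x5A), SecureStream(0x5A)
    wire = client.send_record(b"SELECT 1;") + client.send_record(b"SELECT 2;")
    got = []
    for cut in (2, 7, len(wire)):
        got += server.receive(wire[:cut])
        wire = wire[cut:]
    return got                                       # [b"SELECT 1;", b"SELECT 2;"]
```

A real implementation would replace the stand-in functions with the GSSAPI calls and keep the framing loop as is; the length check before buffering is what stops a peer from forcing an unbounded allocation.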