Re: [GENERAL] [HACKERS] [PATCHES] Removing Kerberos 4
On Thu, Jun 23, 2005 at 07:34:30PM +0200, Magnus Hagander wrote:
> > Has Kerb4 been marked as deprecated in the docs at all? If
> > not it might be best to just do that and then yank it later.
>
> Yes, since 7.4.
>
> http://www.postgresql.org/docs/8.0/static/auth-methods.html#KERBEROS-AUTH
> http://www.postgresql.org/docs/7.4/static/auth-methods.html#KERBEROS-AUTH
>
> "Kerberos 4 is considered insecure and no longer recommended for general
> use."

Just as a nitpick, in the future it would probably be better to explicitly say if something is considered deprecated and will be removed in the future. Having said that, that statement means its removal shouldn't come as a shock to anyone.

--
Jim C. Nasby, Database Consultant [EMAIL PROTECTED]
Give your computer some brain candy! www.distributed.net Team #1828
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

---(end of broadcast)---
TIP 2: you can get off all lists at once with the unregister command (send "unregister YourEmailAddressHere" to [EMAIL PROTECTED])
Re: [GENERAL] [HACKERS] [PATCHES] Removing Kerberos 4
> Has Kerb4 been marked as deprecated in the docs at all? If
> not it might be best to just do that and then yank it later.

Yes, since 7.4.

http://www.postgresql.org/docs/8.0/static/auth-methods.html#KERBEROS-AUTH
http://www.postgresql.org/docs/7.4/static/auth-methods.html#KERBEROS-AUTH

"Kerberos 4 is considered insecure and no longer recommended for general use."

//Magnus
Re: [GENERAL] [HACKERS] [PATCHES] Removing Kerberos 4
On Wed, Jun 22, 2005 at 04:39:15PM -0400, Tom Lane wrote:
> "Magnus Hagander" <[EMAIL PROTECTED]> writes:
> > Yeah. But it has been declared dead by the Kerberos folks
> > (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
> > document is from 2000, and it was declared already then)...
>
> Right. The real question here is who's going to be using a 2005
> database release with a pre-2000 security system? There's a fair
> amount of code there and no evidence that time spent on testing
> and maintaining it is going to benefit anyone anymore.
>
> If someone wakes up and says "hey, I'm still ACTUALLY using that code",
> I'm willing to forbear ... but otherwise I think its time is long gone.

While I agree, if it's easy to just disable kerb without actually ripping the code out right now that might be a tad 'safer', as there might be some users who are using it but don't read the mailing lists.

Has Kerb4 been marked as deprecated in the docs at all? If not it might be best to just do that and then yank it later.

--
Jim C. Nasby, Database Consultant [EMAIL PROTECTED]
Re: [HACKERS] [PATCHES] Removing Kerberos 4
"Magnus Hagander" <[EMAIL PROTECTED]> writes:
> Yeah. But it has been declared dead by the Kerberos folks
> (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
> document is from 2000, and it was declared already then)...

Right. The real question here is who's going to be using a 2005 database release with a pre-2000 security system? There's a fair amount of code there and no evidence that time spent on testing and maintaining it is going to benefit anyone anymore.

If someone wakes up and says "hey, I'm still ACTUALLY using that code", I'm willing to forbear ... but otherwise I think its time is long gone.

regards, tom lane
Re: [HACKERS] [PATCHES] Removing Kerberos 4
> > Last chance for any Kerberos 4 users to speak up --- otherwise I'll
> > apply this soon.
>
> If you just want someone to test it I can do that. I don't
> actually use it normally though.

I don't think "just testing" is enough - somebody needs to actually maintain it...

> As far as security issues the only issues I'm aware of is a)
> it uses plain DES which is just a 56 bit key and crackable by
> brute force and b) cross-domain authentication is broken.

Yeah. But it has been declared dead by the Kerberos folks (http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this document is from 2000, and it was declared already then)...

//Magnus
Re: [HACKERS] [PATCHES] Removing Kerberos 4
Tom Lane <[EMAIL PROTECTED]> writes:
> Last chance for any Kerberos 4 users to speak up --- otherwise I'll
> apply this soon.

If you just want someone to test it I can do that. I don't actually use it normally though.

As far as security issues the only issues I'm aware of is a) it uses plain DES which is just a 56 bit key and crackable by brute force and b) cross-domain authentication is broken. But if you just have a single domain it's a lot simpler to set up than the poster child for second system effect, Kerberos 5.

--
greg
Re: [HACKERS] [PATCHES] Removing Kerberos 4
"Magnus Hagander" <[EMAIL PROTECTED]> writes:
> This patch removes Kerberos version 4 support from the backend and
> libpq. Per previous mail, I sent a mail to both hackers and -general
> about a month ago asking for ppl who use it, for zero responses. I also
> looked back in the archives and it seems it has been asked before and
> also not responded, so I think it's safe to say it's not in widespread
> use ATM. Finally, kerberos version 4 is deprecated by the kerberos
> people - for security reasons amongst others.

Last chance for any Kerberos 4 users to speak up --- otherwise I'll apply this soon.

regards, tom lane