Re: JDBC and GSSAPI/Krb5
From | Henry B. Hotz |
---|---|
Subject | Re: JDBC and GSSAPI/Krb5 |
Date | |
Msg-id | 1F8DABEC-864A-4FEF-9574-ECF3909B2B12@jpl.nasa.gov |
In reply to | Re: JDBC and GSSAPI/Krb5 ("Peter Koczan" <pjkoczan@gmail.com>) |
Responses | Re: JDBC and GSSAPI/Krb5 |
List | pgsql-jdbc |

On Dec 6, 2007, at 11:47 AM, Peter Koczan wrote:

> On Dec 6, 2007 1:10 PM, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
>> Thank you. I'm looking at it.
>>
>> I think the changes *should* be localized to
>> v3/ConnectionFactoryImpl.java. I need to see how Magnus changed the
>> wire protocol (he did it differently from what I did), and I need to
>> try a sample program first so I can debug wire/API issues
>> independently from PG issues.
>>
>> I will not even attempt to address the SSPI auth mechanism since I
>> don't understand fully why it exists. SSPI is supposed to just be an
>> alternate C binding for the GSSAPI wire protocol, but there are other
>> issues that confound that statement. I believe that Java should
>> stick to the standard, at least initially.
>
> http://people.planetpostgresql.org/mha/index.php?/archives/155-Integrated-Security-in-PostgreSQL-8.3.html
>
> According to this, SSPI is a Windows-only thing (for both clients and
> servers). Apparently each can authenticate against a "gss" entry in
> pg_hba.conf.
>
> I don't know what implications that has for support in the JDBC
> driver. I'll let you figure that out :-).
>
> Peter

What he says about not verifying the domain is a serious security bug IMO, but it's been discussed. I think it's a little more complex than that posting indicates.

If they are wire-compatible then there is no reason to use a different value on the wire to differentiate them. This is the point that I said I didn't understand.

This is the wrong audience for these complaints though.

------------------------------------------------------------------------

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.

Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu