Re: Kerberos v5 support
From | Bruce Momjian |
---|---|
Subject | Re: Kerberos v5 support |
Date | |
Msg-id | 200011061825.NAA28132@candle.pha.pa.us |
In reply to | Re: Kerberos v5 support (Garrett Wollman <wollman@khavrinen.lcs.mit.edu>) |
List | pgsql-patches |
OK.

> <<On Mon, 6 Nov 2000 12:05:01 -0500 (EST), Bruce Momjian <pgman@candle.pha.pa.us> said:
>
> > I have applied some kerberos changes to the current snapshot a few
> > months ago. Can you grab that and let me know what you would like
> > changed? Thanks.
>
> My code has much better error handling (``Kerberos error %d'' is vile!)
> and uses the correct API to determine the client's authenticated
> name. My version also checks the IP addresses in the client's ticket
> to protect against certain kinds of attacks. On the other hand, the
> -current code is configurable with respect to the name of the keytab.
> (I don't personally see much value in allowing the keytab name to be
> changed at run time, but whatever floats your boat....)
>
> Both versions still sweep the an_to_ln problem under the carpet. This
> is a SERIOUS flaw for anyone who needs to operate in an environment
> with cross-realm authentication. I don't know the innards of pgsql
> well-enough to be able to code the internal table-lookup that would be
> necessary to perform proper an_to_ln mapping -- hopefully someone else
> out there does.
>
> Since I'm working in a near-production environment, I'm not presently
> able to combine my functionality with that provided in pgsql-current.
> When it becomes a release, you may well hear back from me.
>
> -GAWollman
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
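
The kind of table lookup the quoted message asks for, as an added example (not code from PostgreSQL or from either poster): the local name is looked up by the full authenticated principal, realm included, so a principal from another realm is never accepted on its primary name alone. The function name `map_principal`, the realms and the table contents are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mapping table: full principal (primary@REALM) -> database user.
 * Realm and user names are placeholders, not taken from the thread. */
struct an_to_ln_entry {
    const char *principal;
    const char *local_name;
};

static const struct an_to_ln_entry an_to_ln_table[] = {
    { "alice@EXAMPLE.ORG",     "alice"   },
    { "alice@PARTNER.EXAMPLE", "p_alice" },  /* same primary, other realm */
    { "bob/admin@EXAMPLE.ORG", "dbadmin" },
};

/* Hypothetical helper: returns 0 and fills lname on an exact match,
 * -1 if the principal is unmapped or malformed, or the buffer is too small. */
int map_principal(const char *principal, char *lname, size_t lname_len)
{
    size_t i;
    const char *at;

    if (principal == NULL || lname == NULL || lname_len == 0)
        return -1;
    at = strrchr(principal, '@');
    /* Require a non-empty primary and a non-empty realm. */
    if (at == NULL || at == principal || at[1] == '\0')
        return -1;

    for (i = 0; i < sizeof(an_to_ln_table) / sizeof(an_to_ln_table[0]); i++) {
        /* Realm names are case-sensitive, so compare the whole string exactly. */
        if (strcmp(principal, an_to_ln_table[i].principal) == 0) {
            size_t n = strlen(an_to_ln_table[i].local_name);
            if (n >= lname_len)
                return -1;
            memcpy(lname, an_to_ln_table[i].local_name, n + 1);
            return 0;
        }
    }
    return -1;  /* default deny: an unknown principal gets no local name */
}

int main(void)
{
    char buf[32];
    const char *p = "alice@OTHER.EXAMPLE";  /* constructed foreign-realm principal */
    printf("%s -> %s\n", p, map_principal(p, buf, sizeof buf) == 0 ? buf : "(rejected)");
    return 0;
}
```
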