Re: JAVA Support
From | Bruce Momjian |
---|---|
Subject | Re: JAVA Support |
Date | |
Msg-id | 200609300312.k8U3ClE08649@momjian.us |
In response to | Re: JAVA Support ("Henry B. Hotz" <hotz@jpl.nasa.gov>) |
List | pgsql-hackers |
Henry B. Hotz wrote:
> Well, that's why I was pushing SASL instead of GSSAPI. There are
> multiple mechanisms that are actually in use.
>
> PAM turned out not to be sufficiently specified for cross-platform
> behavioral compatibility, and it only does password checking anyway.
> Calling it a security solution is a big overstatement IMO. I guess a
> lot of people use PAM with SSL and don't worry about the gap between
> the two (which SASL or GSSAPI close).
>
> In defense of GSSAPI non-Kerberos mechanisms do exist. They just
> cost money and they aren't very cross-platform. AFAIK GSSAPI has no
> simple password mechanisms.
>
> There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's
> being implemented fairly widely now, but it's just a sub-negotiation
> mech that lets you choose between a Kerberos 5 (that's practically
> identical to the direct one), and NTLM. If you allow NTLM you'd
> better limit it to NTLMv2!

As already mentioned, the limitations of PAM weren't clear until after
we implemented it, so I expect the same to happen here, and the number
of acronyms flying around in this discussion is a bad sign too.

--
  Bruce Momjian   bruce@momjian.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +