Re: SSPI authentication - patch

On Wed, Jul 18, 2007 at 12:16:42PM +0200, Magnus Hagander wrote:
> Attached is the patch to support SSPI authentication in libpq. With this
> patch, I can authenticate windows clients against a linux server using
> kerberos *without* reqiring setting up MIT kerberos on the windows side.
> Protocol has not changed at all.

Here's an updated version of this patch. This version has full SSPI support
in the server as well, so I can do both kerberos and NTLM between two
windows machines using the negotiate method.

I've added a libpq connection parameter gsslib and the corresponding
environment variable PGGSSLIB. If it's set to "gssapi", libpq will use the
MIT GSSAPI implementation to authenticate to GSSAPI servers. If it's not
set, or set to anything else, SSPI will be used in Kerberos mode. SSPI in
negotiate mode will only be used if the server requests "sspi"
authentication instead of "gss".

Server-side, I've added the new authentication method "sspi" so the server
can inform the client that it wants to do SSPI "negotiate" auth instead of
plain Kerberos.

Since SSPI and GSSAPI can now both be used, my plan is not to have an
autoconf to disable SSPI, but to just enable it unconditionally on win32.
Or does this seem like a bad idea?

Comments welcome.

//Magnus