Re: JAVA Support
| От | Henry B. Hotz |
|---|---|
| Тема | Re: JAVA Support |
| Дата | |
| Msg-id | D0B1065C-3E09-4CDB-8889-F4FFBF3A1A14@jpl.nasa.gov обсуждение исходный текст |
| Ответ на | Re: JAVA Support (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: JAVA Support
|
| Список | pgsql-hackers |
On Sep 28, 2006, at 9:35 PM, Tom Lane wrote: > "Joshua D. Drake" <jd@commandprompt.com> writes: >> Is there any reason why we haven't built a generic authentication >> API? >> Something like PAM, except cross platform? > > We're database geeks, not security/crypto/authentication geeks. What > makes you think we have any particular competence to do the above? > > Actually, the part of this proposal that raised my hackles the most > was > the claim that GSSAPI provides a generic auth API, because that was > exactly the bill of goods we were sold in connection with PAM. (So > why > is this our problem at all --- can't you make a PAM plugin for it??) > It didn't help any that that was shortly followed by the lame > admission > that no one has ever implemented anything except Kerberos > underneath it. > Word to the wise, guys: go *real* soft on vaporware claims for auth > stuff, because we've seen enough of those before. Well, that's why I was pushing SASL instead of GSSAPI. There are multiple mechanisms that are actually in use. PAM turned out not to be sufficiently specified for cross-platform behavioral compatibility, and it only does password checking anyway. Calling it a security solution is a big overstatement IMO. I guess a lot of people use PAM with SSL and don't worry about the gap between the two (which SASL or GSSAPI close). In defense of GSSAPI non-Kerberos mechanisms do exist. They just cost money and they aren't very cross-platform. AFAIK GSSAPI has no simple password mechanisms. There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's being implemented fairly widely now, but it's just a sub-negotiation mech that lets you choose between a Kerberos 5 (that's practically identical to the direct one), and NTLM. If you allow NTLM you'd better limit it to NTLMv2! ------------------------------------------------------------------------ ---- The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
В списке pgsql-hackers по дате отправления: