From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Heikki Linnakangas <heikki(at)enterprisedb(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Future of krb5 authentication |
Date: | 2007-07-18 19:58:16 |
Message-ID: | 469E70D8.8000204@hagander.net |
Lists: | pgsql-hackers |

Heikki Linnakangas wrote:
> Stephen Frost wrote:
>> Honestly, for now I'm happy w/ it being a connectionstring option. It
>> seems the most appropriate place for it to go. That does mean that
>> applications may need to be modified to support gssapi (where they might
>> not have to be for sspi since it's the default), but since we're going
>> to keep krb5 support around for a bit there's time for those
>> applications to catch up without breaking things explicitly for people
>> migrating to 8.3.
>
> Isn't it possible to open the socket, try GSSAPI handshaking with
> protocol, and fall back to krb5 protocol if that fails? If that's not
> possible, how about handling it like we handle postgres protocol 3 vs 2?
> Connect using GSSAPI first, and if that fails, retry with krb5.

The issue is *not* about GSSAPI vs krb5. It's with GSSAPI vs SSPI.
The wire protocol is the same for them. It's a matter of which *client
library* should be used to produce the packets that go over the network.

//Magnus