From: | "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov> |
---|---|
To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | 8.3 GSS Issues |
Date: | 2007-10-19 23:51:04 |
Message-ID: | B38F2872-A55B-4063-A607-9DE384F30149@jpl.nasa.gov |
Lists: | pgsql-hackers |
I know I haven't been very active for a while here, but I just got to
testing the October 3 version a bit prior to getting back to the Java
GSS client stuff I promised. There seem to be some funny things there.
The only serious issue is that the server doesn't require the realm
name to match. I haven't looked at how that broke yet, but I know I
was careful of that point in my original patches because it's always
been wrong in the Kerberos 5 auth method.
If I set up a server I might conceivably get connections from:
smith(at)JPL(dot)NASA(dot)GOV
smith(at)STANFORD(dot)EDU
smith(at)ARC(dot)NASA(dot)GOV
smith(at)GSFC(dot)NASA(dot)GOV
smith(at)KSC(dot)NASA(dot)GOV
<same for every other NASA center, HQ, plus a "fake" realm relating
to how NASA set up AD>
Now the only two of those that *might* be the same person are the
first two, and that's only if the Stanford person has a grant to work
on a JPL project and got put in our infrastructure as an affiliate,
*and* the username wasn't already taken.
It appears that you can just put a complete (realm-included) name
into postgres, so that's obviously the way to support gssapi
connections from non-default realms.
In short this is a security hole. IMO it should be fixed prior to
release.
---------
I notice there are hba options for gss and sspi both. Why?
Is there some windows-only functionality it enables? Shouldn't we be
using Microsoft's advertised GSSAPI/SSPI compatibility? If you build
on Windows then I'm sure you want to link the SSPI libraries rather
than require installation of a separate package, but that shouldn't
change the functionality or the wire protocol AFAIK. In other words
I would expect this to be a build-time option.
---------
At the risk of diluting my message: I still think it's a mistake to
call it gss instead of something like gss-noprot. I believe this
will cause misunderstandings in the future when we get the security
layer of gssapi implemented.
---------
There's no way to specify the gssapi library to use. I have three on
my main development Sun: MIT, Sun, and Heimdal. I might have more
than one version of one of those three at some times. Of course
there's no way to specify which kerberos 5 library or openssl library
you want either, so consider this a feature request for future
development.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
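The realm problem described in the message can be shown with a small model of the authentication decision. This is an added illustration, not PostgreSQL source code: `GssConfig`, `server_realm`, `include_realm` and the helper functions are illustrative names, and the principals are the ones listed in the message. `authorize_unchecked` models the behaviour the author reports (the realm is dropped before the user part is compared to the role name), while `authorize_checked` models the fix he asks for: either the realm must equal the server's local realm, or the full `user@REALM` string is compared against the role name.

```python
# Added example: a model of the GSSAPI realm check discussed in the message.
# Not PostgreSQL code; configuration names and helpers are illustrative.
from dataclasses import dataclass


@dataclass
class GssConfig:
    # Realm the server treats as local (assumed configuration knob).
    server_realm: str
    # When True, the whole principal (user@REALM) must equal the role name.
    include_realm: bool = False


def split_principal(principal: str) -> tuple[str, str]:
    """Split 'user@REALM' into (user, realm).

    A principal without a realm is rejected rather than treated as local.
    Escaped '@' characters inside the user part are not handled here
    (simplifying assumption for the illustration).
    """
    if "@" not in principal:
        raise ValueError(f"principal without realm: {principal!r}")
    user, _, realm = principal.rpartition("@")
    if not user or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return user, realm


def authorize_unchecked(principal: str, requested_role: str) -> bool:
    """Flawed behaviour: strip the realm and compare only the user part.

    Any realm that can issue a ticket for 'smith' gets role 'smith'.
    """
    user, _realm = split_principal(principal)
    return user == requested_role


def authorize_checked(principal: str, requested_role: str, cfg: GssConfig) -> bool:
    """Realm-aware behaviour.

    Either the full principal must match the role name (include_realm), so
    users from other realms need a role like 'smith@STANFORD.EDU', or the
    realm must be the server's local realm before the user part is compared.
    """
    user, realm = split_principal(principal)
    if cfg.include_realm:
        return principal == requested_role
    if realm != cfg.server_realm:
        return False
    return user == requested_role


def colliding_principals(principals: list[str], role: str, cfg: GssConfig) -> list[str]:
    """Principals the unchecked logic would accept for `role` but the
    realm-aware logic would refuse: the set of accounts that collide."""
    return [
        p for p in principals
        if authorize_unchecked(p, role) and not authorize_checked(p, role, cfg)
    ]


# Constructed sample input: the principals listed in the message.
SAMPLE_PRINCIPALS = [
    "smith@JPL.NASA.GOV",
    "smith@STANFORD.EDU",
    "smith@ARC.NASA.GOV",
    "smith@GSFC.NASA.GOV",
    "smith@KSC.NASA.GOV",
]

if __name__ == "__main__":
    cfg = GssConfig(server_realm="JPL.NASA.GOV")
    for p in SAMPLE_PRINCIPALS:
        print(f"{p:24} unchecked={authorize_unchecked(p, 'smith')!s:5} "
              f"checked={authorize_checked(p, 'smith', cfg)}")
    print("collide with role 'smith':", colliding_principals(SAMPLE_PRINCIPALS, "smith", cfg))
```

Run stand-alone, the script shows all five principals accepted by the unchecked comparison and only `smith@JPL.NASA.GOV` accepted once the realm is compared; with `include_realm=True` a foreign user is only admitted when a role spelled with the full realm exists, which matches the workaround the message describes.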