Re: Postgres 8.1.x and MIT Kerberos 5

Lists: pgsql-admin pgsql-hackers
From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Mohan K" <mohan(dot)anon(at)gmail(dot)com>
Cc: <pgsql-hackers(at)postgresql(dot)org>, <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Postgres 8.1.x and MIT Kerberos 5
Date: 2006-02-06 15:20:12
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE6C7FB6@algol.sollentuna.se

> Hello Magnus,
>
> Regarding the configure issue:
> The platform is Tru64 Unix 5.1b; the problem I had was that we
> have compiled our Kerberos build statically and it is installed
> in a directory other than the standard location. The trick of
> adding to LIBS did not work, as the (krb5support) library needs
> to come after the other libs (is there a way to control that?).

Ok. Someone more autoconfy than me will have to say something about that
:-)

> As far as the security issue with Kerberos, here is the
> relevant thread
>
> http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.html
>
> I am sorry, it was in the Kerberos mailing list, not Postgres.

Ah, that explains me not seeing it.

If you need protection against mitm and connection security, you should
use TLS. We don't use Kerberos for encryption.

//Magnus


From: Mohan K <mohan(dot)anon(at)gmail(dot)com>
To: Magnus Hagander <mha(at)sollentuna(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org, pgsql-admin(at)postgresql(dot)org
Subject: Re: Postgres 8.1.x and MIT Kerberos 5
Date: 2006-02-06 15:50:10
Message-ID: 655c73580602060750s3667b8aw7784ced234ca826@mail.gmail.com
Lists: pgsql-admin pgsql-hackers

Thanks.

As far as using TLS, it is a good approach, although we don't need complete
channel encryption for every transaction or query. I am looking at a more
granular approach where I can decide, depending on the security of
information exchange, whether to encrypt the channel or not (like using
maybe GSSAPI). Is this something that will be considered down the line?

Mohan
