Re: JAVA Support
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, "Joshua D. Drake" <jd@commandprompt.com>, Josh Berkus <josh@agliodbs.com>, Kris Jurka <books@ejurka.com>, pgsql-hackers@postgresql.org
Date: 2006-09-30T03:12:47Z
Lists: pgsql-hackers
Henry B. Hotz wrote: > Well, that's why I was pushing SASL instead of GSSAPI. There are > multiple mechanisms that are actually in use. > > PAM turned out not to be sufficiently specified for cross-platform > behavioral compatibility, and it only does password checking anyway. > Calling it a security solution is a big overstatement IMO. I guess a > lot of people use PAM with SSL and don't worry about the gap between > the two (which SASL or GSSAPI close). > > In defense of GSSAPI non-Kerberos mechanisms do exist. They just > cost money and they aren't very cross-platform. AFAIK GSSAPI has no > simple password mechanisms. > > There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's > being implemented fairly widely now, but it's just a sub-negotiation > mech that lets you choose between a Kerberos 5 (that's practically > identical to the direct one), and NTLM. If you allow NTLM you'd > better limit it to NTLMv2! As already mentioned, the limitations of PAM weren't clear until after we implemented it, so I expect the same to happen here, and the number of acronyms flying around in this discussion is a bad sign too. -- Bruce Momjian bruce@momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. +