Re: Design Considerations for New Authentication Methods
Henry B. Hotz <hotz@jpl.nasa.gov>
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
To: Magnus Hagander <mha@sollentuna.net>
Cc: "Stephen Frost" <sfrost@snowman.net>, <pgsql-hackers@postgresql.org>
Date: 2006-11-02T18:17:53Z
Lists: pgsql-hackers
On Nov 2, 2006, at 1:18 AM, Magnus Hagander wrote: >>> * Henry B. Hotz (hotz@jpl.nasa.gov) wrote: >>>> I've been looking at adding SASL or GSSAPI as an auth >> method. I have >>>> some questions about how to handle the flow of control changes. >>> >>> Great! I'd love to see that implemented, personally, so if you're >>> looking for help, please let me know. >> >> Thank you. I will! ;-) >> >> Do you know Java? I'm doing this ultimately because I want >> the JDBC driver to support encrypted connections with >> Kerberos and without needing SSL. As an added plus a >> Windows-native client should support it. > > Interesting, I thought you were going for the authentication only. > What's the real gain in doing Kerberos encryption over SSL encryption? > Doesn't Java come with SSL support anyway these days? > > >> My main hesitation between SASL and GSSAPI is that the >> Windows equivalent APIs for SASL have not received the same >> degree of interoperability testing as SSPI<-->GSSAPI. I >> don't have a published example to crib from. For general >> information the relevant calls are at the bottom of >> <http://msdn.microsoft.com/library/default.asp?url=/ >> library/en-us/secauthn/security/authentication_functions.asp>. > > One reason for this could be that they appear to be available only on > server platforms, and not on cilents, if you look at the > documentation. > That said, I have the DLL file and the export functions on my XP > machine, so it's definitly present there - I'm unsure if it *works* or > is supported. My registry does indicate that I have the GSSAPI profile > for SASL, which would be an indication that it should. > > > //Magnus