Re: [EXT] Re: GSS Auth issue when user member of lots of AD groups
Nico Williams <nico@cryptonector.com>
From: Nico Williams <nico@cryptonector.com>
To: Chris Gooch <cgooch@bamfunds.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Jacob Champion <jacob.champion@enterprisedb.com>, "pgsql-bugs@lists.postgresql.org" <pgsql-bugs@lists.postgresql.org>
Date: 2025-05-24T23:42:16Z
Lists: pgsql-bugs
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
Allow larger packets during GSSAPI authentication exchange.
- d98cefe1143e 18.0 landed
- ca70ee6ede1b 16.10 landed
- c81cdffa1f05 13.22 landed
- a7da7914c355 14.19 landed
- 8b0aa7a6b723 17.6 landed
- 39b1d190714a 15.14 landed
On Thu, May 22, 2025 at 05:04:32PM +0000, Chris Gooch wrote: > It now makes sense to me. I believe the KDC will not allow tokens > larger than 65535 bytes, so feel it is safe from a GSS perspective. The KDC protocol over TCP uses 32-bit unsigned PDU lengths in network byte order, of which the high bit is reserved and must be zero. ASN.1 supports much larger lengths still. The protocol easily supports very large tickets, therefore very large initial security context tokens. The architecture of having the user's SIDs be included in the user's service tickets was very useful as an optimization for a long time, but as the number of SIDs increases this optimization becomes more of an albatross. Nico --