From: | Bear Giles <bgiles(at)coyotesong(dot)com> |
---|---|
To: | Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my> |
Cc: | Bear Giles <bgiles(at)coyotesong(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: SASL, compression? |
Date: | 2002-05-20 07:11:06 |
Message-ID: | 200205200711.BAA11326@eris.coyotesong.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
> What are the benefits of SASL+Postgresql compared to Postgresql over plain SSL?
SASL is orthogonal to SSL. SASL is an application-layer library
and can be run over either regular sockets or SSL. However there
are SASL hooks to tell it that it's running over a secure channel.
The anticipated benefit of SASL is that it would replace all of the
current authetication code with a set of standard plugins. The
authority problem would be reduced to a simple text mapping.
(BTW, I didn't make it clear earlier but "authentication" is figuring
out who the other party is, "authority" is figuring out what they're
entitled to do.)
PAM is *not* a solution to network authentication since it was never
designed for it. One well-known nightmare scenario is the Kerberos
PAM modules - they were designed to be used by local users logging
onto a virtual terminal, to eliminate the need to modify login to
acquire Kerberos credentials directly. But in the wild they've been
seen used with Apache "mod_pam" modules to "autheticate" Kerberos
users. Since they require the Kerberos principal and password to be
transmitted across the wire in the clear, they're major security holes
when used this way.
> Coz Postgresql already supports SSL right?
Postgresql minimally supports SSL. It contains some significant
coding errors, poor initialization, and no support for client
certificates. My recent patches should go a long way towards
fixing that.
Bear
From | Date | Subject | |
---|---|---|---|
Next Message | Jean-Michel POURE | 2002-05-20 07:31:31 | Re: [HACKERS] UTF-8 safe ascii() function |
Previous Message | Bear Giles | 2002-05-20 06:48:48 | revised SSL patches submitted |