| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | "Henry B(dot) Hotz" <hbhotz(at)oxy(dot)edu>, pgsql-patches(at)postgresql(dot)org |
| Subject: | Re: Preliminary GSSAPI Patches |
| Date: | 2007-06-22 16:29:51 |
| Message-ID: | 20070622162951.GY7531@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> We enable the setting of the service name in the server configuration
> file, but we never use that variable anywhere. We do, however, use the
> service name on the client, in order to pick the correct key (and
> turning this off makes GSSAPI no longer work).
>
> If this is correct, we should not enable that parameter on the server.
> If it's not correct, we should be using it somewhere.
Uh, shouldn't you be acquiring the server credentials before accepting
the context? That'd be done using gss_acquire_cred(), which takes the
service name (in gss_name_t structure) as an argument. That would then
be passed in to gss_accept_sec_context() instead of using
GSS_C_NO_CREDENTIAL (in port->gss->cred). I'm kind of suprised it's
working without that and rather curious as to what it's doing under the
hood to make that happen. :/
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Magnus Hagander | 2007-06-22 16:56:06 | Re: Preliminary GSSAPI Patches |
| Previous Message | Tom Lane | 2007-06-22 16:27:17 | Re: Load Distributed Checkpoints, take 3 |