| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Future of krb5 authentication |
| Date: | 2007-07-18 10:40:35 |
| Message-ID: | 20070718104035.GD3787@svr2.hagander.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Now that we have working GSSAPI authentication, I'd like to see the
following done:
* Deprecate krb5 authentication in 8.3. At least in documentation, possibly
with a warning when loading pg_hba.conf?
* Remove krb5 authenticatino completely in 8.4.
The reasons for this is:
* krb5 auth doesn't do anything that gssapi doesn't.
* krb5 authentication doesn't follow a published standard. It follows API
examples from MIT later copied by Heimdal, but there is no documented
standard.
* krb5 authentication operates directly on the socket and as such violates
the libpq protocol. This means it's not protected by SSL if you have SSL on
your connection, and that it may misbehave with async sockets.
This was actually on the agenda when we first talked about doig gssapi, but
now that we have it it's time to bring it up again...
Comments?
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2007-07-18 10:41:31 | Comments on the HOT design |
| Previous Message | Magnus Hagander | 2007-07-18 10:29:26 | Re: SSPI authentication |