From: | Mohan K <mohan(dot)anon(at)gmail(dot)com> |
---|---|
To: | Magnus Hagander <mha(at)sollentuna(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org, pgsql-admin(at)postgresql(dot)org |
Subject: | Re: Postgres 8.1.x and MIT Kerberos 5 |
Date: | 2006-02-06 15:10:34 |
Message-ID: | 655c73580602060710q29517camf200af8cd010d61a@mail.gmail.com |
Lists: | pgsql-admin pgsql-hackers |
Hello Magnus,

Regarding the configure issue:
The platform is Tru64 Unix 5.1b. The problem I had was that we have
compiled our Kerberos build statically and it is installed in a
directory other than the standard location. The trick of adding to LIBS
did not work, as the (krb5support) library needs to come after the
other libs (is there a way to control that?).

As far as the security issue with Kerberos, here is the relevant thread:
http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.html
I am sorry, it was on the Kerberos mailing list, not Postgres.

On 2/5/06, Magnus Hagander <mha(at)sollentuna(dot)net> wrote:
> > Greetings,
> > I was trying to do a source build of postgres 8.1.x with MIT
> > Kerberos 5 1.4.x implementation.
> > The whole thing bombs out. After some digging, I had to hack
> > the autoconf script (configure.in) to properly account for
> > the way the libraries are built for 1.4.x. I don't know
> > whether an earlier post had the same issue. I think it boils
> > down to adding the 'libkrb5support' when all the krb5 libs
> > are checked in the configure script.
>
> (This is better asked in -hackers, I think, copying there)
>
> What platform is this? I use it with krb5 1.4.3 on Linux (Slackware)
> without any modifications at all. Perhaps platform specific behaviour?
>
> The postmaster is linked to libkrb5support, but I only have "-lkrb5" in
> my LIBS as generated by configure. However, if I do "ldd" on libkrb5.so
> I see that one pulls in libkrb5support.
>
>
> > On another note, is the kerberos authentication secure, I had
> > searched some old threads, where it was indicated the
> > principal is not checked by the db as a valid user. Is this
> > still the case?
>
> The principal name is definitely checked by the db as a valid user, and
> AFAIK it always has been (do you have a reference to where it says it
> doesn't?)
>
> The *REALM* is not checked, however. This can cause problems if you have
> a multi-realm system (where the realms already trust each other, because
> the KDC has to give out the service ticket) where you have the same
> username existing in multiple realms representing different users.
>
> If you're in a single realm, it's definitely secure.
>
> //Magnus
>
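
The realm point raised in the quoted reply, as an added example that is not part of the original thread and is not PostgreSQL's code: a simplified model of matching a principal to a database user by name alone, next to a variant that also requires one expected realm. The function names, principals and realm names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find the realm separator: the first '@' not escaped by a backslash.
 * Returns NULL when the principal string carries no realm. */
static const char *realm_sep(const char *principal)
{
    for (const char *p = principal; *p; p++) {
        if (*p == '\\' && p[1] != '\0')
            p++;                        /* skip the escaped character */
        else if (*p == '@')
            return p;
    }
    return NULL;
}

/* Model of the behaviour described in the thread: only the name part is
 * compared with the database user; the realm after '@' is ignored. */
bool name_only_match(const char *principal, const char *db_user)
{
    const char *sep = realm_sep(principal);
    size_t n = sep ? (size_t)(sep - principal) : strlen(principal);
    return n == strlen(db_user) && memcmp(principal, db_user, n) == 0;
}

/* Stricter variant (an assumption for illustration): the realm must be
 * present and equal to the single realm this server expects. */
bool name_and_realm_match(const char *principal, const char *db_user,
                          const char *expected_realm)
{
    const char *sep = realm_sep(principal);
    if (sep == NULL || strcmp(sep + 1, expected_realm) != 0)
        return false;
    return name_only_match(principal, db_user);
}

int main(void)
{
    /* Constructed principals: same user name in two trusting realms. */
    const char *seen[] = { "alice@CORP.EXAMPLE", "alice@PARTNER.EXAMPLE" };
    for (size_t i = 0; i < 2; i++)
        printf("%-24s name-only=%d name+realm=%d\n", seen[i],
               name_only_match(seen[i], "alice"),
               name_and_realm_match(seen[i], "alice", "CORP.EXAMPLE"));
    return 0;
}
```

In a single realm the two checks agree; they differ only when a trusted second realm issues a ticket for the same user name.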