Re: Future of krb5 authentication

From: Gregory Stark <stark(at)enterprisedb(dot)com>
To: "Heikki Linnakangas" <heikki(at)enterprisedb(dot)com>
Cc: "Magnus Hagander" <magnus(at)hagander(dot)net>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "Dave Page" <dpage(at)postgresql(dot)org>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Future of krb5 authentication
Date: 2007-07-18 21:49:18
Message-ID: 87ir8hz8kh.fsf@oxford.xeocode.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


"Heikki Linnakangas" <heikki(at)enterprisedb(dot)com> writes:

> Magnus Hagander wrote:
>
>> The wire protocol is the same for them. It's a matter of which *client
>> library* should be used to produce the packets that go over the network.
>...
> On Windows, why would you need GSSAPI, if SSPI comes with the operation
> system? What's the difference between the libraries? Can you try SSPI
> first, and fall back to GSSAPI?

Am I right in thinking that while the client<->postgres protocol may be the
same the actual authentication tokens are different? That is, if you have a
Windows Active Directory server then using SSPI will use your Windows
credentials obtained from that server to log you in whereas if you used the
MIT GSSAPI library it would try to use your Kerberos tickets for which it would
look elsewhere?

What confuses me here is that I don't understand how this relates to
applications. You keep talking about using the connection string which may be
appropriate for a user-oriented application like psql. But in the general case
surely the application needs to be able to control the authentication process
and be able to provide credentials of its choice?

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2007-07-18 21:52:03 Re: Future of krb5 authentication
Previous Message Stephen Frost 2007-07-18 21:44:48 Re: Future of krb5 authentication