From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Kerberos brokenness and oops question in 8.1beta2 |
Date: | 2005-10-07 22:03:11 |
Message-ID: | 9827.1128722591@sss.pgh.pa.us |
Lists: | pgsql-hackers |

"Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
> Anyway. This makes it impossible for an 8.1 client to connect to an 8.0
> server, or an 8.0 client to an 8.1 server, in any case where the service
> name has changed - such as a win32 active directory deployment, but I'm
> sure many others as well.

How important is that really? How many win32 users are likely to be
using Kerberos auth with 8.0?

> The only real advantage to how it is now is that it's "cleaner". The
> argument that it protects against a security hole in MIT KRB5 doesn't
> hold any more because there is a patch out, and we can't take
> responsibility for people who haven't patched.

I don't really buy that argument. ISTM we should fix the code to do the
right thing, especially if the right thing is more secure. If I
understood what you said properly, hardwiring it as "postgres" is the
correct thing, and loss of compatibility in marginal cases is just the
price we pay for having done it wrong originally.

regards, tom lane