| From: | Brian Crowell <brian(at)fluggo(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Date: | 2014-02-24 21:24:08 |
| Message-ID: | CAAQkdDqXptf4DM0Bf_uryJ5SxSTz8OR9pURuDj6ik-Pux-Az+w@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Mon, Feb 24, 2014 at 2:56 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> If it's possible to extract a principal name from a ticket without
> contacting the server, then that objection fails ... but if that were
> the case then I suppose you'd not be here looking for a solution.
You've got a point. I do believe the principal name is in the ticket
in clear text. I could generate a ticket in anticipation of needing
it, extract the name, and send that. I have no idea how to get it, but
I'll look into it.
I still think this would be useful in the server. If I'm right, and
the principal name is in clear text, the server would look at it this
way:
PSEUDOCODE
// (server receives packet without user, but
// ticket="my ticket for User(at)REALM(dot)COM")
if(!user_name) {
if(ticket)
user_name = extract_user_name(ticket)
}
if(!user_name)
return NO_USER_NAME;
auth_type = lookup_pg_hba(user_name, database, etc.)
if(ticket) {
if(auth_type != GSSAPI)
return BAD_AUTH;
accept_gssapi_packet(ticket);
}
else {
// Do what you would normally do
challenge(auth_type);
}
/PSEUDOCODE
Something like that.
--Brian
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2014-02-24 21:40:34 | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Previous Message | Christopher Browne | 2014-02-24 21:01:47 | Re: Problem with PostgreSQL 9.2.7 and make check on AIX 7.1 |