| From: | Brian Crowell <brian(at)fluggo(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Date: | 2014-02-24 20:09:50 |
| Message-ID: | CAAQkdDqrz_O9EE7QL7vpyC4Ti3qcWGLPPD8Ox+Gevrke9+0zqg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Mon, Feb 24, 2014 at 1:58 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> I wonder whether there would be any value in an option for SSPI (and
> maybe other auth methods) to say "after authentication is complete,
> substitute the authenticated principal name for the database user
> name" (possibly after realm-stripping, case-folding, etc).
I humbly resubmit my ticket-in-the-startup-packet suggestion, which
I'd hope would be easier, especially since any program not supplying
it would fall back to the standard challenge auth mechanism.
Like:
1. client -> server startup packet + GSSAPI="here's my ticket"
2. server -> client AuthenticationGSSContinue
3. client -> server password packet
4. server -> client AuthenticationOK
But then I don't know what I'm talking about really :P
(goes to read the protocol specs)
--Brian
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2014-02-24 20:21:39 | Re: Problem with PostgreSQL 9.2.7 and make check on AIX 7.1 |
| Previous Message | Brian Crowell | 2014-02-24 20:03:01 | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |