| From: | "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, Kris Jurka <books(at)ejurka(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: JAVA Support |
| Date: | 2006-09-29 15:50:46 |
| Message-ID: | D0B1065C-3E09-4CDB-8889-F4FFBF3A1A14@jpl.nasa.gov |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sep 28, 2006, at 9:35 PM, Tom Lane wrote:
> "Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
>> Is there any reason why we haven't built a generic authentication
>> API?
>> Something like PAM, except cross platform?
>
> We're database geeks, not security/crypto/authentication geeks. What
> makes you think we have any particular competence to do the above?
>
> Actually, the part of this proposal that raised my hackles the most
> was
> the claim that GSSAPI provides a generic auth API, because that was
> exactly the bill of goods we were sold in connection with PAM. (So
> why
> is this our problem at all --- can't you make a PAM plugin for it??)
> It didn't help any that that was shortly followed by the lame
> admission
> that no one has ever implemented anything except Kerberos
> underneath it.
> Word to the wise, guys: go *real* soft on vaporware claims for auth
> stuff, because we've seen enough of those before.
Well, that's why I was pushing SASL instead of GSSAPI. There are
multiple mechanisms that are actually in use.
PAM turned out not to be sufficiently specified for cross-platform
behavioral compatibility, and it only does password checking anyway.
Calling it a security solution is a big overstatement IMO. I guess a
lot of people use PAM with SSL and don't worry about the gap between
the two (which SASL or GSSAPI close).
In defense of GSSAPI non-Kerberos mechanisms do exist. They just
cost money and they aren't very cross-platform. AFAIK GSSAPI has no
simple password mechanisms.
There's a Microsoft-compatible SPNEGO mechanism for GSSAPI that's
being implemented fairly widely now, but it's just a sub-negotiation
mech that lets you choose between a Kerberos 5 (that's practically
identical to the direct one), and NTLM. If you allow NTLM you'd
better limit it to NTLMv2!
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2006-09-29 15:57:39 | Re: Block B-Tree concept |
| Previous Message | Tom Lane | 2006-09-29 15:40:32 | Re: Another idea for dealing with cmin/cmax |