Tom Lane wrote:
> "Henry B. Hotz" <[EMAIL PROTECTED]> writes:
>> Don't you want to maintain some interoperability between 8.2 client/
>> server and 8.3 server/client at least?
>
> Hm, you mean that what you called a C API change actually
> break^H^H^H^H^Hchanges the on-the-wire protocol as well?
> That sounds not very nice :-(

It's a completely new authentication method, that just happens to use Kerberos underneath it. And it uses the API/wire protocol that's recommended by the Kerberos folks. And in fact when talking to the MIT folks back when I found that security issue two years back it seems we're more or less the only ones other than sample apps that use the "native api".

Fact is that the way we do it now is not very "pretty". The GSSAPI way lets PostgreSQL handle sending/receiving and wrapping in whatever we want, whereas the current method we just pass in the socket. I think in a lot of ways it's just pure luck that it works reasonably well alongside OpenSSL for example.

I think the correct path is to put it in GSSAPI and deprecate krb5 for at least one release, and then get rid of krb5 completely.

Oh, and I do think putting in GSSAPI authentication only (and not encryption) is the way to go for now, since we can do encryption with OpenSSL. It'll make the changes localized to just the authentication.

//Magnus