Now that we have working GSSAPI authentication, I'd like to see the
following done:

* Deprecate krb5 authentication in 8.3. At least in documentation, possibly
with a warning when loading pg_hba.conf?
* Remove krb5 authenticatino completely in 8.4.

The reasons for this is:
* krb5 auth doesn't do anything that gssapi doesn't.
* krb5 authentication doesn't follow a published standard. It follows API
examples from MIT later copied by Heimdal, but there is no documented
* krb5 authentication operates directly on the socket and as such violates
the libpq protocol. This means it's not protected by SSL if you have SSL on
your connection, and that it may misbehave with async sockets.

This was actually on the agenda when we first talked about doig gssapi, but
now that we have it it's time to bring it up again...



---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
       subscribe-nomail command to [EMAIL PROTECTED] so that your
       message can get through to the mailing list cleanly

Reply via email to