Re: [HACKERS] JAVA Support

2006-09-29 Thread Bruce Momjian
Henry B. Hotz wrote: > Well, that's why I was pushing SASL instead of GSSAPI. There are > multiple mechanisms that are actually in use. > > PAM turned out not to be sufficiently specified for cross-platform > behavioral compatibility, and it only does password checking anyway. > Calling it

Re: [HACKERS] JAVA Support

2006-09-29 Thread Henry B. Hotz
On Sep 29, 2006, at 12:31 AM, Magnus Hagander wrote: However, that doesn't change that some people would like us to support GSSAPI, and there may be some benefit (additional applications, better network authentication, etc.) for doing so. If we can get additional programmers to code the

Re: [HACKERS] JAVA Support

2006-09-29 Thread Henry B. Hotz
On Sep 28, 2006, at 9:35 PM, Tom Lane wrote: "Joshua D. Drake" <[EMAIL PROTECTED]> writes: Is there any reason why we haven't built a generic authentication API? Something like PAM, except cross platform? We're database geeks, not security/crypto/authentication geeks. What makes you think

Re: [HACKERS] JAVA Support

2006-09-29 Thread Magnus Hagander
This being SASL: > > I know I tried to make > > it work on win32 once and failed miserably. (Then again, I've > failed > > on Linux as well, but not quite as bad. And it's not included in > all > > Linux distributions, at least it wasn't when I checked a while > back) > > Well, I know Redhat has

Re: [HACKERS] JAVA Support

2006-09-29 Thread Magnus Hagander
> > However, that doesn't change that some people would like us to > support > > GSSAPI, and there may be some benefit (additional applications, > better > > network authentication, etc.) for doing so. If we can get > additional > > programmers to code the support (i.e. Sun, JPL) I don't see any >

Re: [HACKERS] JAVA Support

2006-09-29 Thread Magnus Hagander
> > I would if we could get some -hackers buy in on the idea. Adding > more > > and more auth methods is something they're not excited about > unless > > there's a good reason (which I think this is). > > Actually, I've been trying to get some of the Sun engineers to > contribute patches for Sola

Re: [HACKERS] JAVA Support

2006-09-28 Thread Joshua D. Drake
Tom Lane wrote: > "Joshua D. Drake" <[EMAIL PROTECTED]> writes: >> Is there any reason why we haven't built a generic authentication API? >> Something like PAM, except cross platform? > > We're database geeks, not security/crypto/authentication geeks. What > makes you think we have any particular

Re: [HACKERS] JAVA Support

2006-09-28 Thread Tom Lane
"Joshua D. Drake" <[EMAIL PROTECTED]> writes: > Is there any reason why we haven't built a generic authentication API? > Something like PAM, except cross platform? We're database geeks, not security/crypto/authentication geeks. What makes you think we have any particular competence to do the abov

Re: [HACKERS] JAVA Support

2006-09-28 Thread Joshua D. Drake
Josh Berkus wrote: > Henry, > >> Sun demonstrated that you could build the existing Kerberos support >> with the current Solaris 11 betas. They opened the "native" MIT >> Kerberos API for outside use. > > Yes, and this will be available via the supported version in Solaris 10 > Update > 4.

Re: [HACKERS] JAVA Support

2006-09-28 Thread Tom Lane
Josh Berkus writes: > However, that doesn't change that some people would like us to support > GSSAPI, and there may be some benefit (additional applications, better > network authentication, etc.) for doing so. If we can get additional > programmers to code the support (i.e. Sun, JPL) I don't se

Re: [HACKERS] JAVA Support

2006-09-28 Thread Henry B. Hotz
On Sep 28, 2006, at 3:01 PM, Josh Berkus wrote: Kris, I would if we could get some -hackers buy in on the idea. Adding more and more auth methods is something they're not excited about unless there's a good reason (which I think this is). Actually, I've been trying to get some of the Sun e

Re: [HACKERS] JAVA Support

2006-09-28 Thread Josh Berkus
Henry, > Sun demonstrated that you could build the existing Kerberos support > with the current Solaris 11 betas. They opened the "native" MIT > Kerberos API for outside use. Yes, and this will be available via the supported version in Solaris 10 Update 4. However, that doesn't change that

Re: [HACKERS] JAVA Support

2006-09-28 Thread Henry B. Hotz
On Sep 28, 2006, at 3:03 PM, Josh Berkus wrote: Tom, It would depend in part on the size of the patch, and on whether there are any arguments for supporting GSSAPI besides "Java can't do Kerberos". What would it buy for a libpq user? According to the Solaris Security engineers, GSSAPI is mo

Re: [HACKERS] JAVA Support

2006-09-28 Thread Henry B. Hotz
I cc'ed Tom Lockhart because he *used* to be core, and I know where he works. No response expected. On Sep 28, 2006, at 2:11 PM, Magnus Hagander wrote: f) SASL support is available in current Java as well as C. SASL libraries are included (or at least loadable) on MacOS, Solaris 10+, and Lin

Re: [HACKERS] JAVA Support

2006-09-28 Thread Henry B. Hotz
On Sep 28, 2006, at 2:24 PM, Tom Lane wrote: "Magnus Hagander" <[EMAIL PROTECTED]> writes: As for the other part - will core accept this - I can't answer that. It would depend in part on the size of the patch, and on whether there are any arguments for supporting GSSAPI besides "Java can't d

Re: [HACKERS] JAVA Support

2006-09-28 Thread Josh Berkus
Tom, > It would depend in part on the size of the patch, and on whether > there > are any arguments for supporting GSSAPI besides "Java can't do > Kerberos". > What would it buy for a libpq user? According to the Solaris Security engineers, GSSAPI is more secure than using the Kerberos headers.

Re: [HACKERS] JAVA Support

2006-09-28 Thread Josh Berkus
Kris, > I would if we could get some -hackers buy in on the idea. Adding > more and more auth methods is something they're not excited about > unless there's a good reason (which I think this is). Actually, I've been trying to get some of the Sun engineers to contribute patches for Solaris authe

Re: [HACKERS] JAVA Support

2006-09-28 Thread Magnus Hagander
> > As for the other part - will core accept this - I can't answer that. > > It would depend in part on the size of the patch, and on > whether there are any arguments for supporting GSSAPI besides > "Java can't do Kerberos". > What would it buy for a libpq user? I don't know, really ;-) It see

Re: [HACKERS] JAVA Support

2006-09-28 Thread Tom Lane
"Magnus Hagander" <[EMAIL PROTECTED]> writes: > As for the other part - will core accept this - I can't answer that. It would depend in part on the size of the patch, and on whether there are any arguments for supporting GSSAPI besides "Java can't do Kerberos". What would it buy for a libpq user?

Re: [HACKERS] JAVA Support

2006-09-28 Thread Magnus Hagander
> > As for the other part - will core accept this - I can't > answer that. I > > do believe that there is a point to it, given that Java will then > > support it natively, but I'm not core. I'm unsure if there > is a clear > > view on the merits of adding more authentication options.. > > Fr

Re: [HACKERS] JAVA Support

2006-09-28 Thread Henry B. Hotz
On Sep 28, 2006, at 12:42 PM, Magnus Hagander wrote: 2) If I were willing to add a GSSAPI or SASL layer as an alternative to the bare Krb 5 support would anyone be willing to help with the supporting mods to the pg_hba.conf parsing, and configure? Sure, I can help out with that. I've done a b

Re: [HACKERS] JAVA Support

2006-09-28 Thread Magnus Hagander
> 2) If I were willing to add a GSSAPI or SASL layer as an > alternative to the bare Krb 5 support would anyone be willing > to help with the supporting mods to the pg_hba.conf parsing, > and configure? Sure, I can help out with that. I've done a bunch of work on the current kerberos stuff (toh

Re: [HACKERS] JAVA Support

2006-09-28 Thread Kris Jurka
On Thu, 28 Sep 2006, Henry B. Hotz wrote: I take it you're not volunteering to help with my second request. ;-) I would if we could get some -hackers buy in on the idea. Adding more and more auth methods is something they're not excited about unless there's a good reason (which I think

Re: [HACKERS] JAVA Support

2006-09-28 Thread Henry B. Hotz
On Sep 28, 2006, at 10:52 AM, Kris Jurka wrote: On Thu, 28 Sep 2006, Henry B. Hotz wrote: It appears that the JDBC client doesn't include the Kerberos support that the C clients do. Java doesn't have accessible Kerberos support. It wraps Kerberos in GSSAPI which requires the server to

Re: [HACKERS] JAVA Support

2006-09-28 Thread Kris Jurka
On Thu, 28 Sep 2006, Henry B. Hotz wrote: It appears that the JDBC client doesn't include the Kerberos support that the C clients do. Java doesn't have accessible Kerberos support. It wraps Kerberos in GSSAPI which requires the server to support GSSAPI instead of plain Kerberos. So, tw

[HACKERS] JAVA Support

2006-09-28 Thread Henry B. Hotz
It appears that the JDBC client doesn't include the Kerberos support that the C clients do. So, two questions: 1) Is there an alternative JDBC client that's just a glue layer instead of a complete re-implementation? 2) If I were willing to add a GSSAPI or SASL layer as an alternative to