Re: [HACKERS] LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
On Tue, Dec 13, 2011 at 05:09:01PM -0500, Stephen Frost wrote:
> * Greg Smith (g...@2ndquadrant.com) wrote:
>> Given that pgAdmin III has given up on MIT KRB5, would you feel
>> doing the same is appropriate for LibreOffice too?
>
> Yes, I'd encourage LibreOffice to drop MIT Kerberos for Windows from
> their configure/install of libpq on Windows.

Thanks for the advice, we won't enable it.

--
Lionel

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

[HACKERS] LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
(See part 1 for general introduction)

LibreOffice currently - when it rebuilds libpq, such as for our official MS Windows binaries - links libpq against only the MS Windows built-in SSPI stuff, which if I understand well is an embrace and extend Kerberos 5 implementation.

I wanted to understand the limitations (if any) of building libpq on Windows only with the MS Windows-builtin Kerberos and not additionally with MIT Kerberos. The gsslib parameter in the connection string won't work, but will that keep users from authenticating to some Kerberos domains, and/or are there other (interoperability?) issues that make it strongly desirable to link libpq with *both* SSPI *and* MIT krb5 (and its gssapi_krb5 library)?

--
Lionel

Re: [HACKERS] LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
* Lionel Elie Mamane (lio...@mamane.lu) wrote:
> The gsslib parameter in the connection string won't work, but will
> that keep users from authenticating to some Kerberos domains, and/or
> are there other (interoperability?) issues that make it strongly
> desirable to link libpq with *both* SSPI *and* MIT krb5 (and its
> gssapi_krb5 library)?

The MIT KRB5 library on Windows is more-or-less defunct now, as I understand it. pgAdmin3 hasn't been linking against it due to unfixed security bugs (that don't seem likely to ever be fixed) and because it's horribly painful to maintain.

The gist of the limitation is this- if you need to support decent encryption in a cross-realm environment on Windows XP-age systems, you need MIT KRB5. If you're on Windows 7 or something else recent, the built-in Windows stuff w/ AES works fine.

Thanks,

Stephen

Re: [HACKERS] LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
On 12/13/2011 09:18 AM, Stephen Frost wrote:
> The gist of the limitation is this- if you need to support decent
> encryption in a cross-realm environment on Windows XP-age systems,
> you need MIT KRB5. If you're on Windows 7 or something else recent,
> the built-in Windows stuff w/ AES works fine.

This answers Lionel's question, but I'm curious for a more user impact opinion from you. Given that pgAdmin III has given up on MIT KRB5, would you feel doing the same is appropriate for LibreOffice too? It sounds like they really shouldn't take on either the build cruft or the potential security issues of pulling that in at this point.

--
Greg Smith   2ndQuadrant US   g...@2ndquadrant.com   Baltimore, MD
PostgreSQL Training, Services, and 24x7 Support   www.2ndQuadrant.us

Re: [HACKERS] LibreOffice driver 2: MIT Kerberos vs Microsoft Kerberos
* Greg Smith (g...@2ndquadrant.com) wrote:
> This answers Lionel's question, but I'm curious for a more user
> impact opinion from you. Given that pgAdmin III has given up on MIT
> KRB5, would you feel doing the same is appropriate for LibreOffice
> too? It sounds like they really shouldn't take on either the build
> cruft or the potential security issues of pulling that in at this
> point.

Yes, I'd encourage LibreOffice to drop MIT Kerberos for Windows from their configure/install of libpq on Windows. It's just too painful and evil and, today, it might almost be better to just use the built-in Windows stuff (even on XP with the crappy encryption..) than deal with the headaches and known security flaws in the ancient MIT KfW build.

Thanks,

Stephen