I'm not suggesting any change. Merely correcting a misstatement I
made earlier.
I believe the documentation already recommends best practice.
On Oct 10, 2007, at 10:53 AM, Magnus Hagander wrote:
Tom Lane wrote:
"Henry B. Hotz" <[EMAIL PROTECTED]> writes:
You know, I don't know what I was
Tom Lane wrote:
> "Henry B. Hotz" <[EMAIL PROTECTED]> writes:
>> You know, I don't know what I was thinking when I sent this. My
>> apologies for the late correction.
>>
>> Anyone who has a copy of the "host" keys for a machine can
>> manufacture Kerberos tickets for the "host" service on that
"Henry B. Hotz" <[EMAIL PROTECTED]> writes:
> You know, I don't know what I was thinking when I sent this. My
> apologies for the late correction.
>
> Anyone who has a copy of the "host" keys for a machine can
> manufacture Kerberos tickets for the "host" service on that machine
> masqueradi
You know, I don't know what I was thinking when I sent this. My
apologies for the late correction.
Anyone who has a copy of the "host" keys for a machine can
manufacture Kerberos tickets for the "host" service on that machine
masquerading as absolutely anyone (including people who don't
On Mon, Jun 25, 2007 at 12:31:44AM -0700, Henry B. Hotz wrote:
>
> On Jun 24, 2007, at 11:03 PM, Magnus Hagander wrote:
>
> >>I'm told that the way Apple's equivalent to mod_auth_kerb works is it
> >>uses GSS_C_NO_CREDENTIAL and then does a case-insensitive compare of
> >>the resulting match to "
On Jun 24, 2007, at 11:03 PM, Magnus Hagander wrote:
I'm told that the way Apple's equivalent to mod_auth_kerb works is it
uses GSS_C_NO_CREDENTIAL and then does a case-insensitive compare of
the resulting match to "HTTP". We could do the same thing, if you
think it's worth it.
Do you know i
On Jun 23, 2007, at 1:44 AM, Magnus Hagander wrote:
Stephen Frost wrote:
* Henry B. Hotz ([EMAIL PROTECTED]) wrote:
On Jun 22, 2007, at 9:56 AM, Magnus Hagander wrote:
Most likely it's just checking the keytab to find a principal
with the
same name as the one presented from the client. Sin
> >>> The server uses the keytab to decrypt the token provided by the
> >>> client. By using the GSS_C_NO_CREDENTIAL arg on the server anything
> >>> put in the keytab is OK. (The server doesn't need to authenticate
> >>> itself to Kerberos, it just accepts authentication. Mutual
> >>> authentic
Magnus Hagander wrote:
> Stephen Frost wrote:
>> * Henry B. Hotz ([EMAIL PROTECTED]) wrote:
>>> On Jun 22, 2007, at 9:56 AM, Magnus Hagander wrote:
Most likely it's just checking the keytab to find a principal with the
same name as the one presented from the client. Since one is
pr
Stephen Frost wrote:
> * Henry B. Hotz ([EMAIL PROTECTED]) wrote:
>> On Jun 22, 2007, at 9:56 AM, Magnus Hagander wrote:
>>> Most likely it's just checking the keytab to find a principal with the
>>> same name as the one presented from the client. Since one is
>>> present, it
>>> loads it up auto
* Henry B. Hotz ([EMAIL PROTECTED]) wrote:
> On Jun 22, 2007, at 9:56 AM, Magnus Hagander wrote:
> >Most likely it's just checking the keytab to find a principal with the
> >same name as the one presented from the client. Since one is
> >present, it
> >loads it up automatically, and verifies agai
On Jun 22, 2007, at 9:56 AM, Magnus Hagander wrote:
Stephen Frost wrote:
* Magnus Hagander ([EMAIL PROTECTED]) wrote:
We enable the setting of the service name in the server
configuration
file, but we never use that variable anywhere. We do, however,
use the
service name on the client, in
Stephen Frost wrote:
> * Magnus Hagander ([EMAIL PROTECTED]) wrote:
>> We enable the setting of the service name in the server configuration
>> file, but we never use that variable anywhere. We do, however, use the
>> service name on the client, in order to pick the correct key (and
>> turning this
* Magnus Hagander ([EMAIL PROTECTED]) wrote:
> We enable the setting of the service name in the server configuration
> file, but we never use that variable anywhere. We do, however, use the
> service name on the client, in order to pick the correct key (and
> turning this off makes GSSAPI no longer
Magnus Hagander wrote:
>> Be curious to see what you've done, but if you're actively changing
>> things I'll let them settle.
>
> I've got a bit more cleanup to do, but I'm almost there.
>
> Much of it is just cleanup. I've changed the structs around to be more in
> line with the other code arou
On Tue, Jun 19, 2007 at 06:19:37PM -0700, Henry B. Hotz wrote:
> Such timing!
>
> I just spent most of yesterday stepping through the gssapi sample
> apps in Java 1.4 with someone here at work. Was thinking I needed
> to get back to the JDBC client and do what I promised. Also finished
> f
Such timing!
I just spent most of yesterday stepping through the gssapi sample
apps in Java 1.4 with someone here at work. Was thinking I needed
to get back to the JDBC client and do what I promised. Also finished
filtering the PG lists for stuff just before seeing this email.
On Jun 19
On Sun, May 20, 2007 at 01:28:40AM -0700, Henry B. Hotz wrote:
> I finally got to testing that updated patch. It's fine per se, but
> was missing the updated README.GSSAPI file. Herewith fixed.
>
I've been reviewing and updating this patch, for a while now. I've changed
quite a bit around, and
Your patch has been added to the PostgreSQL unapplied patches list at:
http://momjian.postgresql.org/cgi-bin/pgpatches
It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.
---
He
I finally got to testing that updated patch. It's fine per se, but
was missing the updated README.GSSAPI file. Herewith fixed.
gss.patch3.bz2
Description: Binary data
On May 12, 2007, at 9:53 AM, Henry B. Hotz wrote:
These patches are updated as discussed to remove the incomplete
featu
These patches are updated as discussed to remove the incomplete
feature. Unfortunately I have a wedding to go to this weekend and
won't get them tested until next week. Will post when I've done so.
On Mar 31, 2007, at 3:41 PM, Henry B. Hotz wrote:
These patches have been reasonably tested
Your patch has been added to the PostgreSQL unapplied patches list at:
http://momjian.postgresql.org/cgi-bin/pgpatches
It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.
---
He
These patches have been reasonably tested (and cross-tested) on
Solaris 9 (SPARC) and MacOS 10.4 (both G4 and Intel) with the native
GSSAPI libraries. They implement the gss-np and (incompletely) the
gss authentication methods. Unlike the current krb5 method gssapi
has native support in J
23 matches