The current implementation of the Kerberos 5
authentication in backend/libpq/auth.c truncates the
principal after the first '/' or, failing that, after
the first '@', assuming the result to be the database
username. This implicitly allows cross-realm
authentication, which is not good in many instances.
Even more seriously, it discards parts following any
'/', which is definitely very bad in many instances.

This is not satisfactory for some (I would think most)
applications. A solution to this would be mapping
Kerberos principals to usernames in the database. (As
e.g. ~username/.k5login determines which principals are
authorized to log in as username.) Ideally this mapping
table should be a system table in the database (and
not a specialized file like the current implementation
of pg_ident.conf). Is this a stupid idea? Any
comments?

I do have a few questions regarding an
implementation of this.

Is there any existing way of making queries from
postmaster (other than setting up a client connection
from it)?

Is there a reason pg_ident.conf and pg_hba.conf are
files rather than tables?

Is there any reason for not doing authentication of both
the client and the server?

Grateful for answers and comments
Daniel
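Added example in C (not code from PostgreSQL's auth.c): the truncation described in the post, beside a stricter lookup that requires the realm to match and maps the whole principal through a table; `krb_map`, `map_principal` and the entries in the table are constructed for illustration.

```c
/* Added example, not PostgreSQL's own code: the principal truncation the
 * post describes, and a stricter whole-principal mapping with a realm check. */
#include <stdio.h>
#include <string.h>

/* Truncate at the first '/' or, failing that, the first '@'. The instance
 * ("/admin") and the realm are silently dropped, so "daniel@OTHER.REALM"
 * and "daniel/admin@EXAMPLE.ORG" both collapse to "daniel". */
static const char *truncate_principal(const char *principal)
{
    static char out[64];                 /* static buffer: not reentrant */
    const char *end = strchr(principal, '/');
    if (end == NULL)
        end = strchr(principal, '@');
    size_t n = end ? (size_t)(end - principal) : strlen(principal);
    if (n >= sizeof out)
        n = sizeof out - 1;
    memcpy(out, principal, n);
    out[n] = '\0';
    return out;
}

/* Constructed mapping table (hypothetical): full principal -> database user,
 * standing in for the system table the post proposes. */
struct pg_krb_map { const char *principal; const char *dbuser; };
static const struct pg_krb_map krb_map[] = {
    { "daniel@EXAMPLE.ORG",       "daniel"   },
    { "daniel/admin@EXAMPLE.ORG", "postgres" },
};

/* Stricter check: the principal must carry the expected realm and must be
 * listed as a whole; returns the mapped database user or NULL to reject. */
static const char *map_principal(const char *principal, const char *expected_realm)
{
    const char *at = strrchr(principal, '@');
    if (at == NULL || strcmp(at + 1, expected_realm) != 0)
        return NULL;                     /* missing or foreign realm */
    for (size_t i = 0; i < sizeof krb_map / sizeof krb_map[0]; i++)
        if (strcmp(krb_map[i].principal, principal) == 0)
            return krb_map[i].dbuser;
    return NULL;                         /* no mapping for this principal */
}

int main(void)
{
    printf("truncated: %s\n", truncate_principal("daniel/admin@OTHER.REALM"));
    const char *u = map_principal("daniel/admin@OTHER.REALM", "EXAMPLE.ORG");
    printf("mapped: %s\n", u ? u : "(rejected)");
    return 0;
}
```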
