Re: Postgres 8.1.x and MIT Kerberos 5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Magnus,

Regarding the configure issue:
 The platform is Tru64 Unix 5.1b, the problem I had was we have
compiled our Kerberos build statically and is installed in a
directory other than the standard location. The trick adding to LIBS
did not work as it (krb5support) library needs to come after the
other libs (is there a way to control that?).


As far as the security issue with Kerberos, here is the relevant thread

http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.html

I am sorry it was in Kerberos mailing list not Postgres.


On 2/5/06, Magnus Hagander <mha@xxxxxxxxxxxxxx > wrote:
> > Greetings,
> >  I was trying to build source build postgres 8.1.x with MIT
> > Kerberos 5 1.4.x implementation.
> > The whole thing bombs out. After some digging, I had to hack
> > the autoconf script (configure.in) to properly account for
> > the way the libraries are built for 1.4.x. I don't know
> > whether an earlier post had the same issue. I think it boils
> > down to adding the 'libkrb5support' when all the krb5 libs
> > are checked in the configure script.
>
> (This is better asked in -hackers, I htink, copying there)
>
> What platform is this? I use it with krb5 1.4.3 on Linux (slackware)
> without any modifications at all. Perhaps platform specific behaviour?
>
> The postmaster is linked to libkrb5support, but I only have "-lkrb5" in
> my LIBS as generated by configure. However, if I do "ldd" on libkrb5.so
> I see that one pulls in libkrb5support.
>
>
> > On another note, is the kerberos authentication secure, I had
> > searched some old threads, where it was indicated the
> > principal is not checked by the db as a valid user. Is this
> > still the case?
>
> The principal name is definitly checked by the db as a valid user, and
> AFAIK it always has been (do you have a reference to where it says it
> doesn't?)
>
> The *REALM* is not checked, however. This can cause problems if you have
> a multi-realm system (where the realms already trust each other, because
> the KDC has to give out the service ticket) where you have the same
> username existing in multiple realms representing different users.
>
> If you're in a single realm, it's definitly secure.
>
> //Magnus
>
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux