As far as using TLS, it is good approach. Although, we don't need complete channel encryption for every transaction or query. I am looking at a more granular approach where
I can decide depending on the security of information exchange whether to encrypt the
channel or not (like using maybe GSSAPI). Is this something that will be considered down
the line?
Mohan
On 2/6/06, Magnus Hagander <
mha@xxxxxxxxxxxxxx> wrote:
> Hello Magnus,
>
> Regarding the configure issue:
> The platform is Tru64 Unix 5.1b, the problem I had was we
> have compiled our Kerberos build statically and is installed
> in a directory other than the standard location. The trick
> adding to LIBS did not work as it (krb5support) library needs
> to come after the other libs (is there a way to control that?).
Ok. Someone more autoconfy than me will have to say something about that
:-)
> As far as the security issue with Kerberos, here is the
> relevant thread
>
> http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.
> html
> < http://mailman.mit.edu/pipermail/kerberos/2002-October/002043.html>
>
> I am sorry it was in Kerberos mailing list not Postgres.
Ah, that explains me not seeing it.
If you need protection against mitm and connection security, you should
use TLS. We don't use Kerberos for encryption.
//Magnus
