rdelaage/postgresql
1
0
Fork 0
mirror of https://git.postgresql.org/git/postgresql.git synced 2024-09-15 21:30:23 +02:00
Code Issues Packages Projects Releases Wiki Activity
26058bf0dc
postgresql/src/backend/libpq
History
Stephen Frost 9a0884176f Change default for include_realm to 1 
The default behavior for GSS and SSPI authentication methods has long
been to strip the realm off of the principal, however, this is not a
secure approach in multi-realm environments and the use-case for the
parameter at all has been superseded by the regex-based mapping support
available in pg_ident.conf.

Change the default for include_realm to be '1', meaning that we do
NOT remove the realm from the principal by default.  Any installations
which depend on the existing behavior will need to update their
configurations (ideally by leaving include_realm set to 1 and adding a
mapping in pg_ident.conf, but alternatively by explicitly setting
include_realm=0 prior to upgrading).  Note that the mapping capability
exists in all currently supported versions of PostgreSQL and so this
change can be done today.  Barring that, existing users can update their
configurations today to explicitly set include_realm=0 to ensure that
the prior behavior is maintained when they upgrade.

This needs to be noted in the release notes.

Per discussion with Magnus and Peter.
2015-05-08 19:39:42 -04:00
..
auth.c Use FLEXIBLE_ARRAY_MEMBER in a number of other places. 2015-02-21 16:12:14 -05:00
be-fsstubs.c
be-secure-openssl.c Add system view pg_stat_ssl 2015-04-12 19:07:46 +02:00
be-secure.c Simplify waiting logic in reading from / writing to client. 2015-02-13 21:46:14 +02:00
crypt.c
hba.c Change default for include_realm to 1 2015-05-08 19:39:42 -04:00
ip.c Remove code to match IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses. 2015-02-17 12:49:18 -05:00
Makefile
md5.c
pg_hba.conf.sample
pg_ident.conf.sample
pqcomm.c Also correct therefor to therefore. 2015-04-26 19:05:39 +02:00
pqformat.c
pqmq.c Create an infrastructure for parallel computation in PostgreSQL. 2015-04-30 15:02:14 -04:00
pqsignal.c
README.SSL

README.SSL 

src/backend/libpq/README.SSL

SSL
===

>From the servers perspective:


  Receives StartupPacket
           |
           |
 (Is SSL_NEGOTIATE_CODE?) -----------  Normal startup
           |                  No
           |
           | Yes
           |
           |
 (Server compiled with USE_SSL?) ------- Send 'N'
           |                       No        |
           |                                 |
           | Yes                         Normal startup
           |
           |
        Send 'S'
           |
           |
      Establish SSL
           |
           |
      Normal startup





>From the clients perspective (v6.6 client _with_ SSL):


      Connect
         |
         |
  Send packet with SSL_NEGOTIATE_CODE
         |
         |
  Receive single char  ------- 'S' -------- Establish SSL
         |                                       |
         | '<else>'                              |
         |                                  Normal startup
         |
         |
   Is it 'E' for error  ------------------- Retry connection
         |                  Yes             without SSL
         | No
         |
   Is it 'N' for normal ------------------- Normal startup
         |                  Yes
         |
   Fail with unknown

---------------------------------------------------------------------------