Removing Kerberos 4

Started by Magnus Hagander, almost 21 years ago. 11 messages. Lists: hackers, general
#1 Magnus Hagander <magnus@hagander.net>

This patch removes Kerberos version 4 support from the backend and
libpq. Per previous mail, I sent a mail to both hackers and -general
about a month ago asking for ppl who use it, for zero responses. I also
looked back in the archives and it seems it has been asked before and
also not responded, so I think it's safe to say it's not in widespread
use ATM. Finally, kerberos version 4 is deprecated by the kerberos
people - for security reasons amongst others.

Anyway. Here's the patch.

(only configure.in touched, my autoconf is the wrong version so it
generates huge diffs)

//Magnus

Attachments:

krb4.patch (application/octet-stream), +66 -419
#2 Tom Lane <tgl@sss.pgh.pa.us>
In reply to: Magnus Hagander (#1)
Re: [PATCHES] Removing Kerberos 4

"Magnus Hagander" <mha@sollentuna.net> writes:

This patch removes Kerberos version 4 support from the backend and
libpq. Per previous mail, I sent a mail to both hackers and -general
about a month ago asking for ppl who use it, for zero responses. I also
looked back in the archives and it seems it has been asked before and
also not responded, so I think it's safe to say it's not in widespread
use ATM. Finally, kerberos version 4 is deprecated by the kerberos
people - for security reasons amongst others.

Last chance for any Kerberos 4 users to speak up --- otherwise I'll
apply this soon.

regards, tom lane

#3 Neil Conway <neilc@samurai.com>
In reply to: Magnus Hagander (#1)
Re: Removing Kerberos 4

Magnus Hagander wrote:

This patch removes Kerberos version 4 support from the backend and
libpq.

I'll apply this later today, barring any objections.

-Neil

#4 Bruce Momjian <bruce@momjian.us>
In reply to: Tom Lane (#2)
Re: [HACKERS] [PATCHES] Removing Kerberos 4

Tom Lane <tgl@sss.pgh.pa.us> writes:

Last chance for any Kerberos 4 users to speak up --- otherwise I'll
apply this soon.

If you just want someone to test it I can do that. I don't actually use it
normally though.

As far as security issues the only issues I'm aware of is a) it uses plain DES
which is just a 56 bit key and crackable by brute force and b) cross-domain
authentication is broken.

But if you just have a single domain it's a lot simpler to set up than the
poster child for second system effect, Kerberos 5.

--
greg

#5 Magnus Hagander <magnus@hagander.net>
In reply to: Bruce Momjian (#4)
Re: [HACKERS] [PATCHES] Removing Kerberos 4

Last chance for any Kerberos 4 users to speak up --- otherwise I'll
apply this soon.

If you just want someone to test it I can do that. I don't
actually use it normally though.

I don't think "just testing" is enough - somebody needs to actually
maintain it...

As far as security issues the only issues I'm aware of is a)
it uses plain DES which is just a 56 bit key and crackable by
brute force and b) cross-domain authentication is broken.

Yeah. But it has been declared dead by the Kerberos folks
(http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
document is from 2000, and it was declared already then)...

//Magnus

#6 Tom Lane <tgl@sss.pgh.pa.us>
In reply to: Magnus Hagander (#5)
Re: [HACKERS] [PATCHES] Removing Kerberos 4

"Magnus Hagander" <mha@sollentuna.net> writes:

Yeah. But it has been declared dead by the Kerberos folks
(http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
document is from 2000, and it was declared already then)...

Right. The real question here is who's going to be using a 2005
database release with a pre-2000 security system? There's a fair
amount of code there and no evidence that time spent on testing
and maintaining it is going to benefit anyone anymore.

If someone wakes up and says "hey, I'm still ACTUALLY using that code",
I'm willing to forbear ... but otherwise I think its time is long gone.

regards, tom lane

#7 Jim Nasby <Jim.Nasby@BlueTreble.com>
In reply to: Tom Lane (#6)
Re: [HACKERS] [PATCHES] Removing Kerberos 4

On Wed, Jun 22, 2005 at 04:39:15PM -0400, Tom Lane wrote:

"Magnus Hagander" <mha@sollentuna.net> writes:

Yeah. But it has been declared dead by the Kerberos folks
(http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
document is from 2000, and it was declared already then)...

Right. The real question here is who's going to be using a 2005
database release with a pre-2000 security system? There's a fair
amount of code there and no evidence that time spent on testing
and maintaining it is going to benefit anyone anymore.

If someone wakes up and says "hey, I'm still ACTUALLY using that code",
I'm willing to forbear ... but otherwise I think its time is long gone.

While I agree, if it's easy to just disable kerb without actually
ripping the code out right now that might be a tad 'safer', as there
might be some users who are using it but don't read the mailing lists.

Has Kerb4 been marked as deprecated in the docs at all? If not it might
be best to just do that and then yank it later.
--
Jim C. Nasby, Database Consultant decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
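Jim's worry above is the operator who never saw this thread and only learns of the removal when the upgraded server rejects their pg_hba.conf. The following is an added example, not code from the thread or from the PostgreSQL project: a POSIX shell precheck that scans a pg_hba.conf for entries whose method field is krb4, so the dependency is found before the upgrade rather than after. It assumes the pg_hba.conf layout of that era (TYPE DATABASE USER [ADDRESS] METHOD); the function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example, not from the PostgreSQL project: find pg_hba.conf entries
# that depend on the krb4 authentication method removed by the patch in
# this thread. Function and sample-file names are assumptions of this example.

# Print "<lineno>:<line>" for every entry whose method field is krb4.
# Whole-line comments, blank lines and trailing "# ..." comments are
# stripped before matching, so a commented-out krb4 line is not reported.
find_krb4_entries() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)              # strip trailing comment
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] == "krb4") { print NR ":" $0; break }
            }
        }
    ' "$1"
}

# Number of flagged entries; non-zero means the upgrade precheck should fail.
count_krb4_entries() {
    find_krb4_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample pg_hba.conf (not a real site's file) so the check can
# be exercised offline. Writes it to a temp file and prints the path.
write_sample_hba() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# TYPE  DATABASE  USER      CIDR-ADDRESS          METHOD
local   all       all                             md5
host    all       all       127.0.0.1/32          md5
host    all       all       192.168.0.0/24        krb4   # legacy realm
hostssl payroll   all       10.0.0.0 255.0.0.0    krb5
local   legacy    all                             krb4
EOF
    printf '%s\n' "$f"
}
```

Source the file and run `find_krb4_entries /path/to/pg_hba.conf`; a non-zero `count_krb4_entries` result is the signal to stop the upgrade and move those entries to another method first. Matching on the field value rather than a bare `grep krb4` keeps commented-out lines and comments naming krb4 from producing false positives.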

#8 Magnus Hagander <magnus@hagander.net>
In reply to: Jim Nasby (#7)
Re: [HACKERS] [PATCHES] Removing Kerberos 4

Has Kerb4 been marked as deprecated in the docs at all? If
not it might be best to just do that and then yank it later.

Yes, since 7.4.

http://www.postgresql.org/docs/8.0/static/auth-methods.html#KERBEROS-AUTH
http://www.postgresql.org/docs/7.4/static/auth-methods.html#KERBEROS-AUTH

"Kerberos 4 is considered insecure and no longer recommended for general
use."

//Magnus

#9 Jim Nasby <Jim.Nasby@BlueTreble.com>
In reply to: Magnus Hagander (#8)
Re: [HACKERS] [PATCHES] Removing Kerberos 4

On Thu, Jun 23, 2005 at 07:34:30PM +0200, Magnus Hagander wrote:

Has Kerb4 been marked as deprecated in the docs at all? If
not it might be best to just do that and then yank it later.

Yes, since 7.4.

http://www.postgresql.org/docs/8.0/static/auth-methods.html#KERBEROS-AUTH
http://www.postgresql.org/docs/7.4/static/auth-methods.html#KERBEROS-AUTH

"Kerberos 4 is considered insecure and no longer recommended for general
use."

Just as a nitpick, in the future it would probably be better to
explicitly say if something is considered deprecated and will be
removed in the future. Having said that, that statement means its
removal shouldn't come as a shock to anyone.
--
Jim C. Nasby, Database Consultant decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

#10 Neil Conway <neilc@samurai.com>
In reply to: Magnus Hagander (#1)
Re: Removing Kerberos 4

Magnus Hagander wrote:

This patch removes Kerberos version 4 support from the backend and
libpq.

Applied, thanks.

Bruce, can you mark the "Remove krb4" TODO item as finished? Thanks.

-Neil

#11 Bruce Momjian <bruce@momjian.us>
In reply to: Neil Conway (#10)
Re: Removing Kerberos 4

Neil Conway wrote:

Magnus Hagander wrote:

This patch removes Kerberos version 4 support from the backend and
libpq.

Applied, thanks.

Bruce, can you mark the "Remove krb4" TODO item as finished? Thanks.

Thanks, done.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073