Re: Plans for 8.4

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: "Henry B(dot) Hotz" <hbhotz(at)oxy(dot)edu>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Plans for 8.4
Date: 2008-07-31 14:58:59
Message-ID: 4891D333.4000102@hagander.net
Lists: pgsql-hackers

Stephen Frost wrote:
> * Henry B. Hotz (hbhotz(at)oxy(dot)edu) wrote:
>> I'm making no promises, but what would people think of a hostgss hba
>> option?
>
> As described, sounds like a win to me. It'd be very nice to be able to
> just use GSSAPI encryption on the link. That, combined w/ Magnus' work
> on username/princ mappings, would really bring PostgreSQL up to date wrt
> GSSAPI support.

Yeah, +1 on this feature, it would be quite useful.

> It'd really be great to have this support in the ODBC and JDBC drivers
> too.. I think in JDBC it might 'just work', I'm less sure about ODBC.

ODBC will need hackery I think. They use libpq for authentication only,
but have their own SSL code and such. I do think ODBC would be a fairly
major point to it being a success, though, so it'd be good if a plan
could be secured for it. But it's not a showstopper, of course.

> As a practical question- would you really need a separate explicit
> pg_hba option for it? It'd be nice to be able to require it, if
> desired, but that strikes me as more sensible as an option to the 'gss'
> auth mechanism?

Yeah, if we can get rid of that, that'd be good. The stuff I'm working
on will allow us to have multiple parameters for each row in name/value
pairs, so if we could use that, it'd be better. (I've been considering
changing how host/hostssl work that way as well - by having a parameter
similar to what we have on the client side with sslmode=...)

A thought that I came across - is it even possible to use GSSAPI
encryption *without* using GSSAPI authentication? If not, it really
seems like it should belong more in the parameter part of the field.
Since in that case it is also not possible to enable encryption *before*
authentication, or is it?

//Magnus
