Re: [PATCH v5] GSSAPI encryption support

David Steele <david(at)pgmasters(dot)net> writes:

> On 2/15/16 12:45 PM, Robbie Harwood wrote:
>> David Steele <david(at)pgmasters(dot)net> writes:
>>
>>> 1) It didn't apply cleanly to HEAD. It did apply cleanly on a455878
>>> which I figured was recent enough for testing. I didn't bisect to find
>>> the exact commit that broke it.
>>
>> It applied to head of master (57c932475504d63d8f8a68fc6925d7decabc378a)
>> for me (`patch -p1 < v4-GSSAPI-encryption-support.patch`). I rebased it
>> anyway and cut a v5 anyway, just to be sure. It's attached, and
>> available on github as well:
>> https://github.com/frozencemetery/postgres/commit/dc10e3519f0f6c67f79abd157dc8ff1a1c293f53
>
> It could have been my mistake. I'll give it another try when you have a
> new patch.

Please do let me know how v5 goes. If you run into trouble, in addition
to the logs you helpfully provided before, I'd like a traffic dump (pcap
preferable; I need tcp/udp port 88 for Kerberos and tcp port 5432 or
whatever you're running postgres on) if possible. Thanks!

>>> 2) While I was able to apply the patch and get it compiled it seemed
>>> pretty flaky - I was only able to logon about 1 in 10 times on average.
>>> Here was my testing methodology:
>>
>> What I can't tell from looking at your methodology is whether both the
>> client and server were running my patches or no. There's no fallback
>> here (I'd like to talk about how that should work, with example from
>> v1-v3, if people have ideas). This means that both the client and the
>> server need to be running my patches for the moment. Is this your
>> setup?
>
> I was testing on a system with no version of PostgreSQL installed. I
> applied your patch to master and then ran both server and client from
> that patched version. Is there something I'm missing?

Not that I can immediately see. As long as the client and server are
both patched, everything should work. My process is the same as with
previous versions of this patchset [0], and though I'm using FreeIPA
there is no reason it shouldn't work with any other KDC (MIT, for
instance[1]) provided the IPA calls are converted.

I am curious, though - I haven't changed any of the authentication code
in v4/v5 from what's in ~master, so how often can you log in using
GSSAPI using master?

[0]: https://mivehind.net/2015/06/11/kerberized-postgresql/
[1]: http://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html