Re: [PATCH v20] GSSAPI encryption support

From: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robbie Harwood <rharwood(at)redhat(dot)com>, pgsql-hackers(at)postgresql(dot)org, Nico Williams <nico(at)cryptonector(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>
Subject: Re: [PATCH v20] GSSAPI encryption support
Date: 2019-04-02 22:10:28
Message-ID: 1f799b02-d766-0328-45d6-73e5674d0bc2@2ndquadrant.com
Lists: pgsql-hackers

On 2019-02-23 17:27, Stephen Frost wrote:
>> About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only
>> applies to encrypted gss-using connections, not all of them. Maybe
>> "hostgssenc" or "hostgsswrap"?
> Not quite sure what you mean here, but 'hostgss' seems to be quite well
> in-line with what we do for SSL... as in, we have 'hostssl', we don't
> say 'hostsslenc'. I feel like I'm just not understanding what you mean
> by "not all of them".

Reading the latest patch, I think this is still a bit confusing.
Consider an entry like

hostgss all all 0.0.0.0/0 gss

The "hostgss" part means, the connection is GSS-*encrypted*. The "gss"
entry in the last column means use gss for *authentication*. But didn't
"hostgss" already imply that? No. I understand what's going on, but it
seems quite confusing. They both just say "gss"; you have to know a lot
about the nuances of pg_hba.conf processing to get that.

If you have a line like

hostgss all all 0.0.0.0/0 md5

it is not obvious that this means, if GSS-encrypted, use md5. It could
just as well mean, if GSS-authenticated, use md5.

The analogy with SSL is such that we use "hostssl" for connections using
SSL encryption and "cert" for the authentication method. So there we
use two different words for two different aspects of SSL.

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
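An added example, not code from the patch or from PostgreSQL itself, that models the two independent aspects the message contrasts: the first pg_hba.conf column selects the transport (plain, SSL, or GSS-encrypted, using the patch's "hostgss" keyword), while the last column selects the authentication method, and the first matching line wins. The transport labels "plain"/"ssl"/"gss", the sample networks and the database/user names are assumptions made for the example.

```python
import ipaddress

# Constructed pg_hba.conf fragment. The TYPE column constrains the transport;
# the METHOD column is the authentication method, decided separately.
HBA_SAMPLE = """\
# TYPE     DATABASE  USER  ADDRESS      METHOD
hostgss    all       all   0.0.0.0/0    gss
hostssl    all       all   0.0.0.0/0    cert
host       all       all   10.0.0.0/8   md5
"""

# The confusing case from the discussion: GSS-encrypted transport, but
# password (md5) authentication rather than GSS authentication.
HBA_GSS_ENC_MD5 = "hostgss all all 0.0.0.0/0 md5\n"

# Which transports each TYPE keyword accepts. "host" matches any TCP
# connection; "hostssl"/"hostgss" require that specific encryption.
TYPE_ACCEPTS = {
    "host": {"plain", "ssl", "gss"},
    "hostssl": {"ssl"},
    "hostgss": {"gss"},
}


def parse_hba(text):
    """Parse the five leading fields of each non-comment pg_hba.conf line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ctype, db, user, addr, method = line.split()[:5]
        rules.append({"type": ctype, "db": db, "user": user,
                      "net": ipaddress.ip_network(addr), "method": method})
    return rules


def match_auth(rules, transport, client_ip, db="postgres", user="alice"):
    """Return the METHOD of the first matching rule, or None if no rule
    matches (pg_hba.conf is first-match; an unmatched connection is rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if transport not in TYPE_ACCEPTS.get(r["type"], set()):
            continue
        if ip.version != r["net"].version or ip not in r["net"]:
            continue
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        return r["method"]
    return None
```

With HBA_SAMPLE, a GSS-encrypted connection resolves to "gss" and an SSL connection to "cert", while HBA_GSS_ENC_MD5 resolves a GSS-encrypted connection to "md5": encryption and authentication are chosen by different columns.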
