Re: [PATCH v20] GSSAPI encryption support

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Joe Conway <mail(at)joeconway(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, Nico Williams <nico(at)cryptonector(dot)com>, Robbie Harwood <rharwood(at)redhat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH v20] GSSAPI encryption support
Date: 2019-04-03 14:43:33
Message-ID: 20190403144332.GD6197@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <mail(at)joeconway(dot)com> wrote:
> > On 4/2/19 6:18 PM, Stephen Frost wrote:
> > > On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> > >
> > > On 2019-02-23 17:27, Stephen Frost wrote:
> > > >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only
> > > >> applies to encrypted gss-using connections, not all of them. Maybe
> > > >> "hostgssenc" or "hostgsswrap"?
> > > > Not quite sure what you mean here, but 'hostgss' seems to be quite well
> > > > in-line with what we do for SSL... as in, we have 'hostssl', we don't
> > > > say 'hostsslenc'. I feel like I'm just not understanding what you mean
> > > > by "not all of them".
> > >
> > > Reading the latest patch, I think this is still a bit confusing.
> > > Consider an entry like
> > >
> > > hostgss all all 0.0.0.0/0 gss
> > >
> > > The "hostgss" part means, the connection is GSS-*encrypted*. The "gss"
> > > entry in the last column means use gss for *authentication*. But didn't
> > > "hostgss" already imply that? No. I understand what's going on, but it
> > > seems quite confusing. They both just say "gss"; you have to know a lot
> > > about the nuances of pg_hba.conf processing to get that.
> > >
> > > If you have a line like
> > >
> > > hostgss all all 0.0.0.0/0 md5
> > >
> > > it is not obvious that this means, if GSS-encrypted, use md5. It could
> > > just as well mean, if GSS-authenticated, use md5.
> > >
> > > The analogy with SSL is such that we use "hostssl" for connections using
> > > SSL encryption and "cert" for the authentication method. So there we
> > > use two different words for two different aspects of SSL.
> > >
> > >
> > > I don’t view it as confusing, but I’ll change it to hostgssenc as was
> > > suggested earlier to address that concern. It’s a bit wordy but if it
> > > helps reduce confusion then that’s a good thing.
> >
> > Personally I don't find it as confusing as is either, and I find hostgss
> > to be a good analog of hostssl. On the other hand hostgssenc is long and
> > unintuitive. So +1 for leaving as is and -1 for changing it IMHO.
>
> I think for those who are well versed in pg_hba (and maybe gss as well),
> it's not confusing. That includes me.
>
> However, for a new user, I can definitely see how it can be considered
> confusing. And confusion in *security configuration* is always a bad idea,
> even if it's just potential.
>
> Thus +1 on changing it.

Alright, I've made that change, and also changed "gssmode" to be
"gssencmode" to be both consistent and also clearer (that, imv anyway,
is actually a much better reason to go to using 'gssenc' instead of just
'gss' for this, since "gssmode" could be thought of as being related to
GSS authentication rather than being for GSS encryption).

> If it was on the table it might have been better to keep hostgss and change
> the authentication method to gssauth or something, but that ship sailed
> *years* ago.

Agreed, we certainly can't change that now.

Updated patch attached with the host[no]gss -> host[no]gssenc and
gssmode -> gssencmode changes, along with some other minor improvements.
I'll push this in a few hours unless there's anything else.

Thanks!

Stephen

Attachment Content-Type Size
v23-libpq-GSSAPI-encryption-support.patch text/x-diff 117.1 KB
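
The distinction debated in this thread, as an added example that is not part of the original message or the attached patch: the record type in the first column of pg_hba.conf selects on how the client connected, while the method column selects how the user authenticates. The sample records are constructed, the function names are hypothetical, and the parser assumes CIDR addresses and no quoted fields.

```python
# Added example (not from the patch): the two independent axes of a pg_hba.conf record.
# Record types as renamed in this thread, plus the long-standing ones.
RECORD_TYPES = {
    "local":        "Unix-domain socket",
    "host":         "TCP, any encryption or none",
    "hostssl":      "TCP, SSL-encrypted only",
    "hostnossl":    "TCP, not SSL-encrypted",
    "hostgssenc":   "TCP, GSSAPI-encrypted only",
    "hostnogssenc": "TCP, not GSSAPI-encrypted",
}

# Constructed sample records (database names are made up).
SAMPLE = """\
hostgssenc   sales   all 0.0.0.0/0 gss     # GSS encryption + GSS authentication
hostgssenc   hr      all 0.0.0.0/0 md5     # GSS encryption + md5 authentication
host         reports all 0.0.0.0/0 gss     # GSS authentication, encryption optional
hostnogssenc all     all 0.0.0.0/0 reject
local        all     all           peer
"""

def parse_record(line):
    """Return a dict for one record, or None for blank and comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    rtype = fields[0]
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unknown record type: {rtype!r}")
    need = 4 if rtype == "local" else 5   # 'local' records have no address column
    if len(fields) < need:
        raise ValueError(f"too few fields: {line!r}")
    return {
        "type": rtype,
        "transport": RECORD_TYPES[rtype],       # first column: how the client connected
        "gss_encrypted": rtype == "hostgssenc",
        "auth": fields[need - 1],               # method column: how the user proves identity
    }

def parse_hba(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def gss_auth_without_gss_encryption(records):
    """Records that authenticate with GSSAPI but do not require GSSAPI encryption."""
    return [r for r in records if r["auth"] == "gss" and not r["gss_encrypted"]]

if __name__ == "__main__":
    for r in parse_hba(SAMPLE):
        print(f'{r["type"]:<13}{r["transport"]:<30}auth={r["auth"]}')
    print("gss auth, gssenc not required:",
          [r["type"] for r in gss_auth_without_gss_encryption(parse_hba(SAMPLE))])
```

Only the `host ... gss` record is reported: it authenticates with GSSAPI, but nothing in its record type requires the connection to be GSSAPI-encrypted.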
