| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, Nico Williams <nico(at)cryptonector(dot)com>, Robbie Harwood <rharwood(at)redhat(dot)com>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [PATCH v20] GSSAPI encryption support |
| Date: | 2019-04-02 22:22:11 |
| Message-ID: | 500b1be7-d0aa-96a2-9982-d748609faff5@joeconway.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 4/2/19 6:18 PM, Stephen Frost wrote:
> Greetings,
>
> On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> <peter(dot)eisentraut(at)2ndquadrant(dot)com
> <mailto:peter(dot)eisentraut(at)2ndquadrant(dot)com>> wrote:
>
> On 2019-02-23 17:27, Stephen Frost wrote:
> >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing.
> It only
> >> applies to encrypted gss-using connections, not all of them. Maybe
> >> "hostgssenc" or "hostgsswrap"?
> > Not quite sure what you mean here, but 'hostgss' seems to be quite
> well
> > in-line with what we do for SSL... as in, we have 'hostssl', we don't
> > say 'hostsslenc'. I feel like I'm just not understanding what you
> mean
> > by "not all of them".
>
> Reading the latest patch, I think this is still a bit confusing.
> Consider an entry like
>
> hostgss all all 0.0.0.0/0
> <http://0.0.0.0/0> gss
>
> The "hostgss" part means, the connection is GSS-*encrypted*. The "gss"
> entry in the last column means use gss for *authentication*. But didn't
> "hostgss" already imply that? No. I understand what's going on, but it
> seems quite confusing. They both just say "gss"; you have to know a lot
> about the nuances of pg_hba.conf processing to get that.
>
> If you have line like
>
> hostgss all all 0.0.0.0/0
> <http://0.0.0.0/0> md5
>
> it is not obvious that this means, if GSS-encrypted, use md5. It could
> just as well mean, if GSS-authenticated, use md5.
>
> The analogy with SSL is such that we use "hostssl" for connections using
> SSL encryption and "cert" for the authentication method. So there we
> use two different words for two different aspects of SSL.
>
>
> I don’t view it as confusing, but I’ll change it to hostgssenc as was
> suggested earlier to address that concern. It’s a bit wordy but if it
> helps reduce confusion then that’s a good thing.
Personally I don't find it as confusing as is either, and I find hostgss
to be a good analog of hostssl. On the other hand hostgssenc is long and
unintuitive. So +1 for leaving as is and -1 one for changing it IMHO.
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Langote | 2019-04-03 01:01:19 | Re: Ordered Partitioned Table Scans |
| Previous Message | Stephen Frost | 2019-04-02 22:18:33 | Re: [PATCH v20] GSSAPI encryption support |