Re: [PATCH v4] GSSAPI encryption support

Hi Robbie,

On 2/10/16 4:06 PM, Robbie Harwood wrote:
> Hello friends,
>
> For your consideration, here is a new version of GSSAPI encryption
> support. For those who prefer, it's also available on my github:
> https://github.com/frozencemetery/postgres/commit/c92275b6605d7929cda5551de47a4c60aab7179e

It tried out this patch and ran into a few problems:

1) It didn't apply cleanly to HEAD. It did apply cleanly on a455878
which I figured was recent enough for testing. I didn't bisect to find
the exact commit that broke it.

2) While I was able to apply the patch and get it compiled it seemed
pretty flaky - I was only able to logon about 1 in 10 times on average.
Here was my testing methodology:

a) Build Postgres from a455878 (without your patch), install/configure
Kerberos and get everything working. I was able the set the auth method
to gss in pg_hba.conf and logon successfully every time.

b) On the same system rebuild Postgres from a455878 including your patch
and attempt authentication.

The problems arose after step 2b. Sometimes I would try to logon twenty
times without success and sometimes it only take five or six attempts.
I was never able to logon successfully twice in a row.

When not successful the client always output this incomplete message
(without terminating LF):

psql: expected authentication request from server, but received

From the logs I can see the server is reporting EOF from the client,
though the client does not core dump and prints the above message before
exiting.

I have attached files that contain server logs at DEBUG5 and tcpdump
output for both the success and failure cases.

Please let me know if there's any more information you would like me to
provide.

--
-David
david(at)pgmasters(dot)net