Re: [PATCH v20] GSSAPI encryption support

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Joe Conway <mail(at)joeconway(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, Nico Williams <nico(at)cryptonector(dot)com>, Robbie Harwood <rharwood(at)redhat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH v20] GSSAPI encryption support
Date: 2019-04-03 06:49:25
Message-ID: CABUevEyuNNJv=19foa=ycTfTfBUYOEwM8_Uss5OVKrwBAy+Btw@mail.gmail.com
Lists: pgsql-hackers

On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <mail(at)joeconway(dot)com> wrote:

> On 4/2/19 6:18 PM, Stephen Frost wrote:
> > Greetings,
> >
> > On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> > <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> >
> > On 2019-02-23 17:27, Stephen Frost wrote:
> > >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only
> > >> applies to encrypted gss-using connections, not all of them. Maybe
> > >> "hostgssenc" or "hostgsswrap"?
> > > Not quite sure what you mean here, but 'hostgss' seems to be quite well
> > > in-line with what we do for SSL... as in, we have 'hostssl', we don't
> > > say 'hostsslenc'. I feel like I'm just not understanding what you mean
> > > by "not all of them".
> >
> > Reading the latest patch, I think this is still a bit confusing.
> > Consider an entry like
> >
> > hostgss all all 0.0.0.0/0 gss
> >
> > The "hostgss" part means, the connection is GSS-*encrypted*. The "gss"
> > entry in the last column means use gss for *authentication*. But didn't
> > "hostgss" already imply that? No. I understand what's going on, but it
> > seems quite confusing. They both just say "gss"; you have to know a lot
> > about the nuances of pg_hba.conf processing to get that.
> >
> > If you have line like
> >
> > hostgss all all 0.0.0.0/0 md5
> >
> > it is not obvious that this means, if GSS-encrypted, use md5. It could
> > just as well mean, if GSS-authenticated, use md5.
> >
> > The analogy with SSL is such that we use "hostssl" for connections using
> > SSL encryption and "cert" for the authentication method. So there we
> > use two different words for two different aspects of SSL.
> >
> >
> > I don’t view it as confusing, but I’ll change it to hostgssenc as was
> > suggested earlier to address that concern. It’s a bit wordy but if it
> > helps reduce confusion then that’s a good thing.
>
> Personally I don't find it as confusing as is either, and I find hostgss
> to be a good analog of hostssl. On the other hand hostgssenc is long and
> unintuitive. So +1 for leaving as is and -1 for changing it IMHO.
>
>

I think for those who are well versed in pg_hba (and maybe gss as well),
it's not confusing. That includes me.

However, for a new user, I can definitely see how it can be considered
confusing. And confusion in *security configuration* is always a bad idea,
even if it's just potential.

Thus +1 on changing it.

If it was on the table it might have been better to keep hostgss and change
the authentication method to gssauth or something, but that ship sailed
*years* ago.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
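
The two-axis reading of pg_hba.conf records discussed in this thread, as an added example that is not part of the message or of the patch: it reports, for each host record, what the first column requires of the transport and what the last column requires for authentication. Assumptions: `explain_record` and `audit` are hypothetical helper names, the tokenizer is simplified (no quoted fields, CIDR addresses only), and only the keywords named in the thread plus plain `host` are covered.

```python
# Added illustration of the pg_hba.conf semantics discussed in the thread.
# explain_record/audit are hypothetical helpers, not PostgreSQL code.
GSS_ENCRYPTED = {"hostgss", "hostgssenc"}  # patch keyword and the proposed rename
TRANSPORT = {
    "host": "any TCP connection, encrypted or not",
    "hostssl": "SSL-encrypted connections only",
    "hostgss": "GSSAPI-encrypted connections only",
    "hostgssenc": "GSSAPI-encrypted connections only",
}
AUTH = {"gss": "GSSAPI", "cert": "SSL client certificate", "md5": "MD5 password"}


def explain_record(line):
    """Split one host record into (type, transport, auth, note); None if empty."""
    fields = line.split("#", 1)[0].split()  # simplified: no quoted fields
    if not fields:
        return None
    if len(fields) < 5:
        raise ValueError(f"expected TYPE DATABASE USER ADDRESS METHOD: {line!r}")
    conn_type, method = fields[0], fields[4]
    if conn_type not in TRANSPORT:
        raise ValueError(f"connection type not covered here: {conn_type!r}")
    if method not in AUTH:
        raise ValueError(f"auth method not covered here: {method!r}")
    note = ""
    if conn_type in GSS_ENCRYPTED and method != "gss":
        note = f"GSSAPI encrypts the connection; the user is authenticated by {method}"
    elif method == "gss" and conn_type not in GSS_ENCRYPTED:
        note = "GSSAPI authenticates the user; GSSAPI encryption is not required"
    return conn_type, TRANSPORT[conn_type], AUTH[method], note


def audit(text):
    """Explain every record in a pg_hba.conf-style text, skipping blanks/comments."""
    return [r for r in map(explain_record, text.splitlines()) if r is not None]


# Constructed sample: the first two records are the ones quoted in the thread.
SAMPLE = """\
# TYPE   DATABASE USER ADDRESS    METHOD
hostgss  all      all  0.0.0.0/0  gss
hostgss  all      all  0.0.0.0/0  md5
hostssl  all      all  0.0.0.0/0  cert
host     all      all  0.0.0.0/0  gss
"""

if __name__ == "__main__":
    for conn_type, transport, auth, note in audit(SAMPLE):
        print(f"{conn_type:<8} transport: {transport}; auth: {auth}; {note or 'no note'}")
```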
