Re: [PATCH v14] GSSAPI encryption support

From: Robbie Harwood <rharwood(at)redhat(dot)com>
To: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Cc: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: [PATCH v14] GSSAPI encryption support
Date: 2018-05-23 20:00:16
Message-ID: jlg1se287n3.fsf@redhat.com
Lists: pgsql-hackers

Hello -hackers,

Zombie patch is back from the dead. It's been a bit more than two years
since v12 (the last major revision) and almost three since it was
originally submitted. (I do have enough pride to point out that it did
not actually /take/ anywhere close to two years to update it.)

CC'd are reviewers from before; I appreciate their input from before,
but there is of course no obligation for them to page all this back in,
especially if they don't want to. A large chunk of this code is
unchanged from previous iterations of the patch, but this is a major
re-architect. Various things have also been previously fixed as part of
the GSSAPI testing efforts, for which I am grateful.

So: this is GSSAPI encryption support for libpq. Based on feedback on
previous versions, GSSAPI encryption has a separate negotiation step -
similar to SSL negotiation. I've tried to incorporate all other
feedback I've received thus far, but very likely missed things (and
introduced new problems).

To actually see encryption, you'll first need to configure the server as
for GSSAPI authentication. You'll also need to ensure the HBA
configuration has a rule that will permit it. However, there should
hopefully be enough information to set this up in the corresponding docs
changes (and if there isn't, I should fix it). The Kerberos/GSSAPI
implementation shouldn't matter, but I am testing using MIT krb5
(through FreeIPA); I wrote a post a while back for my setup here:
https://mivehind.net/2015/06/11/kerberized-postgresql/

Finally, I've submitted this as a single patch because it was requested
previously. I'm happy to break it apart into many commits instead, if
that's helpful.

Thanks,
--Robbie

Attachment Content-Type Size
v14-libpq-GSSAPI-encryption-support.patch text/x-diff 74.5 KB
