From: Robbie Harwood <rharwood(at)redhat(dot)com>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH v2] GSSAPI encryption support
Michael Paquier <michael(dot)paquier(at)gmail(dot)com> writes:
> On Fri, Jul 3, 2015 at 3:22 AM, Robbie Harwood <rharwood(at)redhat(dot)com> wrote:
>> Hello -hackers,
>> As previously discussed on this list, I have coded up GSSAPI encryption
>> support. If it is easier for anyone, this code is also available for
>> viewing on my github:
>> Fallback support is present in both directions for talking to old client
>> and old servers; GSSAPI encryption is by default auto-upgraded to where
>> available (for compatibility), but both client and server contain
>> settings for requiring it.
>> There are 8 commits in this series; I have tried to err on the side of
>> creating too much separation rather than too little. A patch for each
>> is attached. This is v1 of the series.
> I just had a quick look at this patch, and here are some comments:
> + <para>
> + If the client has probed <acronym>GSSAPI</acronym> encryption support
> + the connection is <acronym>GSSAPI</acronym>-authenticated, then after
> + server sends AuthenticationOk, all traffic between the client and
> + will be <acronym>GSSAPI</acronym>-encrypted. Because
> + <acronym>GSSAPI</acronym> does not provide framing,
> + <acronym>GSSAPI</acronym>-encrypted messages are modeled after
> + messages: the first byte is the caracter g, then four bytes of length,
> + then an encrypted message.
> + </para>
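Review bot: Spelling error in this paragraph: "the caracter g" should read "the character g". As quoted, the opening sentence also reads incomplete ("If the client has probed GSSAPI encryption support the connection is GSSAPI-authenticated" and "all traffic between the client and will be"), so please check whether "and" and "server" were dropped. It would also help to state the byte order of the four-byte length field and whether that length covers the type byte and the length itself, since a reader implementing the framing cannot tell from this text.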
> Message formats should be described in protocol.sgml in the section for
> message formats.
> + network. In the <filename>pg_hba.conf</> file, the GSS authenticaion
> + method has a parameter to require encryption; otherwise, connections
> + will be encrypted if available and requiested by the client. On the
> + Whether to require GSSAPI encryption. Default is off, which causes
> + GSSAPI encryption to be enabled if available and requested for
> + compatability with old clients. It is recommended to set this
> + old clients are present.
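Review bot: Three spelling errors in this documentation text: "authenticaion" should be "authentication", "requiested" should be "requested", and "compatability" should be "compatibility". The sentence "It is recommended to set this" is cut off before "old clients are present" as quoted, so please confirm the recommendation reads as a complete sentence in the patch.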
As promised, here's a V2 to address your issues with comments. I
haven't heard back on the issues you found in testing, so no other
changes are present.
This means that only the last patch has changed. For convenience, I
will therefore only provide this new patch. I have also updated the
version available from my github.