Re: [PATCH v20] GSSAPI encryption support

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Stephen Frost <sfrost@snowman.net>
Cc: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Alvaro Herrera <alvherre@2ndquadrant.com>, David Steele <david@pgmasters.net>, Joe Conway <mail@joeconway.com>, Magnus Hagander <magnus@hagander.net>, Michael Paquier <michael@paquier.xyz>, Nico Williams <nico@cryptonector.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Robbie Harwood <rharwood@redhat.com>
Date: 2019-04-04T16:16:24Z
Lists: pgsql-hackers
I wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> So I'm a bit surprised that it's taking 4 minutes for you.  I wonder if
>> there might be an issue related to the KDC wanting to get some amount of
>> random data and the system you're on isn't producing random bytes very
>> fast..?

> Not sure.  This is my usual development box and it also does mail, DNS,
> etc for my household, so I'd expect it to have plenty of entropy.
> But it's running a pretty old kernel, and old Kerberos too, so maybe
> the explanation is in there somewhere.

Same test on a laptop running Fedora 28 takes a shade under 5 seconds.
The laptop has a somewhat better geekbench rating than my workstation,
but certainly not 50x better.  And I really doubt it's got more entropy
sources than the workstation.  Gotta be something about the kernel.

Watching the test logs, I see that essentially all the time on the RHEL6
machine is consumed by the two

# Running: /usr/sbin/kdb5_util create -s -P secret0

steps.  Is there a case for merging the two scripts so we only have to
do that once?  Maybe not, if nobody else sees this.

			regards, tom lane



Commits

  1. GSSAPI encryption support

  2. Fix typo