Re: [PATCH v20] GSSAPI encryption support

Magnus Hagander <magnus@hagander.net>

From: Magnus Hagander <magnus@hagander.net>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Stephen Frost <sfrost@snowman.net>, Robbie Harwood <rharwood@redhat.com>, Bruce Momjian <bruce@momjian.us>, Magnus Hagander <magnus@hagander.net>, Joe Conway <mail@joeconway.com>, Peter Eisentraut <peter.eisentraut@2ndquadrant.com>, Alvaro Herrera <alvherre@2ndquadrant.com>, David Steele <david@pgmasters.net>, Michael Paquier <michael@paquier.xyz>, Nico Williams <nico@cryptonector.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2019-04-11T13:58:54Z
Lists: pgsql-hackers
On Thu, Apr 11, 2019 at 3:56 PM Robert Haas <robertmhaas@gmail.com> wrote:

> On Wed, Apr 10, 2019 at 9:47 PM Stephen Frost <sfrost@snowman.net> wrote:
> > Right, if we changed the name of the auth method then everyone who is
> > using the "gss" auth method would have to update their pg_hba.conf
> > files...  That would be very ugly.  Also, it wasn't implicitly rejected,
> > it was discussed up-thread (see the comments between Magnus and I,
> > specifically, quoted above- "that ship sailed *years* ago") and
> > explicitly rejected.
>
> Slightly off-topic, but I am not familiar with GSSAPI and don't quite
> understand what the benefits of GSSAPI encryption are as compared with
> OpenSSL encryption.  I am sure there must be some; otherwise, nobody
> would have bothered writing, reviewing, and committing this patch.
> Can somebody enlighten me?
>

You don't need to set up an SSL PKI.

Yes you need the similar keys and stuff set up for GSSAPI, but if you
already *have* those (which you do if you are using gss authentication for
example) then it's a lot less extra overhead.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

Commits

  1. GSSAPI encryption support

  2. Fix typo