Re: [PATCH v3] GSSAPI encryption support
Craig Ringer <craig@2ndquadrant.com>
From: Craig Ringer <craig@2ndquadrant.com>
To: Robbie Harwood <rharwood@redhat.com>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>,
Andres Freund <andres@anarazel.de>,
Michael Paquier <michael.paquier@gmail.com>
Date: 2015-10-15T12:23:56Z
Lists: pgsql-hackers
On 14 October 2015 at 06:34, Robbie Harwood <rharwood@redhat.com> wrote: > Alright, here's v3. As requested, it's one patch now. I hate to ask, but have you looked at how this interacts with Windows? We support Windows SSPI (on a domain-member host) authenticating to a PostgreSQL server using gssapi with spnego. We also support a PostgreSQL client on *nix authenticating using gssapi with spnego to a PostgreSQL server that's requesting sspi mode. The relevant code is all a bit tangled, since there's support in there for using Kerberos libraries on Windows instead of SSPI too. I doubt anybody uses that last one, tests it, or cares about it, though, given the painful hoop-jumping, registry key permission changes, etc required to make it work. For bonus fun, RC4, DES, AES128 or AES256 are available/used for Kerberos encryption on Windows. See http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx . Though given that Win7 defaults to AES256 it's probably reasonable to simply not care about anything else. -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
Commits
-
GSSAPI encryption support
- b0b39f72b990 12.0 landed
-
Fix typo
- 57c932475504 9.6.0 cited