Re: Plans for 8.4 - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Plans for 8.4
Date
Msg-id 200808120348.m7C3mwr16181@momjian.us
In response to Re: Plans for 8.4  ("Henry B. Hotz" <hbhotz@oxy.edu>)
List pgsql-hackers
Added to TODO:

* Add 'hostgss' pg_hba.conf option to allow GSS link-level encryption
 http://archives.postgresql.org/pgsql-hackers/2008-07/msg01454.php


---------------------------------------------------------------------------

Henry B. Hotz wrote:
> What's the time frame for 8.4?
> 
> I'm making no promises, but what would people think of a hostgss hba  
> option?
> 
> Using it would imply the gssapi/sspi authentication option.  It would  
> be mutually exclusive of the ssl link-encryption option.  It would  
> support strong encryption of the whole connection without the need to  
> get X509 certs deployed (which would be a big win if you're using  
> gssapi/sspi authentication anyway).
> 
> The thing that prevented me from including it in the gssapi patches I  
> did for 8.3 was that I couldn't disentangle the program logic to the  
> point of inserting the gssapi security layer code above the SSL code  
> and below everything else.  I'm thinking that doing both is pretty  
> much an edge case, so I propose to do gssapi security layers instead  
> of SSL.  The mods are a lot more obvious.
> 
> I'm *NOT* proposing to make build support of gssapi security layers  
> exclusive of SSL.  You might, for example, configure a server to  
> support username/password over SSL for intra-net addresses, but  
> support gssapi for Internet addresses.
> 
> ------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +

