Greetings,
* Robbie Harwood (rharwood@redhat.com) wrote:
> Alvaro Herrera <alvherre@2ndquadrant.com> writes:
>
> > How about this?
> >
> > * If GSSAPI is enabled and we can reach a credential cache,
> > * set up a handle for it; if it's operating, just send a
> > * GSS startup message, instead of the SSL negotiation and
> > * regular startup message below.
>
> Due to the way postgres handled this historically, there are two ways
> GSSAPI can be used: for connection encryption, and for authentication
> only. We perform the same dance of sending a "request packet" for
> GSSAPI encryption as we do for TLS encryption. So I'd like us to be
> precise about which one we're talking about here (encryption).
Alright, that's fair.
> The GSSAPI idiom I should have used is "can acquire credentials" (i.e.,
> instead of "can reach a credential cache" in your proposal).
Ok.
> There's no such thing as a "GSS startup message". After negotiating
> GSSAPI/TLS encryption (or failing to do so), we send the same things in
> all cases, which includes negotiation of authentication mechanism if
> any. (Negotiating GSSAPI for authentication after negotiating GSSAPI
> for encryption will short-circuit rather than establishing a second
> context, if I remember right.)
Yes, you can see that around src/backend/libpq/auth.c:538 where we skip
straight to pg_GSS_checkauth() if we already have encryption up and
running, and if we don't then we go through pg_GSS_recvauth() (which
will eventually call pg_GSS_checkauth() too).
> I wonder if part of the confusion might be due to the synonyms we're
> using here for "in use". Things seem to be "got running", "set up",
> "operating", "negotiated", ... - maybe that's part of the barrier to
> understanding?
How about something like this?
* If GSSAPI Encryption is enabled, then call pg_GSS_have_cred_cache()
* which will return true if we can acquire credentials (and give us a
* handle to use in conn->gcred), and then send a packet to the server
* asking for GSSAPI Encryption (and skip past SSL negotiation and
* regular startup below).
Thanks,
Stephen
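As an added illustration of the flow described in this thread (example code written for this page, not libpq's or the patch's own code), the small C program below models the client-side decision the proposed comment describes and the "request packet" both negotiations send. The function and type names (`choose_negotiation`, `build_request`, `parse_request_code`, `server_gss_auth_step`) are hypothetical; the `ssl_enabled` input is an assumption added so the fall-through to SSL negotiation is visible. The two request codes are the PostgreSQL protocol constants for SSLRequest (80877103, i.e. 1234,5679) and GSSENCRequest (80877104, i.e. 1234,5680); the 8-byte length-plus-code layout is shared by both, which is the "same dance" Robbie refers to.

```c
/* Added example, not libpq code. Models the client-side choice between
 * GSSAPI encryption, SSL negotiation and plain startup, the shared 8-byte
 * request packet, and the server-side short-circuit in the auth phase.
 * All function/type names are hypothetical; the request codes are the
 * PostgreSQL protocol constants. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_SSLREQUEST_CODE    80877103u   /* 1234,5679 */
#define PG_GSSENCREQUEST_CODE 80877104u   /* 1234,5680 */

typedef enum { NEG_GSSENC, NEG_SSL, NEG_PLAIN } neg_choice;

/* GSS encryption is attempted only when it is enabled AND credentials can
 * be acquired (the pg_GSS_have_cred_cache() check in the comment); otherwise
 * fall through to SSL negotiation (assumed input) and regular startup. */
neg_choice choose_negotiation(bool gssenc_enabled, bool can_acquire_creds,
                              bool ssl_enabled)
{
    if (gssenc_enabled && can_acquire_creds)
        return NEG_GSSENC;
    if (ssl_enabled)
        return NEG_SSL;
    return NEG_PLAIN;
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Both request packets have the same shape: int32 length (always 8) then
 * an int32 code, network byte order. Returns bytes written (0 = no request
 * packet, i.e. go straight to the regular startup message). */
size_t build_request(neg_choice c, uint8_t out[8])
{
    uint32_t code;
    switch (c) {
    case NEG_GSSENC: code = PG_GSSENCREQUEST_CODE; break;
    case NEG_SSL:    code = PG_SSLREQUEST_CODE;    break;
    default:         return 0;
    }
    put_be32(out, 8);
    put_be32(out + 4, code);
    return 8;
}

/* What a server would see: returns the request code, or 0 if the buffer is
 * not a well-formed 8-byte request (wrong size or wrong length field). */
uint32_t parse_request_code(const uint8_t *buf, size_t len)
{
    if (len != 8 || get_be32(buf) != 8)
        return 0;
    return get_be32(buf + 4);
}

/* Server-side point from the thread: with GSS encryption already up, the
 * auth phase skips straight to pg_GSS_checkauth() instead of going through
 * pg_GSS_recvauth() and establishing a second context. */
const char *server_gss_auth_step(bool gssenc_up)
{
    return gssenc_up ? "pg_GSS_checkauth" : "pg_GSS_recvauth";
}

int main(void)
{
    uint8_t pkt[8];
    neg_choice c = choose_negotiation(true, true, true);
    size_t n = build_request(c, pkt);
    printf("client sends %zu bytes, code %u; server auth step: %s\n",
           n, parse_request_code(pkt, n), server_gss_auth_step(true));
    c = choose_negotiation(true, false, true);   /* no creds: SSL path */
    n = build_request(c, pkt);
    printf("fallback sends %zu bytes, code %u; server auth step: %s\n",
           n, parse_request_code(pkt, n), server_gss_auth_step(false));
    return 0;
}
```

The only difference on the wire between the two negotiations is the code in the second word, which is why the comment needs to say explicitly that it is the encryption request being sent and not some distinct "GSS startup message".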