Re: [PATCH v20] GSSAPI encryption support - Mailing list pgsql-hackers
From | Magnus Hagander |
---|---|
Subject | Re: [PATCH v20] GSSAPI encryption support |
Date | |
Msg-id | CABUevEyuNNJv=19foa=ycTfTfBUYOEwM8_Uss5OVKrwBAy+Btw@mail.gmail.com |
In response to | Re: [PATCH v20] GSSAPI encryption support (Joe Conway <mail@joeconway.com>) |
Responses |
Re: [PATCH v20] GSSAPI encryption support
Re: [PATCH v20] GSSAPI encryption support |
List | pgsql-hackers |
On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <mail@joeconway.com> wrote:
On 4/2/19 6:18 PM, Stephen Frost wrote:
> Greetings,
>
> On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> <peter.eisentraut@2ndquadrant.com> wrote:
>
> On 2019-02-23 17:27, Stephen Frost wrote:
> >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only
> >> applies to encrypted gss-using connections, not all of them. Maybe
> >> "hostgssenc" or "hostgsswrap"?
> > Not quite sure what you mean here, but 'hostgss' seems to be quite well
> > in-line with what we do for SSL... as in, we have 'hostssl', we don't
> > say 'hostsslenc'. I feel like I'm just not understanding what you mean
> > by "not all of them".
>
> Reading the latest patch, I think this is still a bit confusing.
> Consider an entry like
>
> hostgss all all 0.0.0.0/0 gss
>
> The "hostgss" part means, the connection is GSS-*encrypted*. The "gss"
> entry in the last column means use gss for *authentication*. But didn't
> "hostgss" already imply that? No. I understand what's going on, but it
> seems quite confusing. They both just say "gss"; you have to know a lot
> about the nuances of pg_hba.conf processing to get that.
>
> If you have a line like
>
> hostgss all all 0.0.0.0/0 md5
>
> it is not obvious that this means, if GSS-encrypted, use md5. It could
> just as well mean, if GSS-authenticated, use md5.
>
> The analogy with SSL is such that we use "hostssl" for connections using
> SSL encryption and "cert" for the authentication method. So there we
> use two different words for two different aspects of SSL.
>
>
> I don’t view it as confusing, but I’ll change it to hostgssenc as was
> suggested earlier to address that concern. It’s a bit wordy but if it
> helps reduce confusion then that’s a good thing.

Personally I don't find it as confusing as is either, and I find hostgss
to be a good analog of hostssl. On the other hand hostgssenc is long and
unintuitive. So +1 for leaving as is and -1 for changing it IMHO.

I think for those who are well versed in pg_hba (and maybe gss as well), it's not confusing. That includes me.
However, for a new user, I can definitely see how it can be considered confusing. And confusion in *security configuration* is always a bad idea, even if it's just potential.
Thus +1 on changing it.
If it was on the table it might have been better to keep hostgss and change the authentication method to gssauth or something, but that ship sailed *years* ago.