Re: [PATCH v20] GSSAPI encryption support - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: [PATCH v20] GSSAPI encryption support
Date
Msg-id CABUevEyuNNJv=19foa=ycTfTfBUYOEwM8_Uss5OVKrwBAy+Btw@mail.gmail.com
In response to Re: [PATCH v20] GSSAPI encryption support  (Joe Conway <mail@joeconway.com>)
Responses Re: [PATCH v20] GSSAPI encryption support
Re: [PATCH v20] GSSAPI encryption support
List pgsql-hackers


On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <mail@joeconway.com> wrote:
> On 4/2/19 6:18 PM, Stephen Frost wrote:
> > Greetings,
> >
> > On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> > <peter.eisentraut@2ndquadrant.com> wrote:
> >
> >     On 2019-02-23 17:27, Stephen Frost wrote:
> >     >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing.  It only
> >     >> applies to encrypted gss-using connections, not all of them.  Maybe
> >     >> "hostgssenc" or "hostgsswrap"?
> >     > Not quite sure what you mean here, but 'hostgss' seems to be quite well
> >     > in-line with what we do for SSL...  as in, we have 'hostssl', we don't
> >     > say 'hostsslenc'.  I feel like I'm just not understanding what you mean
> >     > by "not all of them".
> >
> >     Reading the latest patch, I think this is still a bit confusing.
> >     Consider an entry like
> >
> >         hostgss all             all             0.0.0.0/0               gss
> >
> >     The "hostgss" part means, the connection is GSS-*encrypted*.  The "gss"
> >     entry in the last column means use gss for *authentication*.  But didn't
> >     "hostgss" already imply that?  No.  I understand what's going on, but it
> >     seems quite confusing.  They both just say "gss"; you have to know a lot
> >     about the nuances of pg_hba.conf processing to get that.
> >
> >     If you have line like
> >
> >         hostgss all             all             0.0.0.0/0               md5
> >
> >     it is not obvious that this means, if GSS-encrypted, use md5.  It could
> >     just as well mean, if GSS-authenticated, use md5.
> >
> >     The analogy with SSL is such that we use "hostssl" for connections using
> >     SSL encryption and "cert" for the authentication method.  So there we
> >     use two different words for two different aspects of SSL.
> >
> >
> > I don’t view it as confusing, but I’ll change it to hostgssenc as was
> > suggested earlier to address that concern.  It’s a bit wordy but if it
> > helps reduce confusion then that’s a good thing.
>
> Personally I don't find it as confusing as is either, and I find hostgss
> to be a good analog of hostssl. On the other hand hostgssenc is long and
> unintuitive. So +1 for leaving as is and -1 for changing it IMHO.

I think for those who are well versed in pg_hba (and maybe gss as well), it's not confusing. That includes me.

However, for a new user, I can definitely see how it can be considered confusing. And confusion in *security configuration* is always a bad idea, even if it's just potential.

Thus +1 on changing it.

If it was on the table it might have been better to keep hostgss and change the authentication method to gssauth or something, but that ship sailed *years* ago.
 
--
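
The distinction debated in this thread, as an added example that is not part of the message or of the PostgreSQL source: a small Python reader that reports, for each pg_hba.conf record, what the first column says about transport and what the method column says about authentication, and lists records that allow `gss` authentication without requiring an encrypted transport. The function names and the sample are constructed for illustration, and the parser assumes records without quoted fields or trailing options that matter.

```python
import ipaddress

# Record type selects on transport; the method column selects authentication.
TRANSPORT = {
    "local": "Unix socket",
    "host": "TCP, encrypted or not",
    "hostssl": "TCP, SSL-encrypted only",
    "hostnossl": "TCP, without SSL only",
    "hostgss": "TCP, GSSAPI-encrypted only",     # spelling in patch v20
    "hostgssenc": "TCP, GSSAPI-encrypted only",  # rename proposed in the thread
}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_record(line):
    """Return (type, address, method), or None for a blank or comment line."""
    fields = line.split("#", 1)[0].split()  # assumption: no quoted fields
    if not fields:
        return None
    rtype, rest = fields[0], fields[3:]  # skip the database and user columns
    if rtype not in TRANSPORT:
        raise ValueError(f"unknown record type: {rtype}")
    address = rest.pop(0) if rtype != "local" and rest else None
    # "IP netmask" form: the mask is its own whitespace-separated field
    if address and rest and _is_ip(address) and _is_ip(rest[0]):
        address += " " + rest.pop(0)
    if not rest:
        raise ValueError(f"no authentication method in: {line!r}")
    return rtype, address, rest[0]

def explain(line):
    rtype, _, method = parse_record(line)
    return f"transport: {TRANSPORT[rtype]}; authentication: {method}"

def gss_auth_without_required_encryption(conf_text):
    """Line numbers of gss-authenticated records that also match plaintext."""
    recs = enumerate(map(parse_record, conf_text.splitlines()), 1)
    return [n for n, r in recs if r and r[2] == "gss" and r[0] in ("host", "hostnossl")]

# Constructed sample; the two hostgss lines are the ones quoted in the thread.
SAMPLE = """\
hostgss all all 0.0.0.0/0 gss
hostgss all all 0.0.0.0/0 md5
host    all all 10.0.0.0 255.0.0.0 gss
"""
```

Running `explain` on the second sample line gives the reading discussed above: the connection must be GSSAPI-encrypted, and the client then authenticates with md5.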
