On 2019-02-23 17:27, Stephen Frost wrote:
>> About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only
>> applies to encrypted gss-using connections, not all of them. Maybe
>> "hostgssenc" or "hostgsswrap"?
> Not quite sure what you mean here, but 'hostgss' seems to be quite well
> in-line with what we do for SSL... as in, we have 'hostssl', we don't
> say 'hostsslenc'. I feel like I'm just not understanding what you mean
> by "not all of them".
Reading the latest patch, I think this is still a bit confusing. Consider an entry like
The "hostgss" part means, the connection is GSS-*encrypted*. The "gss" entry in the last column means use gss for *authentication*. But didn't "hostgss" already imply that? No. I understand what's going on, but it seems quite confusing. They both just say "gss"; you have to know a lot about the nuances of pg_hba.conf processing to get that.
it is not obvious that this means, if GSS-encrypted, use md5. It could just as well mean, if GSS-authenticated, use md5.
The analogy with SSL is such that we use "hostssl" for connections using SSL encryption and "cert" for the authentication method. So there we use two different words for two different aspects of SSL.
I don’t view it as confusing, but I’ll change it to hostgssenc as was suggested earlier to address that concern. It’s a bit wordy but if it helps reduce confusion then that’s a good thing.
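The distinction the reply above draws, transport keyword in the first column versus authentication method in the last, shown as a constructed pg_hba.conf fragment (an added example, not from the thread or the patch). It assumes the hostgssenc/hostnogssenc keywords as they exist in released PostgreSQL and a made-up 10.0.0.0/8 address range.

```conf
# Constructed pg_hba.conf fragment (added example, not from the thread).
# Column 1 says how the connection is transported; the last column says
# how the client is authenticated. The two are independent, and pg_hba.conf
# uses the first matching line, so order matters.
#
# TYPE         DATABASE  USER  ADDRESS       METHOD

# GSSAPI-encrypted transport AND GSSAPI (Kerberos) authentication
hostgssenc     all       all   10.0.0.0/8    gss

# GSSAPI-encrypted transport, but password (md5) authentication
hostgssenc     all       all   10.0.0.0/8    md5

# Any TCP connection, encrypted or not, with GSSAPI authentication
host           all       all   10.0.0.0/8    gss

# Connections that did not negotiate GSSAPI encryption are refused
hostnogssenc   all       all   10.0.0.0/8    reject
```

Because matching is first-match, the second hostgssenc line is only reached by a GSS-encrypted client that cannot satisfy the gss method on the first line.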