Re: Future of krb5 authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Heikki Linnakangas <heikki(at)enterprisedb(dot)com>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Future of krb5 authentication
Date: 2007-07-18 16:38:59
Message-ID: 20070718163859.GR4887@tamriel.snowman.net
Lists: pgsql-hackers

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Wed, Jul 18, 2007 at 10:46:58AM -0400, Tom Lane wrote:
> >> This needs to be fixed.
>
> > No, GSSAPI and krb5 are *not* mutually exclusive.
>
> > SSPI and GSSAPI are mutually exclusive.
>
> Color me confused then. What's the difference?

GSSAPI is the MIT libraries, SSPI is the Windows library, but there's no
way to indicate to libpq which to use and they share some of the same
code paths with minor adjustments for each done at compile-time (aiui
anyway, Magnus can provide a clearer answer on this).

The feeling was that because there's no way to indicate to libpq which
to use except through the connectionstring and that most people would
want SSPI instead and that krb5 support is going to be removed that we
could just support either SSPI or GSSAPI (not both).

My feeling is that if we're going to continue to support krb5 *anyway*
(which I don't disagree with, honestly) then the GSSAPI stuff is going
to be required for the build *regardless* and therefore it makes sense
to support both in libpq rather than making them mutually exclusive.
Supporting it using a connectionstring option would be sufficient, imv,
though downstream utilities that don't let you modify the
connectionstring directly would have to add support for it (I'm of the
opinion that such things should be changed to allow a connectionstring
option, or at least an append to it, but perhaps there's some reason
that's a problem for some).

GSSAPI and SSPI are not, themselves, mutually exclusive. They're just
being made that way by the libpq code that's been proposed. Mozilla
handles doing both just fine and you flip between them using an option
in their 'about:config' screen.

Thanks,

Stephen
