Re: Future of krb5 authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Heikki Linnakangas <heikki(at)enterprisedb(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Future of krb5 authentication
Date: 2007-07-18 21:44:48
Message-ID: 20070718214448.GB4887@tamriel.snowman.net
Lists: pgsql-hackers

* Heikki Linnakangas (heikki(at)enterprisedb(dot)com) wrote:
> Uh, this is really confusing. Let's see if I got this right. So we're
> talking about two orthogonal changes here:

It is kinda confusing. :)

> 1. Wire protocol. In 8.2 and below, we used the krb5 protocol. 8.3
> server and libpq will use the GSSAPI wire protocol by default, with
> support for krb5 protocol when speaking with older versions.

Well, I think it'll depend on what's configured, no? Doesn't the libpq
protocol say back to the user "this is what I want to use" or similar?
The impression I got was more along the lines of- we'll have another
option in pg_hba.conf for 'gssapi', distinct from 'krb5' and either
could be used. Might have misunderstood tho.

> 2. In 8.2 and below, we used the GSSAPI library on all platforms. 8.3
> adds support for Microsoft's SSPI interface on Windows.

No.. We used the MIT Krb5 library. This is a change to use the GSSAPI
library (also from MIT and part of their Kerberos distribution, so it's
a tad confusing) on Unix by default and compile in support for it under
Windows as well.

> On Windows, why would you need GSSAPI, if SSPI comes with the operating
> system? What's the difference between the libraries? Can you try SSPI
> first, and fall back to GSSAPI?

You can't really 'fall back' without creating a lot of noise in the logs
and whatnot. Also, it could try to do things that don't make any sense.
The reason to support both is that they have, essentially, different
feature sets.

> Can you do <= 8.2 style krb5 authentication with the SSPI library?

No, at least from a user-interface standpoint and I think also the
wireline protocol is different...

Thanks,

Stephen
