Re: [PATCH v20] GSSAPI encryption support

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Joe Conway <mail(at)joeconway(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, Nico Williams <nico(at)cryptonector(dot)com>, Robbie Harwood <rharwood(at)redhat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH v20] GSSAPI encryption support
Date: 2019-04-05 12:48:03
Message-ID: 20190405124803.GO6197@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> On 2019-04-05 04:59, Stephen Frost wrote:
> > Alright, that over-size error was a bug in the error-handling code,
> > which I've just pushed a fix for. That said...
>
> Yes, that looks better now.

Great.

> > This looks like it's a real issue and it's unclear what's going on here.
> > I wonder- are you certain that you're using all the same Kerberos
> > libraries for the KDC, the server, and psql?
>
> Right, it was built against the OS-provided Kerberos installation
> (/usr/bin etc.). If I build against the Homebrew-provided one then the
> tests pass.

All of it was built against the OS-provided Kerberos install, and you
got the failure..?

> So maybe that means that this encryption feature is not supported on
> that (presumably older) installation? (krb5-config --version says
> "Kerberos 5 release 1.7-prerelease") Is that plausible? Is a gentler
> failure mode possible?

On a failure to set up an encrypted connection, we'll actually fall back
to a non-encrypted one, using GSSAPI *just* for authentication, which is
why I was asking if this worked before the encryption patch went in.
Also, which of the tests are still failing, exactly? The authentication
ones or the encryption ones or both?

If we determine that this is some issue with the MacOS-provided Kerberos
libraries, then we could try to detect them and disable GSSAPI
encryption in that case explicitly, I suppose, but I've seen odd things
with the MacOS-provided Kerberos libraries before on released versions
of PG (without any encryption support), so I'm not yet convinced that
this is an issue that's specific to adding support for encryption.

Thanks!

Stephen
