Re: GSSAPI encryption support

Greetings,

* Raj kumar (rajkumar820999(at)gmail(dot)com) wrote:
> Thanks Stephen. 😊

Sure. Also- just to be clear, if you already have an Active Directory
environment, then you already have a KDC- you don't need to stand up
another one (though you certainly could and could use a cross-realm
trust relationship between the AD environment to the MIT/Heimdal one, if
you wanted, and allow AD authenticated users to connect to the PG server
in the MIT/Heimdal realm using Kerberos).

Thanks,

Stephen

> On Mon, 18 May 2020, 21:10 Stephen Frost, <sfrost(at)snowman(dot)net> wrote:
>
> > Greetings,
> >
> > * Raj kumar (rajkumar820999(at)gmail(dot)com) wrote:
> > > 1) The encryption support means that the encryption between the Client
> > and
> > > the Server over the network, which was previously possible only through
> > SSL
> > > or previously, not encrypted at all. Now, instead of SSL, we can change
> > > pg_hba.conf with the parameters "hostgssenc" and hostnogssenc" to support
> > > encryption over the network directly using gssapi.
> >
> > Yes.
> >
> > > 2) We need to have a client server, a service server and a Key
> > Distribution
> > > Center Server which should have Kerberose installed in it. Kerberose is
> > > available as opensource.
> >
> > Not sure what you mean by 'client server' and 'service server' here,
> > but, yes you do need a client, a PG server, and a KDC. There's multiple
> > Kerberos implementations available as open source- MIT Kerberos and
> > Heimdal are the popular ones.
> >
> > > Please help me if my understanding is correct and let me know about the
> > > major improvement on this feature with PG12. I have referred
> > Documentation
> > > and some blogs. But, couldn't get the right picture. Your reply is
> > > appreciable.
> >
> > As usual, you'll want to run the most recent minor version of PG,
> > particularly when working with new features. We've had a few issues in
> > the GSSAPI encryption which have been fixed in the latest PG12 minor
> > release (12.3).
> >
> > Generally speaking, if you've got a Kerberos environment and have PG
> > working with Kerberos, GSSAPI encryption will just start happening,
> > though it is recommended to use the 'hostgssenc' lines on the server
> > side pg_hba.conf, as you mention, and on the client side set
> > 'gssencmode=require' on the client, to ensure the communication will
> > be using GSSAPI encryption (the default is only 'prefer', similar to
> > SSL).
> >
> > Thanks,
> >
> > Stephen
> >