PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> With following entries in pg_hba.conf, psql v13 is prompting for password
> for Kerberos connections, whereas psql v11 succeeds connecting without any
> issue.
> local all pgbkp peer map=pgbackrest
> hostssl all +citi_pg_app_read 0.0.0.0/0 gss map=krb
> host all all 0.0.0.0/0 scram-sha-256
> [kdc_test_fid(at)icl-actpsql-vm1 /psql13]$ psql -U app_kdc_test_fid -h x.x.x -d
> postgres -p 1524
> Password for user app_kdc_test_fid:
I suspect the v13 libpq is trying GSSAPI encryption before SSL encryption,
so it falls through the hostssl line and ends up at the catchall.
regards, tom lane