From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, Nico Williams <nico(at)cryptonector(dot)com>, Robbie Harwood <rharwood(at)redhat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH v20] GSSAPI encryption support |
Date: | 2019-04-03 06:49:25 |
Message-ID: | CABUevEyuNNJv=19foa=ycTfTfBUYOEwM8_Uss5OVKrwBAy+Btw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <mail(at)joeconway(dot)com> wrote:
> On 4/2/19 6:18 PM, Stephen Frost wrote:
> > Greetings,
> >
> > On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> > <peter(dot)eisentraut(at)2ndquadrant(dot)com
> > <mailto:peter(dot)eisentraut(at)2ndquadrant(dot)com>> wrote:
> >
> > On 2019-02-23 17:27, Stephen Frost wrote:
> > >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing.
> > It only
> > >> applies to encrypted gss-using connections, not all of them.
> Maybe
> > >> "hostgssenc" or "hostgsswrap"?
> > > Not quite sure what you mean here, but 'hostgss' seems to be quite
> > well
> > > in-line with what we do for SSL... as in, we have 'hostssl', we
> don't
> > > say 'hostsslenc'. I feel like I'm just not understanding what you
> > mean
> > > by "not all of them".
> >
> > Reading the latest patch, I think this is still a bit confusing.
> > Consider an entry like
> >
> > hostgss all all 0.0.0.0/0
> > <http://0.0.0.0/0> gss
> >
> > The "hostgss" part means, the connection is GSS-*encrypted*. The
> "gss"
> > entry in the last column means use gss for *authentication*. But
> didn't
> > "hostgss" already imply that? No. I understand what's going on,
> but it
> > seems quite confusing. They both just say "gss"; you have to know a
> lot
> > about the nuances of pg_hba.conf processing to get that.
> >
> > If you have line like
> >
> > hostgss all all 0.0.0.0/0
> > <http://0.0.0.0/0> md5
> >
> > it is not obvious that this means, if GSS-encrypted, use md5. It
> could
> > just as well mean, if GSS-authenticated, use md5.
> >
> > The analogy with SSL is such that we use "hostssl" for connections
> using
> > SSL encryption and "cert" for the authentication method. So there we
> > use two different words for two different aspects of SSL.
> >
> >
> > I don’t view it as confusing, but I’ll change it to hostgssenc as was
> > suggested earlier to address that concern. It’s a bit wordy but if it
> > helps reduce confusion then that’s a good thing.
>
> Personally I don't find it as confusing as is either, and I find hostgss
> to be a good analog of hostssl. On the other hand hostgssenc is long and
> unintuitive. So +1 for leaving as is and -1 one for changing it IMHO.
>
I think for those who are well versed in pg_hba (and maybe gss as well),
it's not confusing. That includes me.
However, for a new user, I can definitely see how it can be considered
confusing. And confusion in *security configuration* is always a bad idea,
even if it's just potential.
Thus +1 on changing it.
If it was on the table it might have been better to keep hostgss and change
the authentication method to gssauth or something, but that ship sailed
*years* ago.
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2019-04-03 06:59:49 | Simplify redability of some tests for toast_tuple_target in strings.sql |
Previous Message | Michael Paquier | 2019-04-03 06:37:59 | Caveats from reloption toast_tuple_target |