From: | Raj kumar <rajkumar820999(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org> |
Subject: | Re: GSSAPI encryption support |
Date: | 2020-05-19 04:55:27 |
Message-ID: | CACxU--WutUdmVaR3_X5e1FXHgXrZwbecT8j0BZD_M1cQ4KbG2A@mail.gmail.com |
Lists: | pgsql-admin |
Thanks Stephen. 😊
Thanks,
Raj
On Mon, 18 May 2020, 21:10 Stephen Frost, <sfrost(at)snowman(dot)net> wrote:
> Greetings,
>
> * Raj kumar (rajkumar820999(at)gmail(dot)com) wrote:
> > 1) The encryption support means that the encryption between the Client and
> > the Server over the network, which was previously possible only through SSL
> > or previously, not encrypted at all. Now, instead of SSL, we can change
> > pg_hba.conf with the parameters "hostgssenc" and "hostnogssenc" to support
> > encryption over the network directly using gssapi.
>
> Yes.
>
> > 2) We need to have a client server, a service server and a Key Distribution
> > Center Server which should have Kerberos installed in it. Kerberos is
> > available as opensource.
>
> Not sure what you mean by 'client server' and 'service server' here,
> but, yes you do need a client, a PG server, and a KDC. There's multiple
> Kerberos implementations available as open source- MIT Kerberos and
> Heimdal are the popular ones.
>
> > Please help me if my understanding is correct and let me know about the
> > major improvement on this feature with PG12. I have referred Documentation
> > and some blogs. But, couldn't get the right picture. Your reply is
> > appreciable.
>
> As usual, you'll want to run the most recent minor version of PG,
> particularly when working with new features. We've had a few issues in
> the GSSAPI encryption which have been fixed in the latest PG12 minor
> release (12.3).
>
> Generally speaking, if you've got a Kerberos environment and have PG
> working with Kerberos, GSSAPI encryption will just start happening,
> though it is recommended to use the 'hostgssenc' lines on the server
> side pg_hba.conf, as you mention, and on the client side set
> 'gssencmode=require' on the client, to ensure the communication will
> be using GSSAPI encryption (the default is only 'prefer', similar to
> SSL).
>
> Thanks,
>
> Stephen
>
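
Added example, not part of the original thread and not PostgreSQL's own code: a small check for the two settings recommended in the quoted reply, 'hostgssenc' lines in pg_hba.conf and 'gssencmode=require' on the client. The function names, the sample rules and the host name are constructed for illustration; the parser is simplified and does not handle include files or evaluate first-match rule ordering.

```python
import ipaddress
import shlex

# Record types that can match a TCP connection with no encryption at all.
# hostssl (TLS only) and hostgssenc (GSSAPI encryption only) are not listed.
PLAINTEXT_POSSIBLE = {"host", "hostnossl", "hostnogssenc"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def plaintext_rules(hba_text):
    """Return (lineno, type, method) for accepting rules that do not force encryption."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments
        if len(fields) < 5 or fields[0] not in PLAINTEXT_POSSIBLE:
            continue
        # ADDRESS is one CIDR/hostname field, or an IP followed by a netmask.
        idx = 5 if "/" not in fields[3] and _is_ip(fields[4]) else 4
        if idx >= len(fields):
            continue
        method = fields[idx]
        if method != "reject":
            findings.append((lineno, fields[0], method))
    return findings

def client_requires_gssenc(conninfo):
    """True only if a libpq keyword/value string sets gssencmode=require."""
    params = dict(tok.split("=", 1) for tok in shlex.split(conninfo) if "=" in tok)
    # libpq's default is 'prefer', which falls back to no GSSAPI encryption.
    return params.get("gssencmode", "prefer") == "require"

# Constructed sample rules, not taken from the thread.
SAMPLE_HBA = """\
# TYPE        DATABASE  USER  ADDRESS          METHOD
hostgssenc    all       all   10.0.0.0/8       gss
host          all       all   10.0.0.0/8       gss     # also matches unencrypted
hostnogssenc  all       all   0.0.0.0 0.0.0.0  reject
"""

if __name__ == "__main__":
    for lineno, rtype, method in plaintext_rules(SAMPLE_HBA):
        print(f"line {lineno}: '{rtype} ... {method}' accepts connections without enforced encryption")
    print(client_requires_gssenc("host=db.example.internal dbname=app gssencmode=require"))
```
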