| From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
|---|---|
| To: | Robbie Harwood <rharwood(at)redhat(dot)com> |
| Cc: | PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>, Andres Freund <andres(at)anarazel(dot)de>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
| Subject: | Re: [PATCH v3] GSSAPI encryption support |
| Date: | 2015-10-15 12:23:56 |
| Message-ID: | CAMsr+YE-WaD4kV4vYe0WxQhgD=hJ-EHd7oJ3=ZUF614t1HMPMA@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 14 October 2015 at 06:34, Robbie Harwood <rharwood(at)redhat(dot)com> wrote:
> Alright, here's v3. As requested, it's one patch now.
I hate to ask, but have you looked at how this interacts with Windows?
We support Windows SSPI (on a domain-member host) authenticating to a
PostgreSQL server using gssapi with spnego.
We also support a PostgreSQL client on *nix authenticating using
gssapi with spnego to a PostgreSQL server that's requesting sspi mode.
The relevant code is all a bit tangled, since there's support in there
for using Kerberos libraries on Windows instead of SSPI too. I doubt
anybody uses that last one, tests it, or cares about it, though, given
the painful hoop-jumping, registry key permission changes, etc
required to make it work.
For bonus fun, RC4, DES, AES128 or AES256 are available/used for
Kerberos encryption on Windows. See
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
. Though given that Win7 defaults to AES256 it's probably reasonable
to simply not care about anything else.
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2015-10-15 12:45:20 | Re: Parallel Seq Scan |
| Previous Message | Craig Ringer | 2015-10-15 12:11:18 | Re: PATCH: 9.5 replication origins fix for logical decoding |