Re: weird libpq GSSAPI comment

From: Robbie Harwood <rharwood(at)redhat(dot)com>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Pg Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: weird libpq GSSAPI comment
Date: 2020-01-03 20:01:25
Message-ID: jlgsgkwqpgq.fsf@redhat.com
Lists: pgsql-hackers

Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> writes:

> How about this?
>
> * If GSSAPI is enabled and we can reach a credential cache,
> * set up a handle for it; if it's operating, just send a
> * GSS startup message, instead of the SSL negotiation and
> * regular startup message below.

Due to the way postgres handled this historically, there are two ways
GSSAPI can be used: for connection encryption, and for authentication
only. We perform the same dance of sending a "request packet" for
GSSAPI encryption as we do for TLS encryption. So I'd like us to be
precise about which one we're talking about here (encryption).

The GSSAPI idiom I should have used is "can acquire credentials" (i.e.,
instead of "can reach a credential cache" in your proposal).

There's no such thing as a "GSS startup message". After negotiating
GSSAPI/TLS encryption (or failing to do so), we send the same things in
all cases, which includes negotiation of authentication mechanism if
any. (Negotiating GSSAPI for authentication after negotiating GSSAPI
for encryption will short-circuit rather than establishing a second
context, if I remember right.)

I wonder if part of the confusion might be due to the synonyms we're
using here for "in use". Things seem to be "got running", "set up",
"operating", "negotiated", ... - maybe that's part of the barrier to
understanding?

Thanks,
--Robbie
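To make the "request packet" dance described above concrete, here is an added example that is not code from the thread or from libpq: it builds the two pre-startup request packets (GSSENCRequest and SSLRequest), a stand-in for the backend's answer to each, and a simplified client-side negotiation that, whatever the outcome, follows up with the same regular StartupMessage. The packet layouts and codes are the documented v3 frontend/backend protocol; the `FakeServer` policy, the parameter dict and the `negotiate` helper are constructed for this demo, and the GSSAPI and TLS handshakes that would run after a 'G' or 'S' answer are elided.

```python
"""
Added example (not libpq's code): PostgreSQL's pre-startup "request packets"
and the StartupMessage that follows them in every case.

Wire facts used (PostgreSQL frontend/backend protocol v3):
  SSLRequest     = int32 length 8, int32 code 80877103; server answers b'S' or b'N'
  GSSENCRequest  = int32 length 8, int32 code 80877104; server answers b'G' or b'N'
  StartupMessage = int32 length, int32 protocol 196608 (3.0), then
                   NUL-terminated key/value pairs, then a final NUL byte.
Everything else here (FakeServer policy, negotiate()) is a constructed model.
"""
import struct

SSL_REQUEST_CODE = 80877103     # 1234 << 16 | 5679
GSSENC_REQUEST_CODE = 80877104  # 1234 << 16 | 5680
PROTOCOL_V3 = 196608            # 3 << 16 | 0


def request_packet(code: int) -> bytes:
    # Both request packets are exactly 8 bytes: length (self-inclusive) + code.
    return struct.pack("!ii", 8, code)


def startup_message(params: dict) -> bytes:
    body = struct.pack("!i", PROTOCOL_V3)
    for key, value in params.items():
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"
    return struct.pack("!i", len(body) + 4) + body


def parse_startup_message(data: bytes) -> dict:
    """Backend-side decoder for the regular StartupMessage."""
    length, proto = struct.unpack("!ii", data[:8])
    if length != len(data) or proto != PROTOCOL_V3:
        raise ValueError("not a v3 StartupMessage")
    params, pos = {}, 8
    while data[pos] != 0:                      # final lone NUL ends the list
        end = data.index(b"\0", pos)
        key = data[pos:end].decode()
        pos = end + 1
        end = data.index(b"\0", pos)
        params[key] = data[pos:end].decode()
        pos = end + 1
    return params


class FakeServer:
    """Constructed stand-in for the backend's answer to a request packet.
    Real servers decide based on their GSSAPI/SSL build and configuration."""

    def __init__(self, gss_enabled: bool, ssl_enabled: bool):
        self.gss_enabled = gss_enabled
        self.ssl_enabled = ssl_enabled

    def answer(self, packet: bytes) -> bytes:
        length, code = struct.unpack("!ii", packet[:8])
        if length == 8 and code == GSSENC_REQUEST_CODE:
            return b"G" if self.gss_enabled else b"N"
        if length == 8 and code == SSL_REQUEST_CODE:
            return b"S" if self.ssl_enabled else b"N"
        raise ValueError("not a request packet")


def negotiate(server: FakeServer, have_gss_creds: bool,
              sslmode_allows: bool, params: dict):
    """Simplified client side of the pre-startup steps (assumption: GSS
    encryption is tried before SSL, as libpq does with gssencmode=prefer).
    Returns the transport encryption chosen and the ordered bytes sent."""
    sent = []
    encryption = "none"
    if have_gss_creds:                         # "can acquire credentials"
        pkt = request_packet(GSSENC_REQUEST_CODE)
        sent.append(pkt)
        if server.answer(pkt) == b"G":
            encryption = "gss"                 # GSSAPI handshake would run here
    if encryption == "none" and sslmode_allows:
        pkt = request_packet(SSL_REQUEST_CODE)
        sent.append(pkt)
        if server.answer(pkt) == b"S":
            encryption = "ssl"                 # TLS handshake would run here
    # In all three outcomes the very same regular StartupMessage follows;
    # authentication (GSSAPI or otherwise) is negotiated only after it.
    sent.append(startup_message(params))
    return encryption, sent


if __name__ == "__main__":
    demo_params = {"user": "alice", "database": "db"}   # constructed sample
    for gss, ssl in ((True, True), (False, True), (False, False)):
        enc, msgs = negotiate(FakeServer(gss, ssl), True, True, demo_params)
        print(f"gss={gss} ssl={ssl} -> encryption={enc}, {len(msgs)} messages sent")
```

The point the example makes visible is the one the message insists on: there is no separate "GSS startup message". A 'G' answer only selects GSSAPI as the transport encryption; the StartupMessage that follows is identical in the GSS, SSL and plaintext cases, and authentication is negotiated after it.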
