Re: [PATCH v3] GSSAPI encryption support

On 14 October 2015 at 06:34, Robbie Harwood <rharwood@redhat.com> wrote:
> Alright, here's v3.  As requested, it's one patch now.

I hate to ask, but have you looked at how this interacts with Windows?

We support Windows SSPI (on a domain-member host) authenticating to a
PostgreSQL server using gssapi with spnego.

We also support a PostgreSQL client on *nix authenticating using
gssapi with spnego to a PostgreSQL server that's requesting sspi mode.

The relevant code is all a bit tangled, since there's support in there
for using Kerberos libraries on Windows instead of SSPI too. I doubt
anybody uses that last one, tests it, or cares about it, though, given
the painful hoop-jumping, registry key permission changes, etc
required to make it work.

For bonus fun, RC4, DES, AES128 or AES256 are available/used for
Kerberos encryption on Windows. See

http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx
. Though given that Win7 defaults to AES256 it's probably reasonable
to simply not care about anything else.


-- Craig Ringer                   http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services