I'm making no promises, but what would people think of a hostgss hba
option?
Using it would imply the gssapi/sspi authentication option. It would
be mutually exclusive of the ssl link-encryption option. It would
support strong encryption of the whole connection without the need to
get X509 certs deployed (which would be a big win if you're using
gssapi/sspi authentication anyway).
The thing that prevented me from including it in the gssapi patches I
did for 8.3 was that I couldn't disentangle the program logic to the
point of inserting the gssapi security layer code above the SSL code
and below everything else. I'm thinking that doing both is pretty
much an edge case, so I propose to do gssapi security layers instead
of SSL. The mods are a lot more obvious.
I'm *NOT* proposing to make build support of gssapi security layers
exclusive of SSL. You might, for example, configure a server to
support username/password over SSL for intra-net addresses, but
support gssapi for Internet addresses.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
No comments:
Post a Comment