On Wed, Apr 3, 2019 at 12:22 AM Joe Conway <m...@joeconway.com> wrote:

> On 4/2/19 6:18 PM, Stephen Frost wrote:
> > Greetings,
> >
> > On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut
> > <peter.eisentr...@2ndquadrant.com> wrote:
> >
> >     On 2019-02-23 17:27, Stephen Frost wrote:
> >     >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing.
> >     >> It only applies to encrypted gss-using connections, not all of
> >     >> them.  Maybe "hostgssenc" or "hostgsswrap"?
> >     > Not quite sure what you mean here, but 'hostgss' seems to be quite
> >     > well in-line with what we do for SSL...  as in, we have 'hostssl',
> >     > we don't say 'hostsslenc'.  I feel like I'm just not understanding
> >     > what you mean by "not all of them".
> >
> >     Reading the latest patch, I think this is still a bit confusing.
> >     Consider an entry like
> >
> >         hostgss all             all             0.0.0.0/0               gss
> >
> >     The "hostgss" part means, the connection is GSS-*encrypted*.  The
> >     "gss" entry in the last column means use gss for *authentication*.
> >     But didn't "hostgss" already imply that?  No.  I understand what's
> >     going on, but it seems quite confusing.  They both just say "gss";
> >     you have to know a lot about the nuances of pg_hba.conf processing
> >     to get that.
> >
> >     If you have a line like
> >
> >         hostgss all             all             0.0.0.0/0               md5
> >
> >     it is not obvious that this means, if GSS-encrypted, use md5.  It
> >     could just as well mean, if GSS-authenticated, use md5.
> >
> >     The analogy with SSL is such that we use "hostssl" for connections
> >     using SSL encryption and "cert" for the authentication method.  So
> >     there we use two different words for two different aspects of SSL.
> >
> >
> > I don’t view it as confusing, but I’ll change it to hostgssenc as was
> > suggested earlier to address that concern.  It’s a bit wordy but if it
> > helps reduce confusion then that’s a good thing.
>
> Personally I don't find it as confusing as is either, and I find hostgss
> to be a good analog of hostssl. On the other hand hostgssenc is long and
> unintuitive. So +1 for leaving as is and -1 for changing it IMHO.
>

I think for those who are well versed in pg_hba (and maybe gss as well),
it's not confusing. That includes me.

However, for a new user, I can definitely see how it can be considered
confusing. And confusion in *security configuration* is always a bad idea,
even if it's just potential.

Thus +1 on changing it.

If it was on the table it might have been better to keep hostgss and change
the authentication method to gssauth or something, but that ship sailed
*years* ago.

-- 
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/
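
Added example, not part of the messages above and not code from the patch: a small checker that reads pg_hba.conf records and reports the two GSS roles the thread distinguishes, encryption (first column) and authentication (method column). The function names and sample records are constructed for illustration; it assumes CIDR-style addresses and unquoted fields.

```python
# Added example (not from the thread). Keyword names are taken from the
# messages above: "hostgss" is the patch's keyword, "hostgssenc" the rename.
GSS_ENC_TYPES = {"hostgss", "hostgssenc"}
CONN_TYPES = {"local", "host", "hostssl", "hostnossl"} | GSS_ENC_TYPES

def parse_hba_line(line):
    """Split one pg_hba.conf record into its columns (CIDR addresses only)."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None  # blank line or comment
    conn_type = fields[0]
    if conn_type not in CONN_TYPES:
        raise ValueError(f"unknown connection type: {conn_type!r}")
    # "local" records have no address column; all others do.
    method_idx = 3 if conn_type == "local" else 4
    if len(fields) <= method_idx:
        raise ValueError(f"too few columns: {line!r}")
    return {
        "type": conn_type,
        "database": fields[1],
        "user": fields[2],
        "address": None if conn_type == "local" else fields[3],
        "method": fields[method_idx],
        "options": fields[method_idx + 1:],
    }

def gss_roles(line):
    """Return (GSS encrypts the connection, GSS authenticates the user)."""
    rec = parse_hba_line(line)
    if rec is None:
        return None
    return (rec["type"] in GSS_ENC_TYPES, rec["method"] == "gss")

# Constructed sample records, including the two quoted in the thread.
SAMPLE = """\
hostgss all all 0.0.0.0/0 gss
hostgss all all 0.0.0.0/0 md5
host    all all 0.0.0.0/0 gss include_realm=0
hostssl all all 0.0.0.0/0 cert
"""

if __name__ == "__main__":
    for raw in SAMPLE.splitlines():
        enc, auth = gss_roles(raw)
        print(f"{raw:<48} GSS-encrypted={enc!s:<5} GSS-authenticated={auth}")
```

The second sample record is the case called out in the thread: the first column requires GSS encryption while the user is authenticated with md5, so the two flags differ.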
