Andreas, can you please weigh in here since your voice is important to
this process?
Robbie Harwood writes:
> Andres Freund writes:
>
>> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
>>> Hm, and that's why you chose this way of going. My main concern about
>>> this patch is that it adds
On Thu, Oct 22, 2015 at 11:36 PM, Robbie Harwood wrote:
> To be clear, what I need to know is:
> - What changes do you want to see in the wire protocol? (And how will
> fallback be supported if that's affected?)
Hm. Something essential will be to send the length of the wrapped
gss_buffer_t obje
Andres Freund writes:
> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
>> Hm, and that's why you chose this way of going. My main concern about
>> this patch is that it adds on top of the existing Postgres protocol a
>> layer to encrypt and decrypt the messages between server and client
>>
On Thu, Oct 22, 2015 at 6:00 PM, Andres Freund wrote:
> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
>> Hm, and that's why you chose this way of going. My main concern about
>> this patch is that it adds on top of the existing Postgres protocol a
>> layer to encrypt and decrypt the message
On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
> Hm, and that's why you chose this way of going. My main concern about
> this patch is that it adds on top of the existing Postgres protocol a
> layer to encrypt and decrypt the messages between server and client
> based on GSSAPI. All messages
On Thu, Oct 22, 2015 at 1:28 AM, Robbie Harwood wrote:
> Michael Paquier writes:
>
>> Robbie,
>>
>> +#ifdef ENABLE_GSS
>> + if (pggss_encrypt(conn) < 0)
>> + return EOF;
>> +#endif
>>
>> @@ -1528,10 +1541,20 @@ socket_putmessage(char msgtype, const char *s,
>> size_t len)
>>
Michael Paquier writes:
> On Tue, Oct 20, 2015 at 3:01 AM, Robbie Harwood wrote:
>> Stephen Frost writes:
>>> psql: lost synchronization with server: got message type "S", length 22
>>
>> which unfortunately could be a great many things. I've said this a
>> couple times now, but I really do nee
Michael Paquier writes:
> Robbie,
>
> +#ifdef ENABLE_GSS
> + if (pggss_encrypt(conn) < 0)
> + return EOF;
> +#endif
>
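Review bot: in the `#ifdef ENABLE_GSS` block, the `pggss_encrypt(conn) < 0` branch returns EOF and nothing in these lines records why the wrap failed. Consider setting an error message before `return EOF;` so that a caller can distinguish a GSSAPI encryption failure from an ordinary send failure. The same applies wherever this guard is repeated in the send path.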
> @@ -1528,10 +1541,20 @@ socket_putmessage(char msgtype, const char *s,
> size_t len)
> if (internal_putbytes(s, len))
> goto fail;
>
Robbie,
On Wed, Oct 21, 2015 at 3:54 PM, Michael Paquier
wrote:
> On Tue, Oct 20, 2015 at 3:01 AM, Robbie Harwood wrote:
>> Stephen Frost writes:
>>> psql: lost synchronization with server: got message type "S", length 22
>>
>> which unfortunately could be a great many things. I've said this a
On Tue, Oct 20, 2015 at 3:01 AM, Robbie Harwood wrote:
> Stephen Frost writes:
>> psql: lost synchronization with server: got message type "S", length 22
>
> which unfortunately could be a great many things. I've said this a
> couple times now, but I really do need more information - a traffic
>
Stephen Frost writes:
> As for this patch, the reason I've not been as involved (beyond being
> ridiculously busy) is that Michael's environment, which at least appears
> perfectly reasonable (and works with PG unpatched) isn't working. If we
> can get that working (and I've not looked at what's
* Craig Ringer (cr...@2ndquadrant.com) wrote:
> On 16 October 2015 at 21:34, Stephen Frost wrote:
> >> It's a different auth request, but the handling in be-auth.c is
> >> co-mingled to handle the cases:
> >
> > be-auth.c? You mean src/backend/libpq/auth.c?
>
> Ahem. Yes.
No worries. :)
> Also
On 16 October 2015 at 21:34, Stephen Frost wrote:
> * Craig Ringer (cr...@2ndquadrant.com) wrote:
>> On 16 October 2015 at 01:07, Robbie Harwood wrote:
>> > Looking at
>> > http://www.postgresql.org/docs/9.4/static/protocol-message-formats.html
>> > suggests that SSPI follows a separate codepath
* Craig Ringer (cr...@2ndquadrant.com) wrote:
> On 16 October 2015 at 01:07, Robbie Harwood wrote:
> > Looking at
> > http://www.postgresql.org/docs/9.4/static/protocol-message-formats.html
> > suggests that SSPI follows a separate codepath from the GSS code;
> > certainly it's a different auth re
On 16 October 2015 at 01:07, Robbie Harwood wrote:
> The short - and probably most important - answer is that no, I haven't
> tested it, and it would be difficult for me to do so quickly.
IIRC it's pretty easy to fire up AWS instances that're primary domain
controllers, and then join a Pg box to
Craig Ringer writes:
> On 14 October 2015 at 06:34, Robbie Harwood wrote:
>> Alright, here's v3. As requested, it's one patch now.
>
> I hate to ask, but have you looked at how this interacts with Windows?
>
> We support Windows SSPI (on a domain-member host) authenticating to a
> PostgreSQL se
On 14 October 2015 at 06:34, Robbie Harwood wrote:
> Alright, here's v3. As requested, it's one patch now.
I hate to ask, but have you looked at how this interacts with Windows?
We support Windows SSPI (on a domain-member host) authenticating to a
PostgreSQL server using gssapi with spnego.
We
On Wed, Oct 14, 2015 at 7:34 AM, Robbie Harwood wrote:
> Alright, here's v3. As requested, it's one patch now. Other things
> addressed herein include:
> Essentially, the problem is that socket_putmessage_noblock() needs to
> know the size of the message to put in the buffer but we can't know
>
Alright, here's v3. As requested, it's one patch now. Other things
addressed herein include:
- postgres.h/assert.h ordering fix
- spacing around casts
- leaking of GSS buffer in be_gss_inplace_decrypt
- libpq-be.h not having a conditional internal include
- always exposing guc variable gss_
19 matches