Greetings,

On Tue, Apr 2, 2019 at 18:10 Peter Eisentraut <peter.eisentr...@2ndquadrant.com> wrote:

> On 2019-02-23 17:27, Stephen Frost wrote:
> >> About pg_hba.conf: The "hostgss" keyword seems a bit confusing. It only
> >> applies to encrypted gss-using connections, not all of them. Maybe
> >> "hostgssenc" or "hostgsswrap"?
> > Not quite sure what you mean here, but 'hostgss' seems to be quite well
> > in-line with what we do for SSL... as in, we have 'hostssl', we don't
> > say 'hostsslenc'. I feel like I'm just not understanding what you mean
> > by "not all of them".
>
> Reading the latest patch, I think this is still a bit confusing.
> Consider an entry like
>
> hostgss all all 0.0.0.0/0 gss
>
> The "hostgss" part means, the connection is GSS-*encrypted*. The "gss"
> entry in the last column means use gss for *authentication*. But didn't
> "hostgss" already imply that? No. I understand what's going on, but it
> seems quite confusing. They both just say "gss"; you have to know a lot
> about the nuances of pg_hba.conf processing to get that.
>
> If you have a line like
>
> hostgss all all 0.0.0.0/0 md5
>
> it is not obvious that this means, if GSS-encrypted, use md5. It could
> just as well mean, if GSS-authenticated, use md5.
>
> The analogy with SSL is such that we use "hostssl" for connections using
> SSL encryption and "cert" for the authentication method. So there we
> use two different words for two different aspects of SSL.

I don't view it as confusing, but I'll change it to hostgssenc as was suggested earlier to address that concern. It's a bit wordy but if it helps reduce confusion then that's a good thing.

Thanks,

Stephen
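As an added example, not part of this thread or of the PostgreSQL patch under discussion: a small Python parser for pg_hba.conf lines that reports the connection-type column (how the transport is protected) and the auth-method column (how the client is authenticated) separately, so that a line such as `hostgssenc all all 0.0.0.0/0 md5` reads unambiguously as "GSS-encrypted transport, md5 authentication" and `hostgssenc ... gss` as "GSS-encrypted transport, GSS authentication". It uses the hostgssenc/hostnogssenc spelling Stephen agrees to above (the spelling PostgreSQL 12 shipped); the sample configuration, the `parse_hba_line`/`describe` helper names and the transport labels are constructed for illustration and are not PostgreSQL's own code.

```python
import ipaddress

# Connection types and what each says about the transport. The two gss
# entries use the hostgssenc/hostnogssenc spelling settled on in the
# thread; the other four are long-standing pg_hba.conf types. Labels are
# this example's own wording, not PostgreSQL's.
CONN_TYPES = {
    "local": "unix socket",
    "host": "tcp, encrypted or not",
    "hostssl": "tcp, ssl-encrypted only",
    "hostnossl": "tcp, not ssl-encrypted",
    "hostgssenc": "tcp, gss-encrypted only",
    "hostnogssenc": "tcp, not gss-encrypted",
}

# Authentication methods accepted in the method column.
AUTH_METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}


def _is_ip(text):
    """True if text is a bare IPv4/IPv6 address (no prefix length)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hba_line(line):
    """Parse one pg_hba.conf line into its columns.

    Returns None for blank/comment lines, otherwise a dict with keys
    type, transport, database, user, address, method, options.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    ctype = fields[0]
    if ctype not in CONN_TYPES:
        raise ValueError(f"unknown connection type {ctype!r}")

    if ctype == "local":
        # local lines have no address column
        if len(fields) < 4:
            raise ValueError(f"too few columns: {body!r}")
        database, user, address = fields[1], fields[2], None
        rest = fields[3:]
    else:
        if len(fields) < 5:
            raise ValueError(f"too few columns: {body!r}")
        database, user = fields[1], fields[2]
        rest = fields[3:]
        # The address is either "addr/prefix" or the older "addr netmask" pair.
        if len(rest) >= 3 and _is_ip(rest[0]) and _is_ip(rest[1]):
            address = str(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
            rest = rest[2:]
        else:
            address, rest = rest[0], rest[1:]
            try:
                address = str(ipaddress.ip_network(address, strict=False))
            except ValueError:
                pass  # hostname or keyword such as all/samehost/samenet

    method = rest[0]
    if method not in AUTH_METHODS:
        raise ValueError(f"unknown auth method {method!r}")
    return {
        "type": ctype,
        "transport": CONN_TYPES[ctype],
        "database": database,
        "user": user,
        "address": address,
        "method": method,
        "options": rest[1:],
    }


def describe(line):
    """One-line summary that keeps transport and authentication apart."""
    entry = parse_hba_line(line)
    if entry is None:
        return None
    return (f"{entry['type']}: match {entry['transport']} from "
            f"{entry['address'] or 'socket'} -> authenticate with {entry['method']}")


# Constructed sample configuration covering the two lines discussed above
# plus the SSL analogy Peter draws (hostssl + cert).
SAMPLE_CONF = """
# TYPE        DATABASE  USER  ADDRESS          METHOD
local         all       all                    peer
hostgssenc    all       all   0.0.0.0/0        gss
hostgssenc    all       all   0.0.0.0/0        md5
hostssl       all       all   ::/0             cert   clientcert=1
hostnogssenc  all       all   192.168.1.0 255.255.255.0 scram-sha-256
"""


def summarize(conf):
    """Return describe() output for every non-comment line of conf."""
    return [d for d in (describe(l) for l in conf.splitlines()) if d]


if __name__ == "__main__":
    for summary in summarize(SAMPLE_CONF):
        print(summary)
```

Running the block prints one summary per rule; the two hostgssenc lines come out as "gss-encrypted only ... authenticate with gss" and "gss-encrypted only ... authenticate with md5", which is exactly the distinction the thread says the bare "hostgss" keyword obscured.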