Hello!
Today, there exists GSSAPI authentication support in Postgres. I plan
to extend this work to include encryption as well, but wanted to get
your input on that first since you've probably thought about this
already.
From what I can tell, the auth/encryption layer is very nicely designed
Stephen Frost <sfr...@snowman.net> writes:
Robbie,
* Robbie Harwood (rharw...@redhat.com) wrote:
We'd I think also want a new kind of HBA entry (probably something along
the lines of `hostgss` to contrast with `hostssl`), but I'm not sure
what we'd want to do for the counterpart
Robbie Harwood <rharw...@redhat.com> writes:
Stephen Frost <sfr...@snowman.net> writes:
Robbie,
* Robbie Harwood (rharw...@redhat.com) wrote:
We'd I think also want a new kind of HBA entry (probably something along
the lines of `hostgss` to contrast with `hostssl`), but I'm not sure
what
separation rather than too little. A patch for each
is attached. This is v1 of the series.
Thanks!
From f506ba6ab6755f56c8aadba7d72a8839d5fbc0d9 Mon Sep 17 00:00:00 2001
From: "Robbie Harwood (frozencemetery)" <rharw...@redhat.com>
Date: Mon, 8 Jun 2015 19:27:45 -0400
Subject: build: Define
Michael Paquier <michael.paqu...@gmail.com> writes:
On Fri, Jul 3, 2015 at 3:22 AM, Robbie Harwood <rharw...@redhat.com> wrote:
There are 8 commits in this series; I have tried to err on the side of
creating too much separation rather than too little. A patch for each
is attached. This is v1
Michael Paquier writes:
> Robbie,
>
> +#ifdef ENABLE_GSS
> + if (pggss_encrypt(conn) < 0)
> + return EOF;
> +#endif
>
> @@ -1528,10 +1541,20 @@ socket_putmessage(char msgtype, const char *s,
> size_t len)
> if (internal_putbytes(s, len))
>
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Tue, Oct 20, 2015 at 3:01 AM, Robbie Harwood wrote:
>> Stephen Frost <sfr...@snowman.net> writes:
>>> psql: lost synchronization with server: got message type "S", length 22
>>
>> which un
Andres Freund writes:
> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
>> Hm, and that's why you chose this way of going. My main concern about
>> this patch is that it adds on top of the existing Postgres protocol a
>> layer to encrypt and decrypt the messages between
Jeff Janes <jeff.ja...@gmail.com> writes:
> On Tue, Sep 29, 2015 at 7:53 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>> Robbie Harwood <rharw...@redhat.com> writes:
>>
>>>>>> Michael Paquier <michael.paqu...@gmail.com> writes:
>>
Andreas, can you please weigh in here since your voice is important to
this process?
Robbie Harwood <rharw...@redhat.com> writes:
> Andres Freund <and...@anarazel.de> writes:
>
>> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
>>> Hm, and that's why you
Jeff Janes writes:
> I can't ./configure --with-gssapi from git on ubuntu 14.04.3 because:
>
> configure: error: gssapi.h header file is required for GSSAPI
>
> If I download the distribution-specific 9.3 source with apt, I find
> their secret sauce to make it work:
>
>
Craig Ringer <cr...@2ndquadrant.com> writes:
> On 14 October 2015 at 06:34, Robbie Harwood <rharw...@redhat.com> wrote:
>> Alright, here's v3. As requested, it's one patch now.
>
> I hate to ask, but have you looked at how this interacts with Windows?
>
> We
Stephen Frost writes:
> As for this patch, the reason I've not been as involved (beyond being
> ridiculously busy) is that Michael's environment, which at least appears
> perfectly reasonable (and works with PG unpatched) isn't working. If we
> can get that working (and I've
m, I would love to
hear them; right now though I don't see a better way.
Patch follows. Thanks!
From 6710d5ad0226ea3a5ea8e35d6dc54b4500f1d3e0 Mon Sep 17 00:00:00 2001
From: "Robbie Harwood (frozencemetery)" <rharw...@redhat.com>
Date: Mon, 8 Jun 2015 19:27:45 -0400
Subject: [PATCH]
both of you! Okay, if block is desired, I'll
squish for v3. Sorry for the inconvenience.
>> On 2015-07-02 14:22:13 -0400, Robbie Harwood wrote:
>> [Andres' comments]
>
> Here are some comments on top of what Andres has mentioned.
>
> --- a/configure.in
> +++ b/configure
ow the steps don't
> individually make sense.
That's fair. Can you suggest a better organization?
> On 2015-07-02 14:22:13 -0400, Robbie Harwood wrote:
>> +#include
>
> postgres.h should be the first header included.
Okay, will fix.
>> +size_t
>> +be_gss_encrypt(Port *por
Steve Singer <st...@ssinger.info> writes:
On 04/19/2015 11:18 AM, Mikko Tiihonen wrote:
Hi,
I would like to allow specifying multiple host names for libpq to try
connecting to. This is currently only supported if the host name
resolves to multiple addresses. Having the support for it
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Fri, Jul 3, 2015 at 3:22 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>
>> Hello -hackers,
>>
>> As previously discussed on this list, I have coded up GSSAPI encryption
>> support. If it is easi
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Thu, Sep 10, 2015 at 4:27 PM, Michael Paquier <michael.paqu...@gmail.com>
> wrote:
>> On Thu, Sep 10, 2015 at 1:44 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>>> Michael Paquier <michael.paq
Robbie Harwood <rharw...@redhat.com> writes:
>>>> Michael Paquier <michael.paqu...@gmail.com> writes:
>>>>
>>>>> Well, the issue is still here: login through gssapi fails with
>>>>> your patch, not with HEAD. This patch is next
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Wed, Sep 9, 2015 at 4:12 AM, Robbie Harwood wrote:
>> Michael Paquier writes:
>> As promised, here's a V2 to address your issues with comments. I
>> haven't heard back on the issues you found in testing, so no o
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Thu, Apr 7, 2016 at 8:20 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
>> Robbie Harwood <rharw...@redhat.com> writes:
>>> Tom Lane <t...@sss.pgh.pa.us> writes:
>>>
>>
c92275b6605d7929cda5551de47a4c60aab7179e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Tue, 17 Nov 2015 18:34:14 -0500
Subject: [PATCH] Connect encryption support for GSSAPI
Existing GSSAPI authentication code is extended to support connection
encryption. Connection begins as soon as po
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Thu, Feb 11, 2016 at 6:06 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>>
>> - The GSSAPI authentication code has been moved without modification.
>> In doing so, the temptation to modify it (fla
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Tue, Feb 16, 2016 at 2:45 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>> David Steele <da...@pgmasters.net> writes:
>>> On 2/10/16 4:06 PM, Robbie Harwood wrote:
>>>> Hello friends,
David Steele <da...@pgmasters.net> writes:
> On 2/15/16 12:45 PM, Robbie Harwood wrote:
>> David Steele <da...@pgmasters.net> writes:
>>
>>> 1) It didn't apply cleanly to HEAD. It did apply cleanly on a455878
>>> which I figured was recent
David Steele <da...@pgmasters.net> writes:
> Hi Robbie,
>
> On 2/10/16 4:06 PM, Robbie Harwood wrote:
>> Hello friends,
>>
>> For your consideration, here is a new version of GSSAPI encryption
>> support. For those who prefer, it's also availa
Stephen Frost <sfr...@snowman.net> writes:
> Robbie,
>
> * Robbie Harwood (rharw...@redhat.com) wrote:
>> Michael Paquier <michael.paqu...@gmail.com> writes:
>> > - maj_stat = gss_accept_sec_context(
>> > -
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Tue, Mar 15, 2016 at 3:12 PM, David Steele <da...@pgmasters.net> wrote:
>> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>>> Here's yet another version of GSSAPI encryption support.
>>
>> This look
David Steele <da...@pgmasters.net> writes:
> Hi Robbie,
>
> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>> Hello friends,
>>
>> Here's yet another version of GSSAPI encryption support. It's also
>> available for viewing on my github:
>
> The build wen
David Steele <da...@pgmasters.net> writes:
> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>>
>> Here's yet another version of GSSAPI encryption support. It's also
>> available for viewing on my github:
>
> I got this warning when applying the first patch in the set:
anks!
From 5674aa74effab4931bac1044f32dee83d915aa90 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On both the frontend and backend, prepare for GSSAPI encryption support
by mo
p until later. This
removes the hang because now the connection will not erroneously get
stuck polling while data is buffered.
Thanks!
From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PAT
David Steele <da...@pgmasters.net> writes:
> On 3/14/16 4:10 PM, Robbie Harwood wrote:
>
>> David Steele <da...@pgmasters.net> writes:
>>
>>> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>>>
>>>> Here's yet another version of GSSAPI enc
Stephen Frost writes:
> Just an initial pass over the patch.
Thanks! In the interest of brevity, if I haven't replied to something,
I plan to fix it.
>> /*
>> - * Flush message so client will see it, except for AUTH_REQ_OK, which
>> need
>> - * not be sent
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Tue, Apr 5, 2016 at 9:06 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>> Here's v12, both here and on my github:
>> https://github.com/frozencemetery/postgres/tree/feature/gssencryp
Tom Lane <t...@sss.pgh.pa.us> writes:
> Robbie Harwood <rharw...@redhat.com> writes:
>> I need to flush this any time we might be doing encryption because it
>> needs to be in a separate request to _secure_write() from what follows
>> it. We don't know whether we
Alvaro Herrera <alvhe...@2ndquadrant.com> writes:
> Robbie Harwood wrote:
>> Michael Paquier <michael.paqu...@gmail.com> writes:
>>
>> > On Tue, Apr 5, 2016 at 9:06 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>> >> Here's v12
Justin Clift writes:
> Moving over a conversation from the pgsql-advocacy mailing list. In it
> Simon (CC'd) raised the issue of potentially creating a
> backwards-compatibility
> breaking release at some point in the future, to deal with things that
> might have no
message conditional again.
- Fixed typo in server error message for insufficient GSSAPI protection.
Thanks!
From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common
Christian Ullrich writes:
> Updated patch attached.
I unfortunately don't have windows machines to test this on, but I
thought it might be helpful to review this anyway since I'm touching
code in the same general area (GSSAPI). And as far as I can tell, you
don't break
Christian Ullrich writes:
> Updated patch attached.
Okay, I am happy now. Thanks!
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Fri, Apr 1, 2016 at 12:31 PM, Robbie Harwood <rharw...@redhat.com> wrote:
>
>> - Fixed buffering of large replies on the serverside. This should fix
>> the traceback that was being seen. The issue had
David Steele <da...@pgmasters.net> writes:
> On 3/20/16 12:09 AM, Robbie Harwood wrote:
>
>> A new version of my GSSAPI encryption patchset is available
>
> Here's a more thorough review:
Thanks for the review! To keep this a manageable size, I'm going to
trim prett
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Thu, Mar 31, 2016 at 2:14 PM, Michael Paquier
> <michael.paqu...@gmail.com> wrote:
>> On Wed, Mar 30, 2016 at 1:01 PM, Robbie Harwood <rharw...@redhat.com> wrote:
>>> A new version of my GSSAPI
Alvaro Herrera <alvhe...@2ndquadrant.com> writes:
> Robbie Harwood wrote:
>> Michael Paquier <michael.paqu...@gmail.com> writes:
>
>> > + iov[0].iov_base = lenbuf;
>> > + iov[0].iov_len = 4;
>> > + iov[1].iov_base = output.value;
>>
.
- Remove accidental whitespace change.
Thanks!
From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On both the frontend and b
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Sat, Apr 2, 2016 at 7:34 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>
>> Since I still can't reproduce this locally (left a client machine and
>> a process on the same machine retrying for over
-and-then-send, which turns out to be not only shorter but
easier for me to reason about.
Thanks!
From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAP
nse to see what changed
by diffing from the previous changeset.
Thanks!
From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On b
functions.
- Error message cleanup.
Thanks!
From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On both the frontend and b
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Wed, Jul 27, 2016 at 12:22 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>> Michael Paquier <michael.paqu...@gmail.com> writes:
>>
>> So there's a connection setting `sslmode` that we'll want so
Robbie Harwood <rharw...@redhat.com> writes:
> Michael Paquier <michael.paqu...@gmail.com> writes:
>
>> On Thu, Apr 7, 2016 at 8:20 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
>>> Robbie Harwood <rharw...@redhat.com> writes:
>>>> Tom Lane
Robbie Harwood <rharw...@redhat.com> writes:
> So there's a connection setting `sslmode` that we'll want something
> similar to here (`gssapimode` or so). `sslmode` has six settings, but I
> think we only need three for GSSAPI: "disable", "allow", and
Michael Paquier <michael.paqu...@gmail.com> writes:
> On Tue, Jul 26, 2016 at 5:58 AM, Robbie Harwood <rharw...@redhat.com> wrote:
>> Robbie Harwood <rharw...@redhat.com> writes:
>
> Sorry for my late reply.
Thanks for the feedback!
>>> If I were to con
Tom Lane <t...@sss.pgh.pa.us> writes:
> Robbie Harwood <rharw...@redhat.com> writes:
>> So there's a connection setting `sslmode` that we'll want something
>> similar to here (`gssapimode` or so). `sslmode` has six settings, but I
>> think we only need th