Re: Future of krb5 authentication
| From | Magnus Hagander |
|---|---|
| Subject | Re: Future of krb5 authentication |
| Date | |
| Msg-id | 469E70D8.8000204@hagander.net |
| In response to | Re: Future of krb5 authentication (Heikki Linnakangas <heikki@enterprisedb.com>) |
| Responses | Re: Future of krb5 authentication; Re: Future of krb5 authentication |
| List | pgsql-hackers |

Heikki Linnakangas wrote:
> Stephen Frost wrote:
>> Honestly, for now I'm happy w/ it being a connectionstring option. It
>> seems the most appropriate place for it to go. That does mean that
>> applications may need to be modified to support gssapi (where they might
>> not have to be for sspi since it's the default), but since we're going
>> to keep krb5 support around for a bit there's time for those
>> applications to catch up without breaking things explicitly for people
>> migrating to 8.3.
>
> Isn't it possible to open the socket, try GSSAPI handshaking with
> protocol, and fall back to krb5 protocol if that fails? If that's not
> possible, how about handling it like we handle postgres protocol 3 vs 2?
> Connect using GSSAPI first, and if that fails, retry with krb5.

The issue is *not* about GSSAPI vs krb5. It's with GSSAPI vs SSPI. The
wire protocol is the same for them. It's a matter of which *client
library* should be used to produce the packets that go over the network.

//Magnus