Discussion: GSSAPI encryption support


GSSAPI encryption support

From
Raj kumar
Date:
Hi Team,

Postgres 12 added "GSSAPI encryption support" as an additional feature to the "GSSAPI Authentication" mechanism introduced in Postgres 11.  I have a few questions based on it.

1) The encryption support means that the encryption between the Client and the Server over the network, which was previously possible only through SSL or previously, not encrypted at all. Now, instead of SSL, we can change pg_hba.conf with the parameters "hostgssenc" and "hostnogssenc" to support encryption over the network directly using gssapi.

2) We need to have a client server, a service server and a Key Distribution Center Server which should have Kerberos installed in it. Kerberos is available as open source.

Please help me if my understanding is correct and let me know about the major improvement on this feature with PG12. I have referred to the Documentation and some blogs. But, couldn't get the right picture. Your reply is appreciated.

Thanks and Regards,
Raj Kumar.

Re: GSSAPI encryption support

From
Stephen Frost
Date:
Greetings,

* Raj kumar (rajkumar820999@gmail.com) wrote:
> 1) The encryption support means that the encryption between the Client and
> the Server over the network, which was previously possible only through SSL
> or previously, not encrypted at all. Now, instead of SSL, we can change
> pg_hba.conf with the parameters "hostgssenc" and "hostnogssenc" to support
> encryption over the network directly using gssapi.

Yes.

> 2) We need to have a client server, a service server and a Key Distribution
> Center Server which should have Kerberos installed in it. Kerberos is
> available as opensource.

Not sure what you mean by 'client server' and 'service server' here,
but, yes you do need a client, a PG server, and a KDC.  There's multiple
Kerberos implementations available as open source- MIT Kerberos and
Heimdal are the popular ones.

> Please help me if my understanding is correct and let me know about the
> major improvement on this feature with PG12. I have referred Documentation
> and some blogs. But, couldn't get the right picture. Your reply is
> appreciable.

As usual, you'll want to run the most recent minor version of PG,
particularly when working with new features.  We've had a few issues in
the GSSAPI encryption which have been fixed in the latest PG12 minor
release (12.3).

Generally speaking, if you've got a Kerberos environment and have PG
working with Kerberos, GSSAPI encryption will just start happening,
though it is recommended to use the 'hostgssenc' lines on the server
side pg_hba.conf, as you mention, and on the client side set
'gssencmode=require' on the client, to ensure the communication will
be using GSSAPI encryption (the default is only 'prefer', similar to
SSL).

Thanks,

Stephen
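The advice above is to pair `hostgssenc` rules with a client-side `gssencmode=require`; the easy thing to miss is a leftover plain `host` rule that still admits an unencrypted session for the same database and user. Below is an added audit script (not from the thread or from PostgreSQL itself) that parses a constructed pg_hba.conf and reports TCP rules whose connection type can match a session with neither GSSAPI nor SSL encryption and whose method is not `reject`.

```python
"""Audit pg_hba.conf for TCP rules that still admit unencrypted sessions.

Constructed example for this thread, not PostgreSQL code. A 'host' rule
matches any TCP session, encrypted or not; 'hostnossl' and 'hostnogssenc'
match only sessions lacking that one protection, so a 'hostnossl' rule with
a real auth method still accepts a plaintext client.  Only 'hostssl' and
'hostgssenc' are guaranteed to see an encrypted transport.
"""
import re

CAN_MATCH_PLAINTEXT = {"host", "hostnossl", "hostnogssenc"}
ENCRYPTED_ONLY = {"hostssl", "hostgssenc"}

# Constructed sample, modelled on the hostgssenc/hostnogssenc pattern above.
SAMPLE_HBA = """
# TYPE        DATABASE  USER  ADDRESS          METHOD
local         all       all                    peer
hostgssenc    all       all   10.0.0.0/8       gss include_realm=0 krb_realm=EXAMPLE.COM
hostnogssenc  all       all   10.0.0.0/8       reject
host          all       all   192.168.1.0/24   md5      # legacy rule left behind
hostssl       all       all   0.0.0.0/0        scram-sha-256
"""


def parse_hba(text):
    """Return (type, database, user, address, method) per active rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = re.split(r"\s+", line)
        if f[0] == "local" and len(f) >= 4:    # local rules carry no ADDRESS
            rules.append((f[0], f[1], f[2], None, f[3]))
        elif len(f) >= 5:                      # TYPE DB USER ADDRESS METHOD [opts]
            rules.append((f[0], f[1], f[2], f[3], f[4]))
    return rules


def plaintext_exposures(text):
    """Rules that could accept an unencrypted TCP session with a real auth method.

    Order-sensitivity is not modelled: PostgreSQL stops at the first matching
    rule, so a matching 'reject' placed earlier would shadow a flagged rule.
    """
    return [r for r in parse_hba(text)
            if r[0] in CAN_MATCH_PLAINTEXT and r[4] != "reject"]


if __name__ == "__main__":
    for rule in plaintext_exposures(SAMPLE_HBA):
        print("admits plaintext:", rule)
```

Once only `hostgssenc`/`hostssl` rules admit clients, connect with `gssencmode=require` and confirm from inside the session with `SELECT encrypted FROM pg_stat_gssapi WHERE pid = pg_backend_pid();`.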


Re: GSSAPI encryption support

From
Raj kumar
Date:
Thanks Stephen. 😊

Thanks,
Raj

On Mon, 18 May 2020, 21:10 Stephen Frost, <sfrost@snowman.net> wrote:

Re: GSSAPI encryption support

From
Stephen Frost
Date:
Greetings,

* Raj kumar (rajkumar820999@gmail.com) wrote:
> Thanks Stephen. 😊

Sure.  Also- just to be clear, if you already have an Active Directory
environment, then you already have a KDC- you don't need to stand up
another one (though you certainly could and could use a cross-realm
trust relationship between the AD environment to the MIT/Heimdal one, if
you wanted, and allow AD authenticated users to connect to the PG server
in the MIT/Heimdal realm using Kerberos).

Thanks,

Stephen
