Michael Paquier writes:
> On Wed, Jul 27, 2016 at 12:22 AM, Robbie Harwood wrote:
>> Michael Paquier writes:
>>
>> So there's a connection setting `sslmode` that we'll want something
>> similar to here (`gssapimode` or so). `sslmode` has six settings,
Tom Lane writes:
> Robbie Harwood writes:
>> So there's a connection setting `sslmode` that we'll want something
>> similar to here (`gssapimode` or so). `sslmode` has six settings, but I
>> think we only need three for GSSAPI: "disable", "allow"
Robbie Harwood writes:
> So there's a connection setting `sslmode` that we'll want something
> similar to here (`gssapimode` or so). `sslmode` has six settings, but I
> think we only need three for GSSAPI: "disable", "allow", and "prefer"
>
Michael Paquier writes:
> On Tue, Jul 26, 2016 at 5:58 AM, Robbie Harwood wrote:
>> Robbie Harwood writes:
>
> Sorry for my late reply.
Thanks for the feedback!
>>> If I were to continue as I have been - using the plaintext connection
>>> and auth negot
Robbie Harwood writes:
> Michael Paquier writes:
>
>> On Thu, Apr 7, 2016 at 8:20 AM, Tom Lane wrote:
>>> Robbie Harwood writes:
>>>> Tom Lane writes:
>>>>
>>>>> Wait a second. So the initial connection-request packet is
Michael Paquier writes:
> On Thu, Apr 7, 2016 at 8:20 AM, Tom Lane wrote:
>> Robbie Harwood writes:
>>> Tom Lane writes:
>>>
>>>> Wait a second. So the initial connection-request packet is
>>>> necessarily unencrypted under this scheme?
>
Justin Clift writes:
> Moving over a conversation from the pgsql-advocacy mailing list. In it
> Simon (CC'd) raised the issue of potentially creating a
> backwards-compatibility
> breaking release at some point in the future, to deal with things that
> might have no other solution (my wording).
Tom Lane writes:
> Robbie Harwood writes:
>> I need to flush this any time we might be doing encryption because it
>> needs to be in a separate request to _secure_write() from what follows
>> it. We don't know whether we should be doing encryption until
>> conn
Stephen Frost writes:
> Just an initial pass over the patch.
Thanks! In the interest of brevity, if I haven't replied to something,
I plan to fix it.
>> /*
>> - * Flush message so client will see it, except for AUTH_REQ_OK, which
>> need
>> - * not be sent until we are ready for
Alvaro Herrera writes:
> Robbie Harwood wrote:
>> Michael Paquier writes:
>>
>> > On Tue, Apr 5, 2016 at 9:06 AM, Robbie Harwood wrote:
>> >> Here's v12, both here and on my github:
>> >> https://github.com/frozencemetery/postgres/tree/fea
Michael Paquier writes:
> On Tue, Apr 5, 2016 at 9:06 AM, Robbie Harwood wrote:
>> Here's v12, both here and on my github:
>> https://github.com/frozencemetery/postgres/tree/feature/gssencrypt12
>>
> +#ifdef ENABLE_GSS
> + {
> + Memory
-send with a
buffer-and-then-send, which turns out to be not only shorter but
easier for me to reason about.
Thanks!
From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code in
Michael Paquier writes:
> On Sat, Apr 2, 2016 at 7:34 AM, Robbie Harwood wrote:
>
>> Since I still can't reproduce this locally (left a client machine and
>> a process on the same machine retrying for over an hour on your test
>> case and didn't see i
to using parse_bool for handling gss_encrypt.
- Remove accidental whitespace change.
Thanks!
From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On both
Michael Paquier writes:
> On Fri, Apr 1, 2016 at 12:31 PM, Robbie Harwood wrote:
>
>> - Fixed buffering of large replies on the server side. This should fix
>> the traceback that was being seen. The issue had to do with the
>> difference between the server and cl
_should_encrypt functions.
- Error message cleanup.
Thanks!
From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On both the frontend and backend, pre
Alvaro Herrera writes:
> Robbie Harwood wrote:
>> Michael Paquier writes:
>
>> > + iov[0].iov_base = lenbuf;
>> > + iov[0].iov_len = 4;
>> > + iov[1].iov_base = output.value;
>> > + iov[1].iov_len = output.length;
>> > +
Michael Paquier writes:
> On Thu, Mar 31, 2016 at 2:14 PM, Michael Paquier
> wrote:
>> On Wed, Mar 30, 2016 at 1:01 PM, Robbie Harwood wrote:
>>> A new version of my GSSAPI encryption patchset is available, both in
>>> this email and on my github:
>>> htt
kes the most sense to see what changed
by diffing from the previous changeset.
Thanks!
From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On both the fron
David Steele writes:
> On 3/20/16 12:09 AM, Robbie Harwood wrote:
>
>> A new version of my GSSAPI encryption patchset is available
>
> Here's a more thorough review:
Thanks for the review! To keep this a manageable size, I'm going to
trim pretty heavily. If I
Christian Ullrich writes:
> Updated patch attached.
Okay, I am happy now. Thanks!
Christian Ullrich writes:
> Updated patch attached.
I unfortunately don't have windows machines to test this on, but I
thought it might be helpful to review this anyway since I'm touching
code in the same general area (GSSAPI). And as far as I can tell, you
don't break anything there; master co
EQ_OK message conditional again.
- Fixed typo in server error message for insufficient GSSAPI protection.
Thanks!
From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own
Stephen Frost writes:
> Robbie,
>
> * Robbie Harwood (rharw...@redhat.com) wrote:
>> Michael Paquier writes:
>> > - maj_stat = gss_accept_sec_context(
>> > - &min_stat,
>> > + maj_stat = gss_accept
Michael Paquier writes:
> On Tue, Mar 15, 2016 at 3:12 PM, David Steele wrote:
>> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>>> Here's yet another version of GSSAPI encryption support.
>>
>> This looks far more stable than last versions, cool to see the
David Steele writes:
> On 3/14/16 4:10 PM, Robbie Harwood wrote:
>
>> David Steele writes:
>>
>>> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>>>
>>>> Here's yet another version of GSSAPI encryption support. It's also
>>>> a
deferring that step until later. This
removes the hang because now the connection will not erroneously get
stuck polling while data is buffered.
Thanks!
From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH
David Steele writes:
> Hi Robbie,
>
> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>> Hello friends,
>>
>> Here's yet another version of GSSAPI encryption support. It's also
>> available for viewing on my github:
>
> The build went fine but when t
David Steele writes:
> On 3/8/16 5:44 PM, Robbie Harwood wrote:
>>
>> Here's yet another version of GSSAPI encryption support. It's also
>> available for viewing on my github:
>
> I got this warning when applying the first patch in the set:
>
> ../oth
hat's fine and easy to do.
Thanks!
From 5674aa74effab4931bac1044f32dee83d915aa90 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Fri, 26 Feb 2016 16:07:05 -0500
Subject: [PATCH 1/3] Move common GSSAPI code into its own files
On both the frontend and backend, prepare for GSSAPI encryption support
by
Michael Paquier writes:
> On Tue, Feb 16, 2016 at 2:45 AM, Robbie Harwood wrote:
>> David Steele writes:
>>> On 2/10/16 4:06 PM, Robbie Harwood wrote:
>>>> Hello friends,
>>>>
>>>> For your consideration, here is a new version of GSSAPI enc
David Steele writes:
> On 2/15/16 12:45 PM, Robbie Harwood wrote:
>> David Steele writes:
>>
>>> 1) It didn't apply cleanly to HEAD. It did apply cleanly on a455878
>>> which I figured was recent enough for testing. I didn't bisect to find
David Steele writes:
> Hi Robbie,
>
> On 2/10/16 4:06 PM, Robbie Harwood wrote:
>> Hello friends,
>>
>> For your consideration, here is a new version of GSSAPI encryption
>> support. For those who prefer, it's also available on my github:
>> https
Michael Paquier writes:
> On Thu, Feb 11, 2016 at 6:06 AM, Robbie Harwood wrote:
>>
>> - The GSSAPI authentication code has been moved without modification.
>> In doing so, the temptation to modify it (flags, error checking, that
>> big comment at the top about th
.
Thanks!
From c92275b6605d7929cda5551de47a4c60aab7179e Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Tue, 17 Nov 2015 18:34:14 -0500
Subject: [PATCH] Connect encryption support for GSSAPI
Existing GSSAPI authentication code is extended to support connection
encryption. Connection begins as soon as possible - that is,
im
Jeff Janes writes:
> I can't ./configure --with-gssapi from git on ubuntu 14.04.3 because:
>
> configure: error: gssapi.h header file is required for GSSAPI
>
> If I download the distribution-specific 9.3 source with apt, I find
> their secret sauce to make it work:
>
> ./debian/rules:LDFLAGS+= -
Andreas, can you please weigh in here since your voice is important to
this process?
Robbie Harwood writes:
> Andres Freund writes:
>
>> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
>>> Hm, and that's why you chose this way of going. My main concern about
>
Jeff Janes writes:
> On Tue, Sep 29, 2015 at 7:53 AM, Robbie Harwood wrote:
>> Robbie Harwood writes:
>>
>>>>>> Michael Paquier writes:
>>>>>>
>>>>>>> Well, the issue is still here: login through gssapi fails with
Andres Freund writes:
> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote:
>> Hm, and that's why you chose this way of going. My main concern about
>> this patch is that it adds on top of the existing Postgres protocol a
>> layer to encrypt and decrypt the messages between server and client
>>
Michael Paquier writes:
> On Tue, Oct 20, 2015 at 3:01 AM, Robbie Harwood wrote:
>> Stephen Frost writes:
>>> psql: lost synchronization with server: got message type "S", length 22
>>
>> which unfortunately could be a great many things. I've sai
Michael Paquier writes:
> Robbie,
>
> +#ifdef ENABLE_GSS
> + if (pggss_encrypt(conn) < 0)
> + return EOF;
> +#endif
>
> @@ -1528,10 +1541,20 @@ socket_putmessage(char msgtype, const char *s,
> size_t len)
> if (internal_putbytes(s, len))
> goto fail;
>
Stephen Frost writes:
> As for this patch, the reason I've not been as involved (beyond being
> ridiculously busy) is that Michael's environment, which at least appears
> perfectly reasonable (and works with PG unpatched) isn't working. If we
> can get that working (and I've not looked at what's
Craig Ringer writes:
> On 14 October 2015 at 06:34, Robbie Harwood wrote:
>> Alright, here's v3. As requested, it's one patch now.
>
> I hate to ask, but have you looked at how this interacts with Windows?
>
> We support Windows SSPI (on a domain-member host) a
tions to this problem, I would love to
hear them; right now though I don't see a better way.
Patch follows. Thanks!
From 6710d5ad0226ea3a5ea8e35d6dc54b4500f1d3e0 Mon Sep 17 00:00:00 2001
From: "Robbie Harwood (frozencemetery)"
Date: Mon, 8 Jun 2015 19:27:45 -0400
Subject: [PA
I'll
squish for v3. Sorry for the inconvenience.
>> On 2015-07-02 14:22:13 -0400, Robbie Harwood wrote:
>> [Andres' comments]
>
> Here are some comments on top of what Andres has mentioned.
>
> --- a/configure.in
> +++ b/configure.in
> @@ -636,6 +636,7
don't
> individually make sense.
That's fair. Can you suggest a better organization?
> On 2015-07-02 14:22:13 -0400, Robbie Harwood wrote:
>> +#include
>
> postgres.h should be the first header included.
Okay, will fix.
>> +size_t
>> +be_gss_encrypt(Port *port
Robbie Harwood writes:
>>>> Michael Paquier writes:
>>>>
>>>>> Well, the issue is still here: login through gssapi fails with
>>>>> your patch, not with HEAD. This patch is next on my review list by
>>>>> the way so I'll
Michael Paquier writes:
> On Thu, Sep 10, 2015 at 4:27 PM, Michael Paquier
> wrote:
>> On Thu, Sep 10, 2015 at 1:44 AM, Robbie Harwood wrote:
>>> Michael Paquier writes:
>>>> On Wed, Sep 9, 2015 at 4:12 AM, Robbie Harwood wrote:
>>>>> Michael P
Michael Paquier writes:
> On Wed, Sep 9, 2015 at 4:12 AM, Robbie Harwood wrote:
>> Michael Paquier writes:
>> As promised, here's a V2 to address your issues with comments. I
>> haven't heard back on the issues you found in testing, so no other
>> change
Michael Paquier writes:
> On Fri, Jul 3, 2015 at 3:22 AM, Robbie Harwood wrote:
>
>> Hello -hackers,
>>
>> As previously discussed on this list, I have coded up GSSAPI encryption
>> support. If it is easier for anyone, this code is also available for
Michael Paquier writes:
> On Fri, Jul 3, 2015 at 3:22 AM, Robbie Harwood wrote:
>
>> There are 8 commits in this series; I have tried to err on the side of
>> creating too much separation rather than too little. A patch for each
>> is attached. This is v1 of the series
Steve Singer writes:
> On 04/19/2015 11:18 AM, Mikko Tiihonen wrote:
>>
>> Hi,
>>
>>
>> I would like allow specifying multiple host names for libpq to try to
>> connect to. This is currently only supported if the host name
>> resolves to multiple addresses. Having the support for it without
separation rather than too little. A patch for each
is attached. This is v1 of the series.
Thanks!
From f506ba6ab6755f56c8aadba7d72a8839d5fbc0d9 Mon Sep 17 00:00:00 2001
From: "Robbie Harwood (frozencemetery)"
Date: Mon, 8 Jun 2015 19:27:45 -0400
Subject: build: Define with_gssapi
Robbie Harwood writes:
> Stephen Frost writes:
>
>> Robbie,
>>
>> * Robbie Harwood (rharw...@redhat.com) wrote:
>>
>>> We'd I think also want a new kind of HBA entry (probably something along
>>> the lines of `hostgss` to contrast with `hos
Stephen Frost writes:
> Robbie,
>
> * Robbie Harwood (rharw...@redhat.com) wrote:
>
>> We'd I think also want a new kind of HBA entry (probably something along
>> the lines of `hostgss` to contrast with `hostssl`), but I'm not sure
>> what we'd
Hello!
Today, there exists GSSAPI authentication support in Postgres. I plan
to extend this work to include encryption as well, but wanted to get
your input on that first since you've probably thought about this
already.
From what I can tell, the auth/encryption layer is very nicely designed
for