Re: [PATCH v20] GSSAPI encryption support

Stephen Frost <sfrost(at)snowman(dot)net> writes:

> * Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
>> On 2019-04-05 04:59, Stephen Frost wrote:
>>
>>> Alright, that over-size error was a bug in the error-handling code,
>>> which I've just pushed a fix for. That said...
>>
>> Yes, that looks better now.
>
> Great.
>
>>> This looks like it's a real issue and it's unclear what's going on
>>> here. I wonder- are you certain that you're using all the same
>>> Kerberos libraries for the KDC, the server, and psql?
>>
>> Right, it was built against the OS-provided Kerberos installation
>> (/usr/bin etc.). If I build against the Homebrew-provided one then
>> the tests pass.
>
> All of it was built against the OS-provided Kerberos install, and you
> got the failure..?
>
>> So maybe that means that this encryption feature is not supported on
>> that (presumably older) installation? (krb5-config --version says
>> "Kerberos 5 release 1.7-prerelease") Is that plausible? Is a gentler
>> failure mode possible?

Heimdal never had a 1.7 release - they went from 1.5.2 to 7.1.0.

MIT did have a 1.7 release - in 2009.

Apple doesn't open source their Kerberos implementation, so I can't
exactly point a debugger at it. But if it's in fact somehow related to
MIT 1.7-prerelease, I imagine they inherited a bug or two that's been
fixed in the ten years since then.

As for the code: I'm not doing anything complicated. The interface I'm
using is as specified in RFC2743 and RFC2744, which is from 2000 (though
I think technically I'm mostly backward compatible to RFC1509, from
1993), and Kerberos V5 itself is specified in RFC4120 (from 2005).

> On a failure to set up an encrypted connection, we'll actually fall
> back to a non-encrypted one, using GSSAPI *just* for authentication,
> which is why I was asking if this worked before the encryption patch
> went in. Also, which of the tests are still failing, exactly? The
> authentication ones or the encryption ones or both?

Good question.

> If we determine that this is some issue with the MacOS-provided
> Kerberos libraries, then we could try to detect them and disable
> GSSAPI encryption in that case explicitly, I suppose, but I've seen
> odd things with the MacOS-provided Kerberos libraries before on
> released versions of PG (without any encryption support), so I'm not
> yet convinced that this is an issue that's specific to adding support
> for encryption.

If we have to, a version check >1.7 would probably work. That'll remove
the ability to work on RHEL/CentOS 5, but that's probably fine, and I'm
not aware of any other supported OSs that would be impacted.

Thanks,
--Robbie