Is there support for GSSAPI encryption mechanism?

[Sireax]

I am trying to connect to postgres with GSSAPI using third-party plugin gopgkrb5. It uses gokrb5 to conduct all the operations. Kerberos authentication completes successfully, but it is done without GSSAPI Encryption (Integrity as far as I know). So all the traffic goes through insecure network. It seems like gokrb5 does not support GSSAPI Integrity, but im not sure.
If there is any clue how to do that, could you please help me out?

Original issue: jackc/pgx#1220

[douglasawh]

@jcmturner I too am wondering this. I can see there is some encoding in the code, but I cannot tell if that code is for encryption or not

[Sireax]

@jcmturner I too am wondering this. I can see there is some encoding in the code, but I cannot tell if that code is for encryption or not

No there is not. But I managed to add it by myself using another gssapi library

[Sireax]

By the way, it is not really related to gokrb itself, implementations will differ for some services and databases

[nicowilliams]

What is a "GSSAPI encryption mechanism"? Can you refer to a specific C/Java or abstract function/method from RFC 2743, 2744, etc?

[tsipinakis]

I have just sent a PR that implements all the required framework to implement a GSS-API server. This is now possible with this library.

Edit: It's unclear if this issue is talking about the client-side or server-side GSS-API protocol. Sever side is now possible for sure (I have implemented one, client-side is probably also possible).