Hi Team,
I’ve noticed that in recent automated PostgreSQL provisioning runs, the "pg_krb5.conf" file is no longer present on newly built instances.
From an SRE standpoint, this should not impact us since:
- Our primary authentication mechanism is SSL certificate-based.
- LDAP usage (in our case) does not rely on Kerberos/GSSAPI.
- "krb5.conf" is only required when Kerberos (GSSAPI) authentication is enabled via "pg_hba.conf".
Could you please confirm whether this removal is intentional?
Just want to ensure there are no implications for any edge cases or future auth integrations.
Thanks,
Nikhil

Hi Team,
I hope you’re doing well.
I wanted to highlight an observation from the recent PostgreSQL server provisioning runs (automated builds in our environment). I’ve noticed that the "pg_krb5.conf" file is no longer being provisioned on newly created instances.
As part of a quick technical review from the SRE perspective:
- Our authentication model is predominantly certificate-based (SSL client certs), which does not depend on Kerberos configuration.
- LDAP authentication is used occasionally, and standard LDAP (without GSSAPI/Kerberos binding) also does not require a "krb5.conf" file.
- The "krb5.conf" file becomes relevant only if GSSAPI/Kerberos authentication is enabled (e.g., "gss" entries in "pg_hba.conf") or if LDAP is configured with SASL/GSSAPI.
- In the absence of Kerberos-based authentication, the file should not have any functional impact on PostgreSQL connectivity.
That said, I wanted to confirm:
- Is the omission of "pg_krb5.conf" intentional as part of a security hardening or configuration simplification effort?
- Or should it still be provisioned for fallback / future Kerberos-based integrations?
Just seeking confirmation to ensure there are no unintended side effects in edge cases or future auth model changes.
Thanks in advance for the clarification.
Best regards,
Nikhil
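
The condition both messages rely on (Kerberos configuration only matters when "pg_hba.conf" contains GSSAPI rules) can be checked per instance. The following is an added example, not part of the original messages or of any provisioning code: the function name and the sample rules are constructed, and it assumes no quoted fields containing spaces and does not follow include directives.

```python
# Added example: find pg_hba.conf rules that depend on Kerberos/GSSAPI.
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
                "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def kerberos_rules(hba_text):
    """Return (line_number, reason, rule) for each rule that needs GSSAPI."""
    hits = []
    for lineno, raw in enumerate(hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not fields or fields[0].startswith("include"):
            continue                               # included files: check separately
        conn_type = fields[0]
        if conn_type == "local":
            # local records: TYPE DATABASE USER METHOD [OPTIONS]
            method = fields[3] if len(fields) > 3 else None
        else:
            # host* records: TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]
            method = next((f for f in fields[4:6] if f in AUTH_METHODS), None)
        rule = " ".join(fields)
        if method == "gss":
            hits.append((lineno, "auth method gss", rule))
        elif conn_type == "hostgssenc" and method != "reject":
            hits.append((lineno, "GSSAPI-encrypted transport", rule))
    return hits

# Constructed sample: certificate and simple-bind LDAP auth only.
SAMPLE_CERT_LDAP = """\
# TYPE   DATABASE  USER      ADDRESS                 METHOD
local    all       postgres                          peer
hostssl  all       all       10.0.0.0/8              cert
hostssl  reports   all       10.20.0.0 255.255.0.0   ldap ldapserver=ldap.example.internal
"""

# Constructed sample: one gss rule and one GSSAPI-encrypted transport rule.
SAMPLE_GSS = """\
local       all  postgres              peer
host        all  all      10.0.0.0/8   gss include_realm=0 krb_realm=EXAMPLE.INTERNAL
hostgssenc  all  all      10.0.0.0/8   scram-sha-256
hostgssenc  all  all      0.0.0.0/0    reject
"""

if __name__ == "__main__":
    for name, text in (("cert/ldap", SAMPLE_CERT_LDAP), ("gss", SAMPLE_GSS)):
        found = kerberos_rules(text)
        print(name, "-> Kerberos config needed" if found else "-> no GSSAPI rules")
        for lineno, reason, rule in found:
            print(f"  line {lineno}: {reason}: {rule}")
```

An empty result means no rule in the scanned file uses GSSAPI; a non-empty result lists the rules to review before a build ships without Kerberos configuration.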




