On Saturday, December 9, 2023, Stephen Frost <
sfrost@snowman.net> wrote:
The idea is that you can use both TLS and GSSAPI-with-encryption at the same time within a given cluster for connections but you wouldn’t use them on the same connection. Certainly would welcome suggestions as to the best way to phrase that.
It isn’t really connection driven though - or even specific to these two options. The pg_hba.conf file can contain any number of different authentication methods that are usable simultaneously (from the perspective of the cluster). But a given login request is only going to match a single one of those lines; so it isn’t like the client somehow decides during each login using the same machine and user name which way they are going to verify who they say they are.
We don’t call out being able to use password and peer simultaneously, the description and specification of the pg_hba.conf file itself imparts that information. I’m unclear why these two would warrant a special calling out.
David J.