author | Magnus Hagander <magnus@hagander.net> | 2014-01-15 17:24:01 +0100 |
committer | Magnus Hagander <magnus@hagander.net> | 2014-01-19 17:05:01 +0100 |
commit | 98de86e4221a418d670db86bf28ff15e880beadc (patch) | |
tree | aeba76356dfe639d4e9aff48875062f1defb16cc /src | |
parent | 4b8f2859ccc4fe1e9b66fbdb332b830b69a9d6cf (diff) | |
Remove support for native krb5 authentication
krb5 has been deprecated since 8.3, and the recommended way to do
Kerberos authentication is using the GSSAPI authentication method
(which is still fully supported).
libpq still recognizes a krb5 authentication request, but only to report
that it is unsupported. Since all authentication is initiated from the
backend, there is no need to keep any of it in the backend.
Diffstat (limited to 'src')
-rw-r--r-- | src/backend/libpq/auth.c | 217 | ||||
-rw-r--r-- | src/backend/libpq/hba.c | 35 | ||||
-rw-r--r-- | src/backend/libpq/pg_hba.conf.sample | 2 | ||||
-rw-r--r-- | src/bin/initdb/initdb.c | 3 | ||||
-rw-r--r-- | src/include/libpq/hba.h | 1 | ||||
-rw-r--r-- | src/include/libpq/pqcomm.h | 2 | ||||
-rw-r--r-- | src/include/pg_config.h.in | 18 | ||||
-rw-r--r-- | src/include/pg_config.h.win32 | 15 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-auth.c | 264 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-connect.c | 4 | ||||
-rw-r--r-- | src/interfaces/libpq/libpq-int.h | 2 | ||||
-rw-r--r-- | src/tools/msvc/Solution.pm | 6 | ||||
-rw-r--r-- | src/tools/msvc/config_default.pl | 1 |
13 files changed, 11 insertions, 559 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 85899159843..882dc8faf1b 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -134,29 +134,6 @@ bool pg_krb_caseins_users; /*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 5 - *---------------------------------------------------------------- - */ -#ifdef KRB5 -static int pg_krb5_recvauth(Port *port); - -#include <krb5.h> -/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */ -#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__) -#include <com_err.h> -#endif -/* - * Various krb5 state which is not connection specific, and a flag to - * indicate whether we have initialised it yet. - */ -static int pg_krb5_initialised; -static krb5_context pg_krb5_context; -static krb5_keytab pg_krb5_keytab; -static krb5_principal pg_krb5_server; -#endif /* KRB5 */ - - -/*---------------------------------------------------------------- * GSSAPI Authentication *---------------------------------------------------------------- */ @@ -257,9 +234,6 @@ auth_failed(Port *port, int status) case uaImplicitReject: errstr = gettext_noop("authentication failed for user \"%s\": host rejected"); break; - case uaKrb5: - errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\""); - break; case uaTrust: errstr = gettext_noop("\"trust\" authentication failed for user \"%s\""); break; @@ -497,15 +471,6 @@ ClientAuthentication(Port *port) break; } - case uaKrb5: -#ifdef KRB5 - sendAuthRequest(port, AUTH_REQ_KRB5); - status = pg_krb5_recvauth(port); -#else - Assert(false); -#endif - break; - case uaGSS: #ifdef ENABLE_GSS sendAuthRequest(port, AUTH_REQ_GSS); 
@@ -735,188 +700,6 @@ recv_and_check_password_packet(Port *port) } -/*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 5 - *---------------------------------------------------------------- - */ -#ifdef KRB5 - -static int -pg_krb5_init(Port *port) -{ - krb5_error_code retval; - char *khostname; - - if (pg_krb5_initialised) - return STATUS_OK; - - retval = krb5_init_context(&pg_krb5_context); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos initialization returned error %d", - retval))); - com_err("postgres", retval, "while initializing krb5"); - return STATUS_ERROR; - } - - retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos keytab resolving returned error %d", - retval))); - com_err("postgres", retval, "while resolving keytab file \"%s\"", - pg_krb_server_keyfile); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - /* - * If no hostname was specified, pg_krb_server_hostname is already NULL. - * If it's set to blank, force it to NULL. - */ - khostname = port->hba->krb_server_hostname; - if (khostname && khostname[0] == '\0') - khostname = NULL; - - retval = krb5_sname_to_principal(pg_krb5_context, - khostname, - pg_krb_srvnam, - KRB5_NT_SRV_HST, - &pg_krb5_server); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d", - khostname ? khostname : "server hostname", pg_krb_srvnam, retval))); - com_err("postgres", retval, - "while getting server principal for server \"%s\" for service \"%s\"", - khostname ? 
khostname : "server hostname", pg_krb_srvnam); - krb5_kt_close(pg_krb5_context, pg_krb5_keytab); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - pg_krb5_initialised = 1; - return STATUS_OK; -} - - -/* - * pg_krb5_recvauth -- server routine to receive authentication information - * from the client - * - * We still need to compare the username obtained from the client's setup - * packet to the authenticated name. - * - * We have our own keytab file because postgres is unlikely to run as root, - * and so cannot read the default keytab. - */ -static int -pg_krb5_recvauth(Port *port) -{ - krb5_error_code retval; - int ret; - krb5_auth_context auth_context = NULL; - krb5_ticket *ticket; - char *kusername; - char *cp; - - ret = pg_krb5_init(port); - if (ret != STATUS_OK) - return ret; - - retval = krb5_recvauth(pg_krb5_context, &auth_context, - (krb5_pointer) & port->sock, pg_krb_srvnam, - pg_krb5_server, 0, pg_krb5_keytab, &ticket); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos recvauth returned error %d", - retval))); - com_err("postgres", retval, "from krb5_recvauth"); - return STATUS_ERROR; - } - - /* - * The "client" structure comes out of the ticket and is therefore - * authenticated. Use it to check the username obtained from the - * postmaster startup packet. 
- */ -#if defined(HAVE_KRB5_TICKET_ENC_PART2) - retval = krb5_unparse_name(pg_krb5_context, - ticket->enc_part2->client, &kusername); -#elif defined(HAVE_KRB5_TICKET_CLIENT) - retval = krb5_unparse_name(pg_krb5_context, - ticket->client, &kusername); -#else -#error "bogus configuration" -#endif - if (retval) - { - ereport(LOG, - (errmsg("Kerberos unparse_name returned error %d", - retval))); - com_err("postgres", retval, "while unparsing client name"); - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - - cp = strchr(kusername, '@'); - if (cp) - { - /* - * If we are not going to include the realm in the username that is - * passed to the ident map, destructively modify it here to remove the - * realm. Then advance past the separator to check the realm. - */ - if (!port->hba->include_realm) - *cp = '\0'; - cp++; - - if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) - { - /* Match realm against configured */ - if (pg_krb_caseins_users) - ret = pg_strcasecmp(port->hba->krb_realm, cp); - else - ret = strcmp(port->hba->krb_realm, cp); - - if (ret) - { - elog(DEBUG2, - "krb5 realm (%s) and configured realm (%s) don't match", - cp, port->hba->krb_realm); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - } - } - else if (port->hba->krb_realm && strlen(port->hba->krb_realm)) - { - elog(DEBUG2, - "krb5 did not return realm but realm matching was requested"); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - - ret = check_usermap(port->hba->usermap, port->user_name, kusername, - pg_krb_caseins_users); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - free(kusername); - - return ret; -} -#endif /* KRB5 */ - /*---------------------------------------------------------------- * GSSAPI 
authentication system
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index ae25cf873f5..77434f410ae 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1177,12 +1177,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 parsedline->auth_method = uaPeer;
 else if (strcmp(token->string, "password") == 0)
 parsedline->auth_method = uaPassword;
- else if (strcmp(token->string, "krb5") == 0)
-#ifdef KRB5
- parsedline->auth_method = uaKrb5;
-#else
- unsupauth = "krb5";
-#endif
 else if (strcmp(token->string, "gss") == 0)
 #ifdef ENABLE_GSS
 parsedline->auth_method = uaGSS;
@@ -1262,17 +1256,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 
 /* Invalid authentication combinations */
 if (parsedline->conntype == ctLocal &&
- parsedline->auth_method == uaKrb5)
- {
- ereport(LOG,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("krb5 authentication is not supported on local sockets"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, HbaFileName)));
- return NULL;
- }
-
- if (parsedline->conntype == ctLocal &&
 parsedline->auth_method == uaGSS)
 {
 ereport(LOG,
@@ -1417,11 +1400,10 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
 {
 if (hbaline->auth_method != uaIdent &&
 hbaline->auth_method != uaPeer &&
- hbaline->auth_method != uaKrb5 &&
 hbaline->auth_method != uaGSS &&
 hbaline->auth_method != uaSSPI &&
 hbaline->auth_method != uaCert)
- INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi, and cert"));
+ INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
 hbaline->usermap = pstrdup(val);
 }
 else if (strcmp(name, "clientcert") == 0)
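Review bot: In the @@ -1177 hunk, a pg_hba.conf line that still names `krb5` no longer reaches the `unsupauth` path and presumably falls through to the generic invalid-method handling of the else chain that continues past this hunk, which gives an administrator upgrading an existing configuration no hint that `gss` is the replacement. Since `krb5` entries are likely to be common in deployed pg_hba.conf files, consider keeping a dedicated branch for the token whose error text says something like `"authentication method \"krb5\" is no longer supported; use \"gss\" instead"` rather than reporting it as a bare syntax error. parse_hba_line starts and ends outside the hunk, so the exact shape of the fallback cannot be confirmed from here.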
@@ -1578,25 +1560,18 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
 REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap");
 hbaline->ldapsuffix = pstrdup(val);
 }
- else if (strcmp(name, "krb_server_hostname") == 0)
- {
- REQUIRE_AUTH_OPTION(uaKrb5, "krb_server_hostname", "krb5");
- hbaline->krb_server_hostname = pstrdup(val);
- }
 else if (strcmp(name, "krb_realm") == 0)
 {
- if (hbaline->auth_method != uaKrb5 &&
- hbaline->auth_method != uaGSS &&
+ if (hbaline->auth_method != uaGSS &&
 hbaline->auth_method != uaSSPI)
- INVALID_AUTH_OPTION("krb_realm", gettext_noop("krb5, gssapi, and sspi"));
+ INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi"));
 hbaline->krb_realm = pstrdup(val);
 }
 else if (strcmp(name, "include_realm") == 0)
 {
- if (hbaline->auth_method != uaKrb5 &&
- hbaline->auth_method != uaGSS &&
+ if (hbaline->auth_method != uaGSS &&
 hbaline->auth_method != uaSSPI)
- INVALID_AUTH_OPTION("include_realm", gettext_noop("krb5, gssapi, and sspi"));
+ INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi"));
 if (strcmp(val, "1") == 0)
 hbaline->include_realm = true;
 else
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index a12ba26ad57..86a89edf9ad 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -43,7 +43,7 @@
 # directly connected to.
 #
 # METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
-# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
+# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
 # "password" sends passwords in clear text; "md5" is preferred since
 # it sends encrypted passwords.
 #
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index a9aa7a487f6..7e934b75abb 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
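Review bot: The only writer of `hbaline->krb_server_hostname` is removed in the @@ -1578 hunk, but the HbaLine member itself does not appear to go with it: the diffstat lists a single changed line for src/include/libpq/hba.h and that hunk only drops `uaKrb5`. A field that nothing assigns should be removed from HbaLine in the same commit, together with any copy or free of it elsewhere in hba.c, so a later reader does not mistake it for a live setting. The same question applies to the auth.c globals referenced only by the deleted code on this page (`pg_krb_srvnam` in particular); `pg_krb_server_keyfile` and `pg_krb_caseins_users` may still be read by the GSSAPI path, which cannot be confirmed from the hunks shown. parse_hba_auth_opt starts and ends outside the hunk.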
@@ -76,9 +76,6 @@ static const char *auth_methods_host[] = {"trust", "reject", "md5", "password",
 #ifdef ENABLE_SSPI
 "sspi",
 #endif
-#ifdef KRB5
- "krb5",
-#endif
 #ifdef USE_PAM
 "pam", "pam ",
 #endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 73ae5105eb9..5a103aed195 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -20,7 +20,6 @@ typedef enum UserAuth
 {
 uaReject,
 uaImplicitReject,
- uaKrb5,
 uaTrust,
 uaIdent,
 uaPassword,
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index 0be839c23cc..969fe5e105d 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -164,7 +164,7 @@ extern bool Db_user_namespace;
 
 #define AUTH_REQ_OK 0 /* User is authenticated */
 #define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */
-#define AUTH_REQ_KRB5 2 /* Kerberos V5 */
+#define AUTH_REQ_KRB5 2 /* Kerberos V5. Not supported any more. */
 #define AUTH_REQ_PASSWORD 3 /* Password */
 #define AUTH_REQ_CRYPT 4 /* crypt password. Not supported any more. */
 #define AUTH_REQ_MD5 5 /* md5 password */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 64717dfcd41..0bade28b972 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -260,21 +260,6 @@
 /* Define to 1 if you have isinf(). */
 #undef HAVE_ISINF
 
-/* Define to 1 if `e_data' is a member of `krb5_error'. */
-#undef HAVE_KRB5_ERROR_E_DATA
-
-/* Define to 1 if `text.data' is a member of `krb5_error'. */
-#undef HAVE_KRB5_ERROR_TEXT_DATA
-
-/* Define to 1 if you have krb5_free_unparsed_name. */
-#undef HAVE_KRB5_FREE_UNPARSED_NAME
-
-/* Define to 1 if `client' is a member of `krb5_ticket'. */
-#undef HAVE_KRB5_TICKET_CLIENT
-
-/* Define to 1 if `enc_part2' is a member of `krb5_ticket'. */
-#undef HAVE_KRB5_TICKET_ENC_PART2
-
 /* Define to 1 if you have the <langinfo.h> header file. */
 #undef HAVE_LANGINFO_H
 
@@ -656,9 +641,6 @@
 /* Define to the appropriate snprintf format for 64-bit ints. */
 #undef INT64_FORMAT
 
-/* Define to build with Kerberos 5 support. (--with-krb5) */
-#undef KRB5
-
 /* Define to 1 if `locale_t' requires <xlocale.h>. */
 #undef LOCALE_T_IN_XLOCALE
 
diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32
index b69414fd484..19ef4c1a9fb 100644
--- a/src/include/pg_config.h.win32
+++ b/src/include/pg_config.h.win32
@@ -193,18 +193,6 @@
 /* Define to 1 if you have isinf(). */
 #define HAVE_ISINF 1
 
-/* Define to 1 if `e_data' is member of `krb5_error'. */
-/* #undef HAVE_KRB5_ERROR_E_DATA */
-
-/* Define to 1 if `text.data' is member of `krb5_error'. */
-/* #undef HAVE_KRB5_ERROR_TEXT_DATA */
-
-/* Define to 1 if `client' is member of `krb5_ticket'. */
-/* #undef HAVE_KRB5_TICKET_CLIENT */
-
-/* Define to 1 if `enc_part2' is member of `krb5_ticket'. */
-/* #undef HAVE_KRB5_TICKET_ENC_PART2 */
-
 /* Define to 1 if you have the <langinfo.h> header file. */
 /* #undef HAVE_LANGINFO_H */
 
@@ -541,9 +529,6 @@
 /* Define to the appropriate snprintf format for 64-bit ints, if any. */
 #define INT64_FORMAT "%lld"
 
-/* Define to build with Kerberos 5 support. (--with-krb5) */
-/* #undef KRB5 */
-
 /* Define to 1 if `locale_t' requires <xlocale.h>. */
 /* #undef LOCALE_T_IN_XLOCALE */
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 91f7c501c78..e10c9709108 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -43,258 +43,6 @@ #include "libpq/md5.h" -#ifdef KRB5 -/* - * MIT Kerberos authentication system - protocol version 5 - */ - -#include <krb5.h> -/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */ -#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__) -#include <com_err.h> -#endif - -/* - * Heimdal doesn't have a free function for unparsed names. Just pass it to - * standard free() which should work in these cases. - */ -#ifndef HAVE_KRB5_FREE_UNPARSED_NAME -static void -krb5_free_unparsed_name(krb5_context context, char *val) -{ - free(val); -} -#endif - -/* - * pg_an_to_ln -- return the local name corresponding to an authentication - * name - * - * XXX Assumes that the first aname component is the user name. This is NOT - * necessarily so, since an aname can actually be something out of your - * worst X.400 nightmare, like - * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU - * Note that the MIT an_to_ln code does the same thing if you don't - * provide an aname mapping database...it may be a better idea to use - * krb5_an_to_ln, except that it punts if multiple components are found, - * and we can't afford to punt. - * - * For WIN32, convert username to lowercase because the Win32 kerberos library - * generates tickets with the username as the user entered it instead of as - * it is entered in the directory. - */ -static char * -pg_an_to_ln(char *aname) -{ - char *p; - - if ((p = strchr(aname, '/')) || (p = strchr(aname, '@'))) - *p = '\0'; -#ifdef WIN32 - for (p = aname; *p; p++) - *p = pg_tolower((unsigned char) *p); -#endif - - return aname; -} - - -/* - * Various krb5 state which is not connection specific, and a flag to - * indicate whether we have initialised it yet. 
- */ -/* -static int pg_krb5_initialised; -static krb5_context pg_krb5_context; -static krb5_ccache pg_krb5_ccache; -static krb5_principal pg_krb5_client; -static char *pg_krb5_name; -*/ - -struct krb5_info -{ - int pg_krb5_initialised; - krb5_context pg_krb5_context; - krb5_ccache pg_krb5_ccache; - krb5_principal pg_krb5_client; - char *pg_krb5_name; -}; - - -static int -pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info) -{ - krb5_error_code retval; - - if (info->pg_krb5_initialised) - return STATUS_OK; - - retval = krb5_init_context(&(info->pg_krb5_context)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_init_context: %s\n", - error_message(retval)); - return STATUS_ERROR; - } - - retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_cc_default: %s\n", - error_message(retval)); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache, - &(info->pg_krb5_client)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_cc_get_principal: %s\n", - error_message(retval)); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_unparse_name: %s\n", - error_message(retval)); - krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name); - - info->pg_krb5_initialised = 1; - return STATUS_OK; -} - -static void -pg_krb5_destroy(struct krb5_info * info) -{ - 
krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name); - krb5_free_context(info->pg_krb5_context); -} - - -/* - * pg_krb5_sendauth -- client routine to send authentication information to - * the server - */ -static int -pg_krb5_sendauth(PGconn *conn) -{ - krb5_error_code retval; - int ret; - krb5_principal server; - krb5_auth_context auth_context = NULL; - krb5_error *err_ret = NULL; - struct krb5_info info; - - info.pg_krb5_initialised = 0; - - if (!(conn->pghost && conn->pghost[0] != '\0')) - { - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("host name must be specified\n")); - return STATUS_ERROR; - } - - ret = pg_krb5_init(&conn->errorMessage, &info); - if (ret != STATUS_OK) - return ret; - - retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost, - conn->krbsrvname, - KRB5_NT_SRV_HST, &server); - if (retval) - { - printfPQExpBuffer(&conn->errorMessage, - "pg_krb5_sendauth: krb5_sname_to_principal: %s\n", - error_message(retval)); - pg_krb5_destroy(&info); - return STATUS_ERROR; - } - - /* - * libpq uses a non-blocking socket. But kerberos needs a blocking socket, - * and we have to block somehow to do mutual authentication anyway. So we - * temporarily make it blocking. 
- */ - if (!pg_set_block(conn->sock)) - { - char sebuf[256]; - - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf))); - krb5_free_principal(info.pg_krb5_context, server); - pg_krb5_destroy(&info); - return STATUS_ERROR; - } - - retval = krb5_sendauth(info.pg_krb5_context, &auth_context, - (krb5_pointer) & conn->sock, (char *) conn->krbsrvname, - info.pg_krb5_client, server, - AP_OPTS_MUTUAL_REQUIRED, - NULL, 0, /* no creds, use ccache instead */ - info.pg_krb5_ccache, &err_ret, NULL, NULL); - if (retval) - { - if (retval == KRB5_SENDAUTH_REJECTED && err_ret) - { -#if defined(HAVE_KRB5_ERROR_TEXT_DATA) - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), - (int) err_ret->text.length, err_ret->text.data); -#elif defined(HAVE_KRB5_ERROR_E_DATA) - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), - (int) err_ret->e_data->length, - (const char *) err_ret->e_data->data); -#else -#error "bogus configuration" -#endif - } - else - { - printfPQExpBuffer(&conn->errorMessage, - "krb5_sendauth: %s\n", error_message(retval)); - } - - if (err_ret) - krb5_free_error(info.pg_krb5_context, err_ret); - - ret = STATUS_ERROR; - } - - krb5_free_principal(info.pg_krb5_context, server); - - if (!pg_set_noblock(conn->sock)) - { - char sebuf[256]; - - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("could not restore nonblocking mode on socket: %s\n"), - pqStrerror(errno, sebuf, sizeof(sebuf))); - ret = STATUS_ERROR; - } - pg_krb5_destroy(&info); - - return ret; -} -#endif /* KRB5 */ - #ifdef ENABLE_GSS /* * GSSAPI authentication system. 
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
 return STATUS_ERROR;
 
 case AUTH_REQ_KRB5:
-#ifdef KRB5
- pglock_thread();
- if (pg_krb5_sendauth(conn) != STATUS_OK)
- {
- /* Error message already filled in */
- pgunlock_thread();
- return STATUS_ERROR;
- }
- pgunlock_thread();
- break;
-#else
 printfPQExpBuffer(&conn->errorMessage,
 libpq_gettext("Kerberos 5 authentication not supported\n"));
 return STATUS_ERROR;
-#endif
 
 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
 case AUTH_REQ_GSS:
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 3a9ddf19d7d..fa88c874945 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -278,7 +278,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 "Require-Peer", "", 10,
 offsetof(struct pg_conn, requirepeer)},
 
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
 /* Kerberos and GSSAPI authentication support specifying the service name */
 {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
 "Kerberos-service-name", "", 20,
@@ -2823,7 +2823,7 @@ freePGconn(PGconn *conn)
 free(conn->sslcompression);
 if (conn->requirepeer)
 free(conn->requirepeer);
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
 if (conn->krbsrvname)
 free(conn->krbsrvname);
 #endif
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0fb926bbd45..22bbe4a48eb 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -331,7 +331,7 @@ struct pg_conn
 char *sslcrl; /* certificate revocation list filename */
 char *requirepeer; /* required peer credentials for local sockets */
 
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
 char *krbsrvname; /* Kerberos service name */
 #endif
 
diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm
index bc52086fc8a..7921596a48f 100644
--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@@ -221,10 +221,6 @@ s{PG_VERSION_STR "[^"]+"}{__STRINGIFY(x) #x\n#define __STRINGIFY2(z) __STRINGIFY
 }
 if ($self->{options}->{krb5})
 {
- print O "#define KRB5 1\n";
- print O "#define HAVE_KRB5_ERROR_TEXT_DATA 1\n";
- print O "#define HAVE_KRB5_TICKET_ENC_PART2 1\n";
- print O "#define HAVE_KRB5_FREE_UNPARSED_NAME 1\n";
 print O "#define ENABLE_GSS 1\n";
 }
 if (my $port = $self->{options}->{"--with-pgport"})
@@ -625,7 +621,7 @@ sub GetFakeConfigure
 $cfg .= ' --with-ossp-uuid' if ($self->{options}->{uuid});
 $cfg .= ' --with-libxml' if ($self->{options}->{xml});
 $cfg .= ' --with-libxslt' if ($self->{options}->{xslt});
- $cfg .= ' --with-krb5' if ($self->{options}->{krb5});
+ $cfg .= ' --with-gssapi' if ($self->{options}->{krb5});
 $cfg .= ' --with-tcl' if ($self->{options}->{tcl});
 $cfg .= ' --with-perl' if ($self->{options}->{perl});
 $cfg .= ' --with-python' if ($self->{options}->{python});
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl
index 2489d3827fd..ebb47ab40e3 100644
--- a/src/tools/msvc/config_default.pl
+++ b/src/tools/msvc/config_default.pl
@@ -15,7 +15,6 @@ our $config = {
 tcl => undef, # --with-tls=<path>
 perl => undef, # --with-perl
 python => undef, # --with-python=<path>
- krb5 => undef, # --with-krb5=<path>
 openssl => undef, # --with-ssl=<path>
 uuid => undef, # --with-ossp-uuid
 xml => undef, # --with-libxml=<path> |
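Review bot: config_default.pl drops the `krb5` key, yet both Solution.pm hunks on this line still test `$self->{options}->{krb5}` to emit `#define ENABLE_GSS 1` and `--with-gssapi`, so after this commit a Windows build driven by the sample config has no documented way to turn GSSAPI on, and anyone who does set `krb5` is using an option the template no longer mentions. Keep a key for the feature and rename the test on both sides, e.g. `gss => undef, # --with-gssapi=<path>` in config_default.pl and `if ($self->{options}->{gss})` in Solution.pm. If other parts of the MSVC tooling use the `krb5` option for include or library paths they will need the same rename; they are outside this diff.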