
Re: [patch] krb5 authentication on multihomed server hosts

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Martin Pitt <martin(at)piware(dot)de>
Cc: PostgreSQL Bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: [patch] krb5 authentication on multihomed server hosts
Date: 2005-09-30 01:14:22
Message-ID: 200509300114.j8U1EMV20554@candle.pha.pa.us
Lists: pgsql-bugs
I think this is fixed in CVS and will be in 8.1.  We now have in
postgresql.conf:
	
	# Kerberos
	#krb_server_keyfile = ''
	#krb_srvname = 'postgres'
	#krb_server_hostname = '(any)'          # if not set, matches any keytab entry
	#krb_caseins_users = off


---------------------------------------------------------------------------

Martin Pitt wrote:
> Hi!
> 
> I recently got a Debian bug report [1] that says:
> 
>   "It is not always possible to use krb5 authentication to a server
>   that is listening on multiple interfaces other than to the 'primary'
>   interface.
> 
>   More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
>   the pg_krb5_server principal with a call to krb5_sname_to_principal
>   with NULL as the second argument (the hostname argument).  This
>   invokes the hostname canonicalisation behaviour in the kerberos
>   library which has insufficient information to be able to return the
>   correct answer in all cases."
> 
> The bug report describes this a little deeper with a detailed
> example. The reporter also proposes a patch, which I copied below for
> your convenience. It looks pretty sane and is relatively unintrusive.
> However, since I don't know much about Kerberos, I'd like to hear
> another opinion.
> 
> Since this is in no way Debian specific, would you be interested in
> fixing this upstream as well?
> 
> Thanks for considering and have a nice day!
> 
> Martin
> 
> --------------- snip -------------------
> --- postgresql-7.4.7-old/src/backend/libpq/auth.c	2003-12-20 18:25:02.000000000 +0000
> +++ postgresql-7.4.7/src/backend/libpq/auth.c	2005-07-25 19:55:26.000000000 +0100
> @@ -216,8 +216,18 @@
>  		return STATUS_ERROR;
>  	}
>  
> -	retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
> +	if( VirtualHost && VirtualHost[0] )
> +	{
> +		char *host=VirtualHost;
> +		while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */
> +		retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
> +									 KRB5_NT_SRV_HST, &pg_krb5_server);
> +	}
> +	else
> +	{
> +		retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
>  									 KRB5_NT_SRV_HST, &pg_krb5_server);
> +	}
>  	if (retval)
>  	{
>  		ereport(LOG,
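Review bot: the two `krb5_sname_to_principal` calls in this hunk differ only in their second argument, so the if/else can be collapsed into computing `host` (NULL when `VirtualHost` is unset or empty) followed by a single call, which also keeps the `if (retval)` error path below on one code path. Separately, `while(*host==' ') host++;` strips leading spaces only; any trailing whitespace in `VirtualHost` would be passed through into the service principal name and fail to match the keytab entry, so trim the tail as well or reject such values. A short comment stating the assumption this hunk relies on (that `VirtualHost` names a host the library will resolve to the principal present in the keytab) would also help, since the quoted bug report is precisely about the library's canonicalisation not having enough information to get this right on multihomed hosts.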
> --------------- snip -------------------
> 
> 
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049
> 
> -- 
> Martin Pitt        http://www.piware.de
> Ubuntu Developer   http://www.ubuntu.com
> Debian Developer   http://www.debian.org
> 
> In a world without walls and fences, who needs Windows and Gates?

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
