
Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Koczan <pjkoczan(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Date: 2009-05-27 20:21:16
Message-ID: 4A1DA0BC.3000106@hagander.net
Lists: pgsql-bugs
Magnus Hagander wrote:
> Tom Lane wrote:
>> Peter Koczan <pjkoczan(at)gmail(dot)com> writes:
>>> This is trust authentication with one rather inconsequential bit of
>>> verification, that's a fundamental breakage. One of the major points
>>> of Kerberos is that, for anything that talks Kerberos, you are the
>>> principal in that ticket. I understand the desire to change some of
>>> that old code, but why is that principal being ignored?
>> Well, the reason for that change was that the libpq code was absorbing
>> userid from any available Kerberos ticket, even if the server
>> subsequently issued a non-Kerberos authentication challenge.  I still
>> think that was wrong.  What your complaint seems to suggest is that
>> the server-side Kerberos auth code should be insisting that the supplied
>> principal's first component match the requested database userid.
>> I kinda thought we *had* been doing that, but can't claim to have read
>> that code closely.  Magnus?
> 
> We are certainly *supposed* to do that. And we have been doing that. So
> if that's not done, it's been broken in 8.4 (most likely by me).
> 
> Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
> but from your messages it looks like you have gssapi?
> 
> Can you show us your pg_hba.conf file, and all lines with krb in them
> from postgresql.conf?
> 
> Also, can you try it with the server set to log at DEBUG4, and let us
> know what output you get?

Crap, I think I found the problem.

Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
"return ret" not "return STATUS_OK".

Wow, that's a bad bug :-O

//Magnus
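
The failure mode named in the message above, as an added sketch that is not part of the original e-mail and is not PostgreSQL's auth.c: a principal-versus-role check whose result is computed and then discarded, beside the version that returns it. The function names, the status values and the sample principals are assumptions made for illustration; realm checks and user-name mapping are left out.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in status codes for this sketch; the page only names STATUS_OK. */
#define STATUS_OK     0
#define STATUS_ERROR (-1)

/* Hypothetical helper: does the principal's first component equal db_user?
 * "alice@EXAMPLE.COM" and "alice/admin@EXAMPLE.COM" both have first
 * component "alice". */
static int principal_matches_user(const char *principal, const char *db_user)
{
    size_t len = strcspn(principal, "/@");   /* length of first component */

    if (len == 0 || strlen(db_user) != len)
        return STATUS_ERROR;
    return strncmp(principal, db_user, len) == 0 ? STATUS_OK : STATUS_ERROR;
}

/* Bug pattern from the message: the check runs, its result is thrown away. */
int auth_buggy(const char *principal, const char *db_user)
{
    int ret = principal_matches_user(principal, db_user);

    (void) ret;            /* computed but never consulted */
    return STATUS_OK;      /* every authenticated principal is accepted */
}

/* Fix pattern from the message: propagate the result of the check. */
int auth_fixed(const char *principal, const char *db_user)
{
    int ret = principal_matches_user(principal, db_user);

    return ret;
}

int main(void)
{
    /* Constructed sample principal and role names. */
    const char *p = "alice@EXAMPLE.COM";

    printf("buggy: alice->alice=%d alice->postgres=%d\n",
           auth_buggy(p, "alice"), auth_buggy(p, "postgres"));
    printf("fixed: alice->alice=%d alice->postgres=%d\n",
           auth_fixed(p, "alice"), auth_fixed(p, "postgres"));
    return 0;
}
```

A regression test for this class of bug needs a negative case: a valid ticket for one principal requesting a different role must be rejected, since a matching-user test passes under both versions.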

