
Re: Patch to add Heimdal kerberos support

From: Bill Studenmund <wrstuden(at)netbsd(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Patch to add Heimdal kerberos support
Date: 2001-11-13 00:03:51
Message-ID: Pine.NEB.4.33.0111121553370.24761-100000@vespasia.home-net.internetconnect.net
Lists: pgsql-patches
On Mon, 12 Nov 2001, Tom Lane wrote:

> Bill Studenmund <wrstuden(at)netbsd(dot)org> writes:
> > Attached please find a patch to make Postgres compile with Heimdal krb5
> > support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> > implies MIT krb5 support.
>
> Couldn't we do this in a way that doesn't require a user configure switch?

Not that I know of. There are slight differences in the APIs, and Heimdal
needs a different set of libraries compiled in.

I'll ask around.

> --- src/backend/libpq/auth.c	2001/10/28 06:25:44	1.71
> +++ src/backend/libpq/auth.c	2001/11/12 22:32:00
> @@ -229,7 +229,7 @@
>  				 " Kerberos error %d\n", retval);
>  		com_err("postgres", retval,
>  				"while getting server principal for service %s",
> -				pg_krb_server_keyfile);
> +				PG_KRB_SRVNAM);
>  		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
>
> This change seems like a step backwards.

This patch really isn't Heimdal-related. If you look at the code
preceding this, we are looking for the principal for service
PG_KRB_SRVNAM in the file pg_krb_server_keyfile. Unpatched, this error
message says,

"...error.. while getting server principal for service
/usr/local/psql/data/krb5.srvtab"

which makes no sense. It was really "... while getting server principal
for service postgres" for instance; PG_KRB_SRVNAM is the service name we
looked up, so it is the one we should mention.

>
>  		krb5_free_context(pg_krb5_context);
>  		return STATUS_ERROR;
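Review bot: the message-text fix at `-				pg_krb_server_keyfile);` / `+				PG_KRB_SRVNAM);` is independent of Heimdal support and would be cleaner as its own commit with a one-line explanation, since the format string says "for service %s" and the keytab path was never a service name. While touching it, consider reporting both values, e.g. `"while getting server principal for service %s from keytab %s", PG_KRB_SRVNAM, pg_krb_server_keyfile`, because a wrong keytab path is a plausible cause of this failure and the patched message no longer names it.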
> @@ -283,8 +283,13 @@
>  	 *
>  	 * I have no idea why this is considered necessary.
>  	 */
> +#ifdef KRB5_MIT
>  	retval = krb5_unparse_name(pg_krb5_context,
>  							   ticket->enc_part2->client, &kusername);
> +#else
> +	retval = krb5_unparse_name(pg_krb5_context,
> +							   ticket->client, &kusername);
> +#endif
>
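Review bot: the `#ifdef KRB5_MIT` / `#else` split makes every non-MIT build take the `ticket->client` branch, so a build with neither implementation macro defined silently compiles against the Heimdal layout. Prefer an explicit `#elif defined(KRB5_HEIMDAL)` with `#error` in the fallback, or better, have configure probe for the `enc_part2` member of `krb5_ticket` (an autoconf AC_CHECK_MEMBER-style test) and key on that feature macro, so the choice follows the headers actually present rather than a user-selected switch; that would also answer the request to avoid a new configure option. The comment just above, "I have no idea why this is considered necessary", should be replaced with what the call is for: the client principal is unparsed into `kusername` so it can be compared with the database user the client asked to connect as.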
> If this is the only code change needed, couldn't we dispense with it

There is one more a little later on in the patch, in the front-end code.

> somehow?  I notice that the previous authors of this code had grave
> doubts about comparing the username at all.  I don't know much about
> Kerberos' security model --- is the fact that we got a ticket sufficient
> authentication, and if not why not?

I'll be honest that I'm still learning kerberos and all of the twists and
turns of its code.

I think the point is this test and the code after it make sure that your
kerberos and your postgres usernames match. I think that's VERY important.

Otherwise I could log into kerberos as wrstuden and access postgres as
user tgl. That seems BAD to me. :-)

Take care,

Bill
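The check Bill describes, written out as an added C example that is not PostgreSQL's code: a hypothetical `pg_krb5_check_user()` takes the string that `krb5_unparse_name()` produces for the authenticated client principal and the database user the client asked for, and returns STATUS_OK only when the principal's name part is exactly that user (and, when an expected realm is given, only from that realm). It also handles the `\@` escape that `krb5_unparse_name()` uses for an `@` inside a component, so an escaped `@` cannot be mistaken for the realm separator. The sample principals and the `STATUS_*` constants are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STATUS_OK     0
#define STATUS_ERROR  (-1)

/*
 * Length of the principal's name part: everything before the '@' that
 * introduces the realm. krb5_unparse_name() writes an '@' that occurs
 * inside a component as "\@", so a backslash-escaped '@' does not end
 * the name.
 */
static size_t krb_name_len(const char *principal)
{
    size_t i = 0;

    while (principal[i] != '\0')
    {
        if (principal[i] == '\\' && principal[i + 1] != '\0')
        {
            i += 2;             /* skip the escape and the escaped character */
            continue;
        }
        if (principal[i] == '@')
            break;
        i++;
    }
    return i;
}

/*
 * Hypothetical check (added example, not PostgreSQL's code): accept the
 * connection only if the authenticated principal's name part is exactly
 * the database user the client asked for. A principal with an instance
 * ("wrstuden/admin") is a different string from "wrstuden" and is
 * rejected as well. If expected_realm is non-NULL, the realm must match it,
 * so a same-named principal from another realm is not accepted.
 */
int pg_krb5_check_user(const char *kusername, const char *pguser,
                       const char *expected_realm)
{
    size_t      namelen;
    const char *realm;

    if (kusername == NULL || pguser == NULL ||
        kusername[0] == '\0' || pguser[0] == '\0')
        return STATUS_ERROR;

    namelen = krb_name_len(kusername);
    if (namelen == 0)
        return STATUS_ERROR;

    /* length check first, then byte compare: a prefix match is not a match */
    if (strlen(pguser) != namelen || memcmp(kusername, pguser, namelen) != 0)
        return STATUS_ERROR;

    if (expected_realm != NULL)
    {
        /* a principal with no '@' has an empty realm and fails this test */
        realm = (kusername[namelen] == '@') ? kusername + namelen + 1 : "";
        if (strcmp(realm, expected_realm) != 0)
            return STATUS_ERROR;
    }
    return STATUS_OK;
}

int main(void)
{
    /* constructed sample principals, as krb5_unparse_name() would render them */
    printf("wrstuden as wrstuden: %d\n",
           pg_krb5_check_user("wrstuden@EXAMPLE.ORG", "wrstuden", "EXAMPLE.ORG"));
    printf("wrstuden as tgl:      %d\n",
           pg_krb5_check_user("wrstuden@EXAMPLE.ORG", "tgl", "EXAMPLE.ORG"));
    return 0;
}
```

The first call returns STATUS_OK and the second STATUS_ERROR, which is exactly the case Bill raises: a ticket proves who the client is, but only the comparison with the requested database user prevents that identity from being used for someone else's account.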

