| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Christopher Head <chris2k01(at)hotmail(dot)com>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #5559: Full SSL verification fails when hostaddr provided |
| Date: | 2010-07-14 21:35:21 |
| Message-ID: | 18347.1279143321@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> krb5_sname_to_principal() will use the passed hostname for the second
> component. If type is KRB5_NT_SRV_HST this name will be looked up with
> gethostbyname(). If hostname is NULL, the local hostname will be used.
> If we were passing in NULL before when hostaddr was set and host wasn't,
> then we were probably ending up with Kerberos trying to use the local
> hostname, which almost certainly wasn't right.
Ah. I agree that that would be unexpected behavior.
> I expect that the
> correct answer here would be to do whatever the actual connection logic
> does- if it connects using host, then use host, if it connects using
> hostaddr, then use hostaddr.
Uh, no, because hostaddr is (required to be) a numeric IP. The odds of
it being useful in this context seem negligible.
At this point I'm satisfied that what the code is doing is right. We
can't authenticate against Kerberos without knowing the server host
name, because we can't form a correct principal name. Whether use of
hostaddr would avoid an rDNS lookup inside the library is not relevant.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2010-07-14 21:44:03 | Re: BUG #5559: Full SSL verification fails when hostaddr provided |
| Previous Message | Stephen Frost | 2010-07-14 21:28:05 | Re: BUG #5559: Full SSL verification fails when hostaddr provided |