Re: patch to add krb_server_hostname to postgresql.conf

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Todd Kover <kovert(at)omniscient(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-patches(at)postgresql(dot)org
Subject: Re: patch to add krb_server_hostname to postgresql.conf
Date: 2005-06-05 02:02:23
Message-ID: 200506050202.j5522NS15909@candle.pha.pa.us
Lists: pgsql-patches

Updated description added.

Your patch has been added to the PostgreSQL unapplied patches list at:

http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---------------------------------------------------------------------------

Todd Kover wrote:
>
> > >> Why is this necessary?
> >
> > > It's largely useful in combination with restricting the interfaces
> > > listened to via the listen_addresses directive in the config file. As
> > > the code works now you can only connect via kerberos with a service
> > > principal derived from the hostname of the box rather than any dns name
> > > associated with any of the box's interfaces.
> >
> > Hmm. I guess I was confusing this with the --with-krb-srvnam configure
> > directive, and expecting that it ought to convert that from a
> > frozen-at-configure value into a run-time-configuration variable.
> > What is the relationship of these two values, anyway?
>
> A service principal is often of the form something/hostname@REALM, and
> by default in postgres, the "something" is postgres and as it is today,
> hostname is what gethostbyname() returns.
>
> A complete service principal might be: postgres/db.example.com@EXAMPLE.COM.
> The --with-krb-srvnam changes this.
>
> > The documentation additions are pretty poor in both proposed patches;
> > they do nothing to clear up any confusion.
>
> Indeed, if you're not familiar with kerberos conventions this won't make
> too much sense. Actually, the use of 'srvname' is kind of confusing. I
> originally thought the hostname was compiled in by default.
>
> I'd imagine most people wouldn't want to change it and if they did it
> probably would be site wide.
>
> Something like:
>
> sets the hostname that the postgres server will require to be
> used for service principals. This is combined with the value
> specified at configure time with --with-krb-srvnam (defaulting
> to postgres). Assuming the default of postgres, the service
> principal would be of the form postgres/specified_hostname@REALM.
>
> The default is to allow any service principal matching an entry
> in the keytab
>
> (or)
>
> The default is the hostname of the postgres server.
>
> depending on which patch. That would have cleared up the confusion for
> me, anyway.
>
> -Todd

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
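The principal derivation discussed above, as an added example that is not PostgreSQL's own code: it builds the service principal from the configure-time `krb_srvnam`, the proposed run-time `krb_server_hostname` and the realm, and models how a presented principal would be checked under the two proposed defaults (strict system hostname vs. any keytab entry). Config field names, the realm, the keytab contents and the acceptance logic are assumptions made for illustration.

```python
import socket
from dataclasses import dataclass
from typing import Optional

@dataclass
class KerberosConfig:
    """Server-side settings named in the thread (field names assumed)."""
    krb_srvnam: str = "postgres"                  # fixed at configure time (--with-krb-srvnam)
    krb_server_hostname: Optional[str] = None     # proposed run-time setting; None = unset
    realm: str = "EXAMPLE.COM"                    # constructed realm

def expected_principal(cfg: KerberosConfig, system_hostname: Optional[str] = None) -> str:
    """Principal the server requires: srvnam/hostname@REALM.

    When krb_server_hostname is unset, the host part falls back to what the
    OS reports as the box's own hostname (today's behaviour); system_hostname
    lets a caller inject that value instead of calling gethostname()."""
    host = cfg.krb_server_hostname or system_hostname or socket.gethostname()
    return f"{cfg.krb_srvnam}/{host}@{cfg.realm}"

def principal_accepted(presented: str, cfg: KerberosConfig, keytab: set,
                       unset_default: str = "system-hostname",
                       system_hostname: Optional[str] = None) -> bool:
    """Simplified acceptance check (assumed model, not the real GSSAPI path).

    A principal with no keytab entry is always rejected. If krb_server_hostname
    is unset and unset_default is "keytab-any", any keytab principal is accepted
    (one patch's default); otherwise the presented principal must equal the
    single expected one (the other patch's default, or an explicit setting)."""
    if presented not in keytab:
        return False
    if cfg.krb_server_hostname is None and unset_default == "keytab-any":
        return True
    return presented == expected_principal(cfg, system_hostname)

def demo() -> dict:
    """Constructed scenario: the box is named db-int.example.com, but clients
    reach it via the DNS name db.example.com on a listen_addresses interface."""
    keytab = {"postgres/db.example.com@EXAMPLE.COM",
              "postgres/db-int.example.com@EXAMPLE.COM"}
    client_principal = "postgres/db.example.com@EXAMPLE.COM"
    box = "db-int.example.com"
    return {
        "today_default": principal_accepted(client_principal, KerberosConfig(), keytab,
                                            system_hostname=box),
        "keytab_any_default": principal_accepted(client_principal, KerberosConfig(), keytab,
                                                 unset_default="keytab-any", system_hostname=box),
        "explicit_hostname": principal_accepted(client_principal,
                                                KerberosConfig(krb_server_hostname="db.example.com"),
                                                keytab, system_hostname=box),
    }
```

Only the explicit setting or the keytab-any default lets the client's DNS-derived principal through; today's gethostname()-derived default rejects it.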
