krb5 authentication and multihomed server hosts

PostgreSQL-Version: 7.4.7
Operating-Sytem: Debian GNU/Linux 3.1 (sarge)

It is not always possible to use krb5 authentication to a server that is
listening on multiple interfaces other than to the 'primary' interface.

More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in the
pg_krb5_server principal with a call to krb5_sname_to_principal with NULL
as the second argument (the hostname argument). This invokes the hostname
canonicalisation behaviour in the kerberos library which has insufficient
information to be able to return the correct answer in all cases.

zero-credibility:~# host zero-credibility.oucs.ox.ac.uk
zero-credibility.oucs.ox.ac.uk has address 163.1.2.14
zero-credibility:~# host pgsql-dev.oucs.ox.ac.uk
pgsql-dev.oucs.ox.ac.uk has address 163.1.2.37
zero-credibility:~# netstat -nie # check interfaces are up
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 00:E0:81:63:D6:08
inet addr:163.1.2.14 Bcast:163.1.2.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:81ff:fe63:d608/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4603401 errors:0 dropped:0 overruns:0 frame:0
TX packets:197179 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:342050931 (326.2 MiB) TX bytes:26094767 (24.8 MiB)
Base address:0xa000 Memory:f4020000-f4040000

eth0:37 Link encap:Ethernet HWaddr 00:E0:81:63:D6:08
inet addr:163.1.2.37 Bcast:163.1.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0xa000 Memory:f4020000-f4040000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:222060 errors:0 dropped:0 overruns:0 frame:0
TX packets:222060 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:94776903 (90.3 MiB) TX bytes:94776903 (90.3 MiB)

zero-credibility:~# netstat -natp | grep 5432 # check postmaster is listening
tcp 0 0 0.0.0.:5432 0.0.0.0:* LISTEN 25267/postmaster
zero-credibility:~# klist -k /etc/postgresql/krb5.keytab # confirm keytab contents
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 postgres/pgsql-dev(dot)oucs(dot)ox(dot)ac(dot)uk(at)OX(dot)AC(dot)UK
3 postgres/pgsql-dev(dot)oucs(dot)ox(dot)ac(dot)uk(at)OX(dot)AC(dot)UK

[...flip to client...]

pod(at)plutonium$ psql -h pgsql-dev.oucs.ox.ac.uk template1 # try to connect
psql: Kerberos 5 authentication failed
pod(at)plutonium$ klist # confirm we got a service ticket
Ticket cache: FILE:/tmp/krb5cc_1000_rnx4Z0
Default principal: pod(at)OX(dot)AC(dot)UK

Valid starting Expires Service principal
07/26/05 09:48:01 07/26/05 19:48:01 krbtgt/OX(dot)AC(dot)UK(at)OX(dot)AC(dot)UK
07/26/05 13:26:33 07/26/05 19:48:01 postgres/pgsql-dev(dot)oucs(dot)ox(dot)ac(dot)uk(at)OX(dot)AC(dot)UK

[...back to server...]

zero-credibility:~# tail /var/log/postgresql/postgres.log
[...]
Jul 26 13:35:23 zero-credibility postgres[25963]: [1-1] LOG: connection received: host=129.67.100.155 port=33718
Jul 26 13:35:23 zero-credibility postgres[25963]: [2-1] LOG: Kerberos recvauth returned error -1765328240
Jul 26 13:35:23 zero-credibility postgres[25963]: [3-1] FATAL: Kerberos5 authentication failed for user "pod"
zero-credibility:~# grep -e -1765328240 /usr/include/krb5.h # what is that err?
#define KRB5KRB_AP_WRONG_PRINC (-1765328240L)

I append a patch that 'fixes' behaviour for the limited case where a
virtual_host is specified in /etc/postgresql/postgresql.conf. I'm not
sure it is possible to fix the INADDR_ANY case without changes to
krb5_recvauth() which is, of course, not your concern.

[...apply patch, run patched server...]

zero-credibility:~# grep -e virtual_host /etc/postgresql/postgresql.conf
virtual_host = '163.1.2.37'

[...try again on client...]

pod(at)plutonium$ psql -h pgsql-dev.oucs.ox.ac.uk template1
Welcome to psql 7.4.7, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

template1=> \q

--------------------
--- postgresql-7.4.7-old/src/backend/libpq/auth.c 2003-12-20 18:25:02.000000000 +0000
+++ postgresql-7.4.7/src/backend/libpq/auth.c 2005-07-25 19:55:26.000000000 +0100
@@ -216,8 +216,18 @@
return STATUS_ERROR;
}

- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ if( VirtualHost && VirtualHost[0] )
+ {
+ char *host=VirtualHost;
+ while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */
+ retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
+ KRB5_NT_SRV_HST, &pg_krb5_server);
+ }
+ else
+ {
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
KRB5_NT_SRV_HST, &pg_krb5_server);
+ }
if (retval)
{
ereport(LOG,