Re: [patch] krb5 authentication on multihomed server hosts

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Martin Pitt <martin(at)piware(dot)de>
Cc: PostgreSQL Bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: [patch] krb5 authentication on multihomed server hosts
Date: 2005-09-30 01:14:22
Message-ID: 200509300114.j8U1EMV20554@candle.pha.pa.us
Lists: pgsql-bugs


I think this is fixed in CVS and will be in 8.1. We now have in
postgresql.conf:

# Kerberos
#krb_server_keyfile = ''
#krb_srvname = 'postgres'
#krb_server_hostname = '(any)' # if not set, matches any keytab entry
#krb_caseins_users = off

---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi!
>
> I recently got a Debian bug report [1] that says:
>
> "It is not always possible to use krb5 authentication to a server
> that is listening on multiple interfaces other than to the 'primary'
> interface.
>
> More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
> the pg_krb5_server principal with a call to krb5_sname_to_principal
> with NULL as the second argument (the hostname argument). This
> invokes the hostname canonicalisation behaviour in the kerberos
> library which has insufficient information to be able to return the
> correct answer in all cases."
>
> The bug report describes this a little deeper with a detailed
> example. The reporter also proposes a patch, which I copied below for
> your convenience. It looks pretty sane and is relatively unintrusive.
> However, since I don't know much about Kerberos, I'd like to hear
> another opinion.
>
> Since this is in no way Debian specific, would you be interested in
> fixing this upstream as well?
>
> Thanks for considering and have a nice day!
>
> Martin
>
> --------------- snip -------------------
> --- postgresql-7.4.7-old/src/backend/libpq/auth.c 2003-12-20 18:25:02.000000000 +0000
> +++ postgresql-7.4.7/src/backend/libpq/auth.c 2005-07-25 19:55:26.000000000 +0100
> @@ -216,8 +216,18 @@
> return STATUS_ERROR;
> }
>
> - retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
> + if( VirtualHost && VirtualHost[0] )
> + {
> + char *host=VirtualHost;
> + while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */
> + retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
> + KRB5_NT_SRV_HST, &pg_krb5_server);
> + }
> + else
> + {
> + retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
> KRB5_NT_SRV_HST, &pg_krb5_server);
> + }
> if (retval)
> {
> ereport(LOG,
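Review bot: the two branches of the new `if( VirtualHost && VirtualHost[0] )` differ only in the host argument, so the hunk could set `host` once (NULL when `VirtualHost` is unset or empty, the trimmed pointer otherwise) and keep a single `krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM, KRB5_NT_SRV_HST, &pg_krb5_server)` call instead of duplicating it. The `while(*host==' ') host++;` loop only skips leading spaces: a trailing space or a tab in `virtual_host` would be handed to the Kerberos library as part of the host name, so trailing whitespace should be stripped (or the value rejected) as well. A short comment above the call should also say that `virtual_host` may hold an IP address rather than a host name; the library still runs whatever string it receives through its canonicalisation, so the principal it derives in that case should be checked against the keytab rather than assumed.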
> --------------- snip -------------------
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049
>
> --
> Martin Pitt http://www.piware.de
> Ubuntu Developer http://www.ubuntu.com
> Debian Developer http://www.debian.org
>
> In a world without walls and fences, who needs Windows and Gates?
-- End of PGP section, PGP failed!

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
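With the 8.1 behaviour described above (`krb_server_hostname = '(any)'` matches any keytab entry), the remaining operational requirement on a multihomed host is that the server keytab actually contains a `postgres/<host>@<realm>` entry for every name clients resolve the server to. The following POSIX shell check is an added example, not code from the thread or from PostgreSQL: it takes the text of a `klist -k` listing (a constructed sample is embedded so it runs offline) and reports which of the given host names have no matching service principal. `KRB_SRVNAME` mirrors the `krb_srvname` default of `postgres`; the host names and keytab path are made up.

```shell
#!/bin/sh
# Added example: verify that a keytab listing covers every host name a
# multihomed PostgreSQL server is reached by. Not part of PostgreSQL.

# Service name, mirroring the krb_srvname default in postgresql.conf.
KRB_SRVNAME=${KRB_SRVNAME:-postgres}

# Constructed sample of `klist -k /etc/postgresql/krb5.keytab` output.
# Note the duplicate KVNO line and the unrelated host/ principal.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/db-front.example.org@EXAMPLE.ORG
   3 postgres/db-front.example.org@EXAMPLE.ORG
   2 host/db-front.example.org@EXAMPLE.ORG'

# keytab_principals LISTING
#   Prints each distinct "service/host@REALM" in the listing, one per line.
#   Only lines of the form "<kvno> <principal>" are considered.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# missing_hosts LISTING HOST...
#   Prints every HOST that has no ${KRB_SRVNAME}/HOST@... principal in the
#   listing. Returns 0 if all hosts are covered, 1 if any is missing.
missing_hosts() {
    listing=$1
    shift
    principals=$(keytab_principals "$listing")
    rc=0
    for host in "$@"; do
        # Match on the exact "service/host@" prefix (fixed string, anchored at
        # column 1) so "front.example.org" does not match "db-front.example.org".
        if ! printf '%s\n' "$principals" |
            awk -v p="${KRB_SRVNAME}/${host}@" 'index($0, p) == 1 { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$host"
            rc=1
        fi
    done
    return $rc
}

# Usage: list the names by which clients reach each interface of the server.
# With the sample above, db-back.example.org is reported as missing.
missing_hosts "$SAMPLE_KEYTAB_LISTING" db-front.example.org db-back.example.org \
    && echo "keytab covers every listed host" \
    || echo "keytab is missing the host(s) listed above"
```

On a real server replace the embedded sample with `klist -k "$keytab_path"` output and pass the forward names of every listening interface; a non-zero exit from `missing_hosts` is the signal that clients connecting through that interface will fail Kerberos authentication until a key for that principal is added to the keytab.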
