Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <mha(at)sollentuna(dot)net>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>, kovert(at)omniscient(dot)com
Subject: Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2
Date: 2005-10-13 22:47:10
Message-ID: 200510132247.j9DMlAp12913@candle.pha.pa.us
Lists: pgsql-patches

Tom Lane wrote:
> BTW, it appears to me that this patch has also broken the claim in the
> manual that
>
> If [krb_server_hostname is] not set, the default is to allow any
> service principal matching an entry in the keytab.
>
> The reason that was true was that we passed a NULL "server" value to
> krb5_recvauth(), which with this patch we never do anymore.
>
> I'm not sure if this represents a serious loss of flexibility or not,
> but in any case the documentation needs an update.

I did some research on this and I think I have the answer. The original
patch came from here (I have CC'ed the author):

http://archives.postgresql.org/pgsql-patches/2005-06/msg00293.php

I applied his second patch. As part of that patch he states:

> The second patch (kovert-krb5-patch-newbehavior.txt) makes the default
> behavior to accept any principal in the keytab. This means that people
> using kerberos will continue to work, but they'll be slightly more
> broad in what they accept as a valid service principal (I suspect
> there's very few people in the world who care about this since it still
> needs to be something in the keytab).

Now, our code has been modified since his patch was applied, but we now
have:

/*
 * If no hostname was specified, pg_krb_server_hostname is already
 * NULL. If it's set to blank, force it to NULL.
 */
khostname = pg_krb_server_hostname;
if (khostname && khostname[0] == '\0')
    khostname = NULL;

retval = krb5_sname_to_principal(pg_krb5_context,
                                 khostname,
                                 pg_krb_srvnam,
                                 KRB5_NT_SRV_HST,
                                 &pg_krb5_server);

The basic effect is that if the GUC krb_server_hostname is empty/NULL,
krb5_sname_to_principal() gets called with a second argument (hostname) of
NULL. The documentation for this function says for this argument:

http://publib.boulder.ibm.com/iseries/v5r1/ic2924/index.htm?info/apis/krb5list.htm

hostname (Input)

The host containing the desired service instance. The local host is used
if NULL is specified for this parameter.

Which says it doesn't accept any service entry in keytab, but rather
binds the server hostname to 'localhost'. I think this is why it wasn't
working for Magnus.

I have applied the following patch which updates the documentation to
reflect 'localhost', and improves the error message to always print the
server name as well as the service name. (We have had complaints about
poor Kerberos error messages before.)

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073

Attachment Content-Type Size
unknown_filename text/plain 2.3 KB
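The point of the message above is that an unset or empty krb_server_hostname no longer means "any principal in the keytab" but "the service principal for the local host". The following is an added example, not PostgreSQL's or MIT Kerberos's code: it models the GUC normalization quoted above together with the principal that krb5_sname_to_principal() builds for a KRB5_NT_SRV_HST name, so an administrator can see which keytab entry the server will actually look for. The function names (effective_krb_hostname, build_server_principal) and the realm/host values are assumptions made for the example; the real library additionally canonicalizes the host name through DNS, which this model does not do.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* Model of the GUC handling quoted from auth.c above:
 * an unset (NULL) or blank ("") krb_server_hostname both become NULL. */
static const char *effective_krb_hostname(const char *guc_value)
{
    if (guc_value && guc_value[0] == '\0')
        return NULL;
    return guc_value;
}

/* Model of what krb5_sname_to_principal(ctx, host, service,
 * KRB5_NT_SRV_HST, &princ) yields as a printable name: "service/host@REALM".
 * A NULL host is replaced by the local host name, which is exactly the
 * behaviour the documentation quoted above describes. The real library also
 * canonicalizes the host via DNS; here we only lowercase it (assumption).
 * Returns 0 on success, -1 if the output buffer is too small. */
int build_server_principal(const char *guc_hostname, const char *service,
                           const char *local_host, const char *realm,
                           char *out, size_t outlen)
{
    const char *host = effective_krb_hostname(guc_hostname);
    char hostbuf[256];
    size_t i;
    int n;

    if (host == NULL)
        host = local_host;          /* NULL hostname => local host, not "any" */

    for (i = 0; host[i] != '\0' && i < sizeof(hostbuf) - 1; i++)
        hostbuf[i] = (char) tolower((unsigned char) host[i]);
    hostbuf[i] = '\0';

    n = snprintf(out, outlen, "%s/%s@%s", service, hostbuf, realm);
    if (n < 0 || (size_t) n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed settings: unset, blank, and an explicit host name. */
    const char *settings[] = { NULL, "", "db.example.com" };
    char local[256];
    int i;

    if (gethostname(local, sizeof local) != 0)
        strcpy(local, "localhost");

    for (i = 0; i < 3; i++) {
        char princ[512];
        const char *label = settings[i] == NULL ? "(unset)"
                          : settings[i][0] == '\0' ? "(blank)" : settings[i];

        if (build_server_principal(settings[i], "postgres", local,
                                   "EXAMPLE.COM", princ, sizeof princ) == 0)
            printf("krb_server_hostname=%-16s -> keytab must contain %s\n",
                   label, princ);
    }
    return 0;
}
```

Run on the database host, the first two lines print the same principal, which is the entry `klist -kt` must show in the server keytab; only the third line binds to a different host, which is the case the krb_server_hostname GUC exists for.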
