Skip site navigation (1) Skip section navigation (2)

Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2

From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <mha(at)sollentuna(dot)net>,PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org>,kovert(at)omniscient(dot)com
Subject: Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2
Date: 2005-10-13 22:47:10
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-patches
Tom Lane wrote:
> BTW, it appears to me that this patch has also broken the claim in the
> manual that
> If [krb_server_hostname is] not set, the default is to allow any
> service principal matching an entry in the keytab.
> The reason that was true was that we passed a NULL "server" value to
> krb5_recvauth(), which with this patch we never do anymore.
> I'm not sure if this represents a serious loss of flexibility or not,
> but in any case the documentation needs an update.

I did some research on this and I think I have the answer.  The original
patch came from here (I have CC'ed the author):

I applied his second patch.  As part of that patch he states:

> The second patch (kovert-krb5-patch-newbehavior.txt) makes the default
> behavior to accept any principal in the keytab.  This means that people
> using kerberos will continue to work, but they'll be slightly more
> broad in what they accept as a valid service principal (I suspect
> there's very few people in the world who care about this since it still
> needs to be something in the keytab).

Now, our code has been modified since his patch was applied, but we now

     * If no hostname was specified, pg_krb_server_hostname is already
     * NULL. If it's set to blank, force it to NULL.
    khostname = pg_krb_server_hostname;
    if (khostname && khostname[0] == '\0')
        khostname = NULL;

    retval = krb5_sname_to_principal(pg_krb5_context,

The basic affect is if the GUC krb_server_hostname is empty/NULL,
krb5_sname_to_principal() gets called with a 2nd argument (hostname) of
NULL.  The documentation for this function says for this argument:

	hostname  (Input)
	The host containing the desired service instance. The local host is used
	if NULL is specified for this parameter.

Which says it doesn't accept any service entry in keytab, but rather
binds the server hostname to 'localhost'.  I think this is why it wasn't
working for Magnus.

I have applied the following patch which updates the documentation to
reflect 'localhost', and improves the error message to always print the
server name as well as the service name.  (We have had complaints about
poor Kerberos error messages before.)

  Bruce Momjian                        |
  pgman(at)candle(dot)pha(dot)pa(dot)us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

In response to

pgsql-patches by date

Next:From: Bruce MomjianDate: 2005-10-13 22:56:06
Subject: Re: Make 2PC error messages match docs
Previous:From: Josh BerkusDate: 2005-10-13 21:19:01
Subject: Re: roundoff problem in time datatype

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group