Re: BUG #5559: Full SSL verification fails when hostaddr provided

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Christopher Head <chris2k01(at)hotmail(dot)com>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #5559: Full SSL verification fails when hostaddr provided
Date: 2010-07-14 18:32:40
Message-ID: 20100714183240.GO21875@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Yeah, but the code in fe-auth.c throws an error before the Kerberos
> libraries get a chance to do any such thing. I suppose that the
> documentation text was accurate when written, but that was a long time
> ago.

errrr, yeah, there are some issues with the wording that's there, that's
for sure. For starters, Kerberos doesn't require nor care if you give
it a host name or an IP address; regardless, it will do a reverse-DNS
lookup on whatever host is connected to and then use *that* hostname to
request the principal from the KDC. If that fails, it will use what you
gave it to try and find the principal (but that generally needs to be a
fully-qualified DNS name and needs to match exactly what's in the KDC).
I wouldn't bomb out if you've only been given a hostaddr, but I would
warn people that using Kerberos means it'll do a reverse DNS lookup, if
they care about minimizing those.

> [ pokes in CVS a bit... ] It looks like the insistence that pghost be
> supplied was added by Magnus on 2005-03-25, probably because the Windows
> version of Kerberos didn't handle the case correctly; and it's been that
> way in every release later than 8.0.1.

It's possible that SSPI does something different and may expect you to
provide the FQDN when connecting, but I'd be suprised. It could have
been a misconfiguration or a bug in older versions that prevented it
from doing the normal rDNS lookup. In fact, I just had someone test,
and even SSPI, on a recent version of Windows, does the rDNS lookup to
request the principal.

> That patch did not adjust the documentation wording, but evidently
> should have. (The claim about a reverse lookup has been in the docs
> at least since 7.0.) Given the lack of complaints in the past five
> years, I'm not interested in trying to go back to the old behavior,
> but we do need to fix the docs.

I've never found a reason to use hostaddr, so I don't particularly care,
but it doesn't seem right to break Kerberos auth if you were only given
an IP address unless hostaddr's entire point is that it will prevent a
DNS lookup from happening, ever. If that's the case, it should probably
be made more clear in the docs that you can't use hostaddr w/ Kerberos
but you *can* use an IP address in 'host' and have Kerberos work (or at
least, it should).

Thanks,

Stephen

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Tom Lane 2010-07-14 19:20:09 Re: BUG #5559: Full SSL verification fails when hostaddr provided
Previous Message Tom Lane 2010-07-14 17:55:14 Re: BUG #5559: Full SSL verification fails when hostaddr provided