Re: Patch to add Heimdal kerberos support

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bill Studenmund <wrstuden(at)netbsd(dot)org>
Cc: pgsql-patches(at)postgresql(dot)org
Subject: Re: Patch to add Heimdal kerberos support
Date: 2001-11-12 23:52:42
Lists: pgsql-patches
Bill Studenmund <wrstuden(at)netbsd(dot)org> writes:
> Attached please find a patch to make Postgres compile with Heimdal krb5
> support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> implies MIT krb5 support.

Couldn't we do this in a way that doesn't require a user configure switch?

--- src/backend/libpq/auth.c	2001/10/28 06:25:44	1.71
+++ src/backend/libpq/auth.c	2001/11/12 22:32:00
@@ -229,7 +229,7 @@
 				 " Kerberos error %d\n", retval);
 		com_err("postgres", retval,
 				"while getting server principal for service %s",
-				pg_krb_server_keyfile);
 		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);

This change seems like a step backwards.

 		return STATUS_ERROR;
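
Review bot: the `-` line `pg_krb_server_keyfile);` drops the only argument for the `%s` in "while getting server principal for service %s", and the hunk as quoted shows no `+` line supplying another. `com_err` formats its message printf-style, so the call still needs a string argument for that conversion, plus its closing parenthesis. If the intent is to stop printing the keyfile path, pass the service name the message text refers to, or reword the message so it has no `%s`; either way the replacement line should be visible in the hunk.
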
@@ -283,8 +283,13 @@
 	 * I have no idea why this is considered necessary.
+#ifdef KRB5_MIT
 	retval = krb5_unparse_name(pg_krb5_context,
 							   ticket->enc_part2->client, &kusername);
+	retval = krb5_unparse_name(pg_krb5_context,
+							   ticket->client, &kusername);
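
Review bot: the `#ifdef KRB5_MIT` added before the first `krb5_unparse_name` call has no `#else` or `#endif` in the lines quoted here, so as shown both calls would compile in the MIT case, with the second overwriting `retval` and `kusername`. The hunk header (`-283,8 +283,13`) implies a net gain of five lines and only three `+` lines are visible, so please confirm the conditional is closed. The two branches differ only in `ticket->enc_part2->client` versus `ticket->client`, so a single macro for the client principal would avoid duplicating the call; a short comment should also say which library uses which field, since this value feeds the username comparison.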

If this is the only code change needed, couldn't we dispense with it
somehow?  I notice that the previous authors of this code had grave
doubts about comparing the username at all.  I don't know much about
Kerberos' security model --- is the fact that we got a ticket sufficient
authentication, and if not why not?

			regards, tom lane
