From: | Peter Koczan <pjkoczan(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-bugs(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net> |
Subject: | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
Date: | 2009-05-27 16:25:07 |
Message-ID: | 4544e0330905270925m27bce8c2m60a7a7cec3257161@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
> We should probably at least clarify this release note. Do you want
> to make an argument that this is a fundamental breakage and we need
> to revert it? If so, what's the argument?
Certainly.
It seems like with the changes in 8.4, krb5/gssapi auth looks for a
valid ticket, and if it finds one, connects without regard for the
principal in that ticket. This is a gaping security hole, because it
is very nearly the same as trust authentication.
I'm me...
[koczan(at)mitchell] ~ $ klist
...
Default principal: koczan(at)CS(dot)WISC(dot)EDU
...
I connect as me...
[koczan(at)mitchell] ~ $ /s/postgresql-8.4-beta/bin/psql -h mitchell -p
49173 postgres
psql (8.4beta2)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=> select current_role;
current_user
--------------
koczan
(1 row)
Now, I connect as someone else...
[koczan(at)mitchell] ~ $ /s/postgresql-8.4-beta/bin/psql -h mitchell -p
49173 -U strivia postgres
psql (8.4beta2)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=> select current_role;
current_user
--------------
strivia
(1 row)
Now, I connect as superuser...
[koczan(at)mitchell] ~ $ /s/postgresql-8.4-beta/bin/psql -h mitchell -p
49173 -U postgres postgres
psql (8.4beta2)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=# select current_role;
current_user
--------------
postgres
(1 row)
Old clients also exhibit this behavior, so it's also a server-side issue.
[koczan(at)mitchell] ~ $ /s/postgresql-8.3.6/bin/psql -h mitchell -p
49173 -U postgres postgres
Welcome to psql 8.3.6 (server 8.4beta2), the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
WARNING: You are connected to a server with major version 8.4,
but your psql client is major version 8.3. Some backslash commands,
such as \d, might not work properly.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
postgres=# select current_role;
current_user
--------------
postgres
(1 row)
And just to show you that there is no trickery, I will attempt to
connect without Kerberos tickets.
bash-3.2$ whoami
koczan
bash-3.2$ klist
klist: No credentials cache found (ticket cache
FILE:/var/adm/krb5/tmp/tkt/krb5cc_0_N26236)
...
bash-3.2$ /s/postgresql-8.4-beta/bin/psql -h mitchell -p 49173
postgrespsql: GSSAPI continuation error: Unspecified GSS failure.
Minor code may provide more information
GSSAPI continuation error: Unknown code krb5 195
bash-3.2$ /s/postgresql-8.4-beta/bin/psql -h mitchell -p 49173 -U
postgres postgres
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code
may provide more information
GSSAPI continuation error: Unknown code krb5 195
This is trust authentication with one rather inconsequential bit of
verification, that's a fundamental breakage. One of the major points
of Kerberos is that, for anything that talks Kerberos, you are the
principal in that ticket. I understand the desire to change some of
that old code, but why is that principal being ignored?
Peter
From | Date | Subject | |
---|---|---|---|
Next Message | Tom Lane | 2009-05-27 20:06:35 | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
Previous Message | Herbert Bonaffini | 2009-05-27 15:43:29 | BUG #4825: Before installation the server not running |