Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Koczan <pjkoczan(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Date: 2009-05-27 20:21:16
Message-ID: 4A1DA0BC.3000106@hagander.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

Magnus Hagander wrote:
> Tom Lane wrote:
>> Peter Koczan <pjkoczan(at)gmail(dot)com> writes:
>>> This is trust authentication with one rather inconsequential bit of
>>> verification, that's a fundamental breakage. One of the major points
>>> of Kerberos is that, for anything that talks Kerberos, you are the
>>> principal in that ticket. I understand the desire to change some of
>>> that old code, but why is that principal being ignored?
>> Well, the reason for that change was that the libpq code was absorbing
>> userid from any available Kerberos ticket, even if the server
>> subsequently issued a non-Kerberos authentication challenge. I still
>> think that was wrong. What your complaint seems to suggest is that
>> the server-side Kerberos auth code should be insisting that the supplied
>> principal's first component match the requested database userid.
>> I kinda thought we *had* been doing that, but can't claim to have read
>> that code closely. Magnus?
>
> We are certainly *supposed* to do that. And we have been doing that. So
> if that's not done, it's been broken in 8.4 (most likely by me).
>
> Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
> but from your messages it looks like you have gssapi?
>
> Can you show us your pg_hba.conf file, and all lines with krb in them
> from postgresql.conf?
>
> Also, can you try it with the server set to log at DEBUG4, and let us
> know what output you get?

Crap, I think I found the problem.

Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
"return ret" not "return STATUS_OK".

Wow, that's a bad bug :-O

//Magnus

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Peter Koczan 2009-05-27 20:40:40 Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Previous Message Magnus Hagander 2009-05-27 20:15:14 Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal