Re: BUG #5559: Full SSL verification fails when hostaddr provided

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> ... btw, the libpq documentation claims that
>>
>> If hostaddr is specified without host, the value for hostaddr
>> gives the remote address. When Kerberos is used, a reverse name
>> query occurs to obtain the host name for Kerberos.
>>
>> but so far as I can see this is flat wrong. pg_krb5_sendauth throws
>> an error if you didn't provide a host name, and so do the other places
>> in fe-auth.c that need the host name. What we're about to do to SSL
>> verification will match that. So I think the docs need a fix here.

> I think the confusion here is that the *Kerberos* libraries do the
> reverse-DNS lookup to get the hostname to request as part of the
> principal. It's true that we don't, but that doesn't mean it's not
> done. Not sure where or if we need to discuss how Kerberos works in the
> libpq documentation or what the context is for the above, but I'm pretty
> sure that's where the original wording came from.

Yeah, but the code in fe-auth.c throws an error before the Kerberos
libraries get a chance to do any such thing. I suppose that the
documentation text was accurate when written, but that was a long time
ago.

[ pokes in CVS a bit... ] It looks like the insistence that pghost be
supplied was added by Magnus on 2005-03-25, probably because the Windows
version of Kerberos didn't handle the case correctly; and it's been that
way in every release later than 8.0.1.
http://archives.postgresql.org/pgsql-committers/2005-03/msg00355.php
http://archives.postgresql.org/pgsql-committers/2005-03/msg00356.php

That patch did not adjust the documentation wording, but evidently
should have. (The claim about a reverse lookup has been in the docs
at least since 7.0.) Given the lack of complaints in the past five
years, I'm not interested in trying to go back to the old behavior,
but we do need to fix the docs.

regards, tom lane