Re: Kerberos authentication, Active Directory, and PostgreSQL

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>
Cc: "Turner, Ian" <Ian(dot)Turner(at)deshaw(dot)com>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>, "Silverman, Richard" <res(at)deshaw(dot)com>
Subject: Re: Kerberos authentication, Active Directory, and PostgreSQL
Date: 2009-10-13 13:36:54
Message-ID: 9837222c0910130636t24647743m290ff6e63b3848d8@mail.gmail.com
Lists: pgsql-bugs

2009/10/13 Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>:
> Turner, Ian wrote:
>> While trying to connect our PostgreSQL database to our Kerberos realm, we encountered the obscure message "Invalid message length". Tracking this down, we discovered that it was emitted by src/backend/libpq/pqcomm.c in response to a rather large Kerberos message. The root cause is as follows, and a patch is below.
>>
>> The code in src/backend/libpq/auth.c contains a hard-coded limit on the size of GSS messages, and in particular on the message containing the client's Kerberos ticket for the postgres server. The limit was 2,000 bytes, which is normally adequate for tickets based on TGTs issued by Unix KDCs. However, TGTs issued by Windows domain controllers contain an authorization field known as the PAC (privilege attribute certificate), which contains the user's Windows permissions (group memberships etc.). The PAC is copied into all tickets obtained on the basis of this TGT (even those issued by Unix realms which the Windows realm trusts), and can be several K in size. Thus, GSS authentication was failing with an "invalid message length" error. We simply upped the limit to 32k, which ought to be sufficient.
>>
>> The patch is quite brief:
>>
>> --- postgresql-8.4-8.4.1/src/backend/libpq/auth.c       2009-06-25 12:30:08.000000000 +0100
>> +++ postgresql-8.4-8.4.1-fixed/src/backend/libpq/auth.c 2009-09-15 20:27:01.000000000 +0100
>> @@ -166,6 +166,8 @@
>>  #endif
>>
>>  static int     pg_GSS_recvauth(Port *port);
>> +
>> +#define GSS_MAX_TOKEN_LENGTH (32767)
>>  #endif   /* ENABLE_GSS */
>>
>>
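Review bot: the added "#define GSS_MAX_TOKEN_LENGTH (32767)" has no comment saying where 32767 comes from, and it sits directly above "#endif   /* ENABLE_GSS */", so the constant exists only in GSS builds. A short comment tying the value to the ticket sizes described in the report would help the next reader, and if another receive path is meant to share the limit, the define needs to move outside this guard.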
>> @@ -937,7 +939,7 @@
>>
>>                 /* Get the actual GSS token */
>>                 initStringInfo(&buf);
>> -               if (pq_getmessage(&buf, 2000))
>> +               if (pq_getmessage(&buf, GSS_MAX_TOKEN_LENGTH))
>>                 {
>>                         /* EOF - pq_getmessage already logged error */
>>                         pfree(buf.data);
>>
>>
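Review bot: in the failure branch after "pq_getmessage(&buf, GSS_MAX_TOKEN_LENGTH)", the comment still reads "EOF - pq_getmessage already logged error", but a token longer than the limit lands in the same branch, which is the case this report started from. Suggest rewording the comment to cover both EOF and an over-limit length, so it is clear that the bound is enforced at this call.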
>> Please let me know if anything additional is required in order to get this fix into the next release.
>
> The corresponding limit in pg_SSPI_recvauth() probably needs to be
> raised too..

Probably, but not entirely certainly. Given how SSPI works.

But for consistency that would certainly be a good idea :-)

> pq_getmessage() doesn't necessarily need a limit, we could accept
> arbitrarily long tokens. Although I guess we want to avoid simple
> denial-of-service attacks exhausting backend memory.

Yeah.
FWIW, the default max token size on Win2k is ~8Kb. In some service
pack and then in Win2003, it was increased to 12Kb. But it is possible
to increase that by a registry key on the domain controller - and I
read somewhere that Win2008 actually will increase this size
dynamically.

Actually, I found a note that said it's recommended to never increase
it above 65535 - so perhaps we should put our limit at that instead of
32767?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
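
The length bound discussed in this thread, as an added example (not PostgreSQL's code and not written by anyone in the thread): a simplified stand-alone model of a length-prefixed read that rejects an over-limit declared length before allocating anything. The function names, result codes and the 6000-byte token size are assumptions made for the example; 2000, 32767 and 65535 are the limits mentioned above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum { MSG_OK = 0, MSG_TRUNCATED = -1, MSG_BAD_LENGTH = -2, MSG_NOMEM = -3 };
/* Read one frame: 4-byte big-endian length (counting itself), then payload.
 * The declared length is checked against maxlen BEFORE anything is allocated,
 * so a forged header cannot force an allocation larger than maxlen. */
static int read_bounded_message(const uint8_t *in, size_t in_len, size_t maxlen,
                                uint8_t **payload, size_t *payload_len)
{
    if (in_len < 4)
        return MSG_TRUNCATED;
    uint32_t declared = ((uint32_t) in[0] << 24) | ((uint32_t) in[1] << 16) |
                        ((uint32_t) in[2] << 8) | (uint32_t) in[3];
    if (declared < 4 || declared - 4 > maxlen)
        return MSG_BAD_LENGTH;      /* the "invalid message length" case */
    size_t len = declared - 4;
    if (in_len - 4 < len)
        return MSG_TRUNCATED;       /* header promised more than arrived */
    if ((*payload = malloc(len ? len : 1)) == NULL)
        return MSG_NOMEM;
    memcpy(*payload, in + 4, len);
    *payload_len = len;
    return MSG_OK;
}

/* Frame a constructed token of token_len zero bytes and read it back under
 * the given limit; returns the reader's result code. */
static int try_token(size_t token_len, size_t maxlen)
{
    size_t frame_len = token_len + 4, got = 0;
    uint8_t *frame = calloc(1, frame_len), *payload = NULL;
    if (frame == NULL)
        return MSG_NOMEM;
    for (int i = 0; i < 4; i++)     /* big-endian length header */
        frame[i] = (uint8_t) (frame_len >> (8 * (3 - i)));
    int rc = read_bounded_message(frame, frame_len, maxlen, &payload, &got);
    free(payload);
    free(frame);
    return rc;
}

int main(void)
{
    size_t limits[] = { 2000, 32767, 65535 };   /* the limits named in the thread */
    for (int i = 0; i < 3; i++)                 /* 6000 bytes: constructed token size */
        printf("limit %zu: rc=%d\n", limits[i], try_token(6000, limits[i]));
}
```

Whatever limit is chosen is also the most memory a not-yet-authenticated peer can make the reader hold for one message, which is the trade-off between 32767 and 65535 raised above.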
