Re: Patch to add Heimdal kerberos support

From: Bill Studenmund <wrstuden(at)netbsd(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-patches(at)postgresql(dot)org>
Subject: Re: Patch to add Heimdal kerberos support
Date: 2001-11-13 00:03:51
Message-ID: Pine.NEB.4.33.0111121553370.24761-100000@vespasia.home-net.internetconnect.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-patches

On Mon, 12 Nov 2001, Tom Lane wrote:

> Bill Studenmund <wrstuden(at)netbsd(dot)org> writes:
> > Attached please find a patch to make Postgres compile with Heimdal krb5
> > support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> > implies MIT krb5 support.
>
> Couldn't we do this in a way that doesn't require a user configure switch?

Not that I know of. There are slight differences in the APIs, and Heimdal
needs a different set of libraries compiled in.

I'll ask around.

> --- src/backend/libpq/auth.c 2001/10/28 06:25:44 1.71
> +++ src/backend/libpq/auth.c 2001/11/12 22:32:00
> @@ -229,7 +229,7 @@
> " Kerberos error %d\n", retval);
> com_err("postgres", retval,
> "while getting server principal for service %s",
> - pg_krb_server_keyfile);
> + PG_KRB_SRVNAM);
> krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
>
> This change seems like a step backwards.

This patch really isn't Heimdal-related. If you look at the code
preceeding this, we are looking for the principal for service
PG_KRB_SRVNAM in the file pg_krb_server_keyfile. Unpatched, this error
message says,

"...error.. while getting server principal for service
/usr/local/psql/data/krb5.srvtab"

which makes no sense. It was really "... while getting server principal
for service postgres" for instance; PG_KRB_SRVNAM is the service name we
looked up, so it is the one we should mention.

>
> krb5_free_context(pg_krb5_context);
> return STATUS_ERROR;
> @@ -283,8 +283,13 @@
> *
> * I have no idea why this is considered necessary.
> */
> +#ifdef KRB5_MIT
> retval = krb5_unparse_name(pg_krb5_context,
> ticket->enc_part2->client, &kusername);
> +#else
> + retval = krb5_unparse_name(pg_krb5_context,
> + ticket->client, &kusername);
> +#endif
>
> If this is the only code change needed, couldn't we dispense with it

There is one more a little later on in the patch, in the front-end code.

> somehow? I notice that the previous authors of this code had grave
> doubts about comparing the username at all. I don't know much about
> Kerberos' security model --- is the fact that we got a ticket sufficient
> authentication, and if not why not?

I'll be honest that I'm still learning kerberos and all of the twists and
turns of its code.

I think the point is this test and the code after it makes sure that your
kerberos and your postgres usernames match. I think that's VERY important.

Otherwise I could log into kerberos as wrstuden and access postgres as
user tgl. That seems BAD to me. :-)

Take care,

Bill

In response to

Responses

Browse pgsql-patches by date

  From Date Subject
Next Message Tom Lane 2001-11-13 00:14:05 Re: Patch to add Heimdal kerberos support
Previous Message Tom Lane 2001-11-12 23:52:42 Re: Patch to add Heimdal kerberos support