| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: GSSAPI, SSPI - include_realm default |
| Date: | 2014-11-26 20:04:49 |
| Message-ID: | CABUevExE-QC767LO0LumtuLJAX4YwvGp2wYVLm1sr0qe=4mHRA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Nov 26, 2014 at 8:01 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Greetings,
>
> The include_realm default for GSSAPI and SSPI is currently
> 'include_realm=0', meaning that the realm is stripped off of the
> Kerberos principal (aka the 'system' username) prior to looking up the
> user in pg_authid.
>
> This is fine in a single-realm environment but extremely dangerous
> in a multi-realm environment, as user(at)REALMA is rarely the same as
> user(at)REALMB(dot) Worse, a given environment can go from single-realm to
> multi-realm with relative ease and most administrators aren't going to
> expect applications to have a problem with that change. Every other
> Kerberos-enabled application which I'm aware of requires either the
> full principal (including realm) be considered, or that the realm of
> the principal matches the realm of the system (which is what OpenSSH
> requires, as an example).
>
> As such, I'd like to propose changing the default to be
> 'include_realm=1'.
Per our previous discussions, but to make sure it's also on record for
others, +1 for this suggestion.
> Back when Kerberos support was originally added, we didn't have the
> pg_ident regex-based mapping capability. Today, users who wish to
> strip the realm off would be best served by configuring a mapping in
> pg_ident.conf which strips off exactly the realm name (or names, if
> they are multi-realm where the users actually are the same individuals
> in multiple realms) instead of using 'include_realm=0'.
>
> Users who really wish to strip off the realm for their environment
> would still be able to add 'include_realm=0' to their pg_hba.conf.
> We would recommend against that in the documentation, however, and
> explain how it's unsafe. I would recommend that this be coached as
> transistional support for users who wish to upgrade but don't want to
> (further) change their configuration immediately, with the implication
> that we might remove it some day.
>
> This would be done for 9.5 and we would need to note it in the release
> notes, of course.
I suggest we also backpatch some documentation suggesting that people
manually change the include_realm parameter (perhaps also with a note
saying that the default will change in 9.5).
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2014-11-26 20:05:59 | Re: GSSAPI, SSPI - include_realm default |
| Previous Message | Josh Berkus | 2014-11-26 20:00:56 | Re: bug in json_to_record with arrays |