[patch] krb5 authentication on multihomed server hosts

Lists: pgsql-bugs
From: Martin Pitt <martin(at)piware(dot)de>
To: PostgreSQL Bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: [patch] krb5 authentication on multihomed server hosts
Date: 2005-09-29 22:45:49
Message-ID: 20050929224549.GA9606@piware.de

Hi!

I recently got a Debian bug report [1] that says:

"It is not always possible to use krb5 authentication to a server
that is listening on multiple interfaces other than to the 'primary'
interface.

More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
the pg_krb5_server principal with a call to krb5_sname_to_principal
with NULL as the second argument (the hostname argument). This
invokes the hostname canonicalisation behaviour in the kerberos
library which has insufficient information to be able to return the
correct answer in all cases."

The bug report describes this a little deeper with a detailed
example. The reporter also proposes a patch, which I copied below for
your convenience. It looks pretty sane and is relatively unintrusive.
However, since I don't know much about Kerberos, I'd like to hear
another opinion.

Since this is in no way Debian specific, would you be interested in
fixing this upstream as well?

Thanks for considering and have a nice day!

Martin

--------------- snip -------------------
--- postgresql-7.4.7-old/src/backend/libpq/auth.c 2003-12-20 18:25:02.000000000 +0000
+++ postgresql-7.4.7/src/backend/libpq/auth.c 2005-07-25 19:55:26.000000000 +0100
@@ -216,8 +216,18 @@
return STATUS_ERROR;
}

- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ if( VirtualHost && VirtualHost[0] )
+ {
+ char *host=VirtualHost;
+ while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */
+ retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
+ KRB5_NT_SRV_HST, &pg_krb5_server);
+ }
+ else
+ {
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
KRB5_NT_SRV_HST, &pg_krb5_server);
+ }
if (retval)
{
ereport(LOG,
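Review bot: the two branches in this hunk differ only in the second argument to krb5_sname_to_principal, so the call and its `KRB5_NT_SRV_HST, &pg_krb5_server` tail are now duplicated; computing `host` first (NULL when VirtualHost is unset or empty, the trimmed string otherwise) and making a single call keeps the `if (retval)` error path below tied to one site. The trimming loop `while(*host==' ') host++;` strips leading spaces only, so a value with trailing whitespace would be handed to the library unchanged and produce a principal that matches no keytab entry; trimming both ends, or validating the setting where postmaster.c already parses it, avoids a silent mismatch. More broadly, the hunk reuses VirtualHost, a listen-address setting, as the Kerberos service hostname, which ties two unrelated decisions together; a dedicated setting for the service principal's hostname would let an administrator of a multihomed host choose the name clients actually use without changing what the postmaster binds to.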
--------------- snip -------------------

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?


From: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
To: Martin Pitt <martin(at)piware(dot)de>
Cc: PostgreSQL Bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: [patch] krb5 authentication on multihomed server hosts
Date: 2005-09-30 01:14:22
Message-ID: 200509300114.j8U1EMV20554@candle.pha.pa.us
Lists: pgsql-bugs


I think this is fixed in CVS and will be in 8.1. We now have in
postgresql.conf:

# Kerberos
#krb_server_keyfile = ''
#krb_srvname = 'postgres'
#krb_server_hostname = '(any)' # if not set, matches any keytab entry
#krb_caseins_users = off

---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi!
>
> I recently got a Debian bug report [1] that says:
>
> "It is not always possible to use krb5 authentication to a server
> that is listening on multiple interfaces other than to the 'primary'
> interface.
>
> More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
> the pg_krb5_server principal with a call to krb5_sname_to_principal
> with NULL as the second argument (the hostname argument). This
> invokes the hostname canonicalisation behaviour in the kerberos
> library which has insufficient information to be able to return the
> correct answer in all cases."
>
> The bug report describes this a little deeper with a detailed
> example. The reporter also proposes a patch, which I copied below for
> your convenience. It looks pretty sane and is relatively unintrusive.
> However, since I don't know much about Kerberos, I'd like to hear
> another opinion.
>
> Since this is in no way Debian specific, would you be interested in
> fixing this upstream as well?
>
> Thanks for considering and have a nice day!
>
> Martin
>
> --------------- snip -------------------
> --- postgresql-7.4.7-old/src/backend/libpq/auth.c 2003-12-20 18:25:02.000000000 +0000
> +++ postgresql-7.4.7/src/backend/libpq/auth.c 2005-07-25 19:55:26.000000000 +0100
> @@ -216,8 +216,18 @@
> return STATUS_ERROR;
> }
>
> - retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
> + if( VirtualHost && VirtualHost[0] )
> + {
> + char *host=VirtualHost;
> + while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */
> + retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
> + KRB5_NT_SRV_HST, &pg_krb5_server);
> + }
> + else
> + {
> + retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
> KRB5_NT_SRV_HST, &pg_krb5_server);
> + }
> if (retval)
> {
> ereport(LOG,
> --------------- snip -------------------
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049
>
> --
> Martin Pitt http://www.piware.de
> Ubuntu Developer http://www.ubuntu.com
> Debian Developer http://www.debian.org
>
> In a world without walls and fences, who needs Windows and Gates?
-- End of PGP section, PGP failed!

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
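The failure mode the bug report describes, and the two ways the thread resolves it (the patch's explicit hostname, and the unset-means-any-keytab-entry behaviour Bruce quotes for krb_server_hostname), can be shown without a KDC. The following C program is an added example written for this thread; it is not code from PostgreSQL or from either poster, and it makes no libkrb5 calls. The keytab contents, the realm EXAMPLE.ORG, the two interface names db-a/db-b, and the "canonicalisation returns the primary interface's name" stand-in are all constructed; `multihomed_auth` and the `host_policy` enum are hypothetical names introduced here.

```c
/*
 * Added example (not PostgreSQL code): simulates how the server's choice of
 * Kerberos service principal decides whether a client's ticket is accepted
 * on a multihomed host. All data below is constructed for the demonstration.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PRINC 128

/* Constructed stand-ins for the krb_srvname setting and the realm. */
static const char *const SERVICE = "postgres";
static const char *const REALM   = "EXAMPLE.ORG";

/* Constructed keytab: the host has two interfaces with distinct names and
 * the administrator has a service key for each. */
static const char *const KEYTAB[] = {
    "postgres/db-a.example.org@EXAMPLE.ORG",
    "postgres/db-b.example.org@EXAMPLE.ORG",
};
#define KEYTAB_LEN (sizeof KEYTAB / sizeof KEYTAB[0])

/* Constructed stand-in for hostname canonicalisation with a NULL hostname
 * argument: the library resolves the local host to a single "primary" name. */
static const char *const CANONICAL_LOCAL_HOST = "db-a.example.org";

enum host_policy {
    HOST_CANONICAL, /* 7.4 behaviour: krb5_sname_to_principal(ctx, NULL, ...) */
    HOST_EXPLICIT,  /* the patch / krb_server_hostname = 'name' */
    HOST_ANY        /* krb_server_hostname unset: any keytab entry matches */
};

/* Write svc/host@REALM into out with the host lower-cased, the conventional
 * form of a Kerberos service principal. */
static void compose_principal(const char *host, char *out, size_t n)
{
    char lower[MAX_PRINC];
    size_t i;

    for (i = 0; i + 1 < sizeof lower && host[i] != '\0'; i++)
        lower[i] = (char) tolower((unsigned char) host[i]);
    lower[i] = '\0';
    snprintf(out, n, "%s/%s@%s", SERVICE, lower, REALM);
}

/* The principal a client asks the KDC for when connecting to connect_host. */
void client_service_principal(const char *connect_host, char *out, size_t n)
{
    compose_principal(connect_host, out, n);
}

/* Server-side decision for a ticket issued to ticket_princ.
 * Returns 1 if the ticket is accepted, 0 if it is rejected. */
int server_accepts(enum host_policy policy, const char *explicit_host,
                   const char *ticket_princ)
{
    char want[MAX_PRINC];
    const char *host = NULL;
    size_t i;

    /* Every mode first needs a key for the ticket's principal in the keytab. */
    for (i = 0; i < KEYTAB_LEN; i++)
        if (strcmp(KEYTAB[i], ticket_princ) == 0)
            break;
    if (i == KEYTAB_LEN)
        return 0;

    if (policy == HOST_ANY)
        return 1;

    if (policy == HOST_EXPLICIT && explicit_host != NULL) {
        /* Same trimming as the patch: skip leading spaces in the setting. */
        while (*explicit_host == ' ')
            explicit_host++;
        if (*explicit_host != '\0')
            host = explicit_host;
    }
    /* An unset or empty explicit host falls back to canonicalisation, as the
     * patch's else branch does. */
    if (host == NULL)
        host = CANONICAL_LOCAL_HOST;

    compose_principal(host, want, sizeof want);
    return strcmp(want, ticket_princ) == 0;
}

/* One full exchange: client connects to connect_host, server applies policy. */
int multihomed_auth(enum host_policy policy, const char *explicit_host,
                    const char *connect_host)
{
    char ticket[MAX_PRINC];

    client_service_principal(connect_host, ticket, sizeof ticket);
    return server_accepts(policy, explicit_host, ticket);
}

int main(void)
{
    static const char *const hosts[] = { "db-a.example.org", "db-b.example.org" };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%-18s canonical=%d explicit(db-b)=%d any=%d\n", hosts[i],
               multihomed_auth(HOST_CANONICAL, NULL, hosts[i]),
               multihomed_auth(HOST_EXPLICIT, "  db-b.example.org", hosts[i]),
               multihomed_auth(HOST_ANY, NULL, hosts[i]));
    return 0;
}
```

With HOST_CANONICAL the server only ever accepts tickets for the primary interface's name, so a client that connected to db-b and therefore asked the KDC for postgres/db-b is turned away even though the key is in the keytab; that is the report's symptom. HOST_EXPLICIT fixes one name at the cost of rejecting the other, while HOST_ANY accepts any principal the keytab holds a key for, which is the behaviour Bruce's comment attributes to an unset krb_server_hostname. A principal with no keytab entry is rejected under every policy.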