Re: patch to add krb_server_hostname to postgresql.conf - Mailing list pgsql-patches

 > Todd Kover <kovert@omniscient.com> writes:
 >
 > > The attached patch adds a directive to the config file,
 > > krb_server_hostname that allows the hostname that service tickets
 > > are obtained against to be different from the hostname of the db
 > > server.
 >
 > Why is this necessary?

It's largely useful in combination with restricting the interfaces
listened to via the listen_addresses directive in the config file.  As
the code works now you can only connect via kerberos with a service
principal derived from the hostname of the box rather than any dns name
associated with any of the box's interfaces.

For example, if the server is named server0.example.com, but the db is
bound to db.example.com via the listen_addresses directive, the pgsql
server won't authenticate properly.

Similarly, if server0.example.com is one interface and
server1.example.com is another, and the hostname is server.example.com
but doesn't correspond to any interfaces, connecting to neither will
work.

 > If it is necessary, wouldn't something similar be needed at the
 > client end as well?

No.  The decision of which principal to obtain a service ticket for is
based on what it connects to.

In the first above example, if running:

    psql -h server0.example.com

the client would obtain a service ticket for
postgres/server0.example.com.  If running:

    psql -h db.example.com

it would obtain a service ticket for postgres/db.example.com, and
without the directive I'm adding, it would fail to establish a
connection because the server wouldn't be expecting that.  Of course,
adding the directive would make the first case fail and the second
pass.  This works fine for our environment since we're binding to
db.example.com.

(as an aside, it's actually a bit more complicated then this since the
way the kerberos libraries are used, db.example.com is canonicalized, so
if it were a CNAME for server0.example.com it would do the right thing,
but we're using an A record).

 > I'd have thought that host information would be established by some
 > sort of system-wide configuration file, not by per-program options.

Different applications can use different service principals.  The use
of the hostname in the principal name at all is an application-specific
decision.  The krb5 api encourages it to be a DNS hostname pretty
strongly in the way it works, but it's not cast in stone.

However, other kerberos clients will accept using any kerberos principal
in the keytab but postgresql as shipped requires it to match the
hostname.  If you want that behavior instead, then change pg_krb5_server
to NULL when calling krb5_recvauth in src/backend/libpq/auth.c and it
won't require that the hostnames match. (but it's still necessary for
something to match).

The second patch (kovert-krb5-patch-newbehavior.txt) makes the default
behavior to accept any principal in the keytab.  This means that people
using kerberos will continue to work, but they'll be slightly more broad
in what they accept as a valid service principal (I suspect there's very
few people in the world who care about this since it still needs to be
something in the keytab).

I left the implementation of krb_server_hostname so that someone can
define this if they want. (and if they want to make it behave like
versions of pgsql up until now, they'd need to set it to the hostname).

The second patch's default case makes pgsql match the behavior of
eklogind (kerberized rlogind that ships with MIT kerberos) and the
gssapi/krb5-aware version of sshd and probably numerous other things.

 > Also, the available documentation says that PG_KRB_SRVNAM is a
 > service name, not a host name, so I feel like there's something wrong
 > with your description of what you're doing.

indeed, there was something wrong with what I was doing.  PG_KRB_SRVNAM
defaults to 'postgres' rather than the hostname.  This was fallout from
when I was first developing the patch.

The absence of the krb_server_hostname config flag should have left the
default behavior in place, it wasn't.  I just tested this patch against
both cases on a dev box and it works as expected.

both patches are against 8.0.0rc3.  The first implements what I
originally was doing without changing the default, the second changes
the default to be more accepting and also implements the directive in
case someone wants to go back to the old behavior.

-Todd

Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: postgresql-8.0.0rc3/doc/src/sgml/runtime.sgml,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- doc/src/sgml/runtime.sgml    26 Dec 2004 23:06:56 -0000    1.1.1.1
+++ doc/src/sgml/runtime.sgml    3 Jan 2005 23:18:44 -0000    1.2
@@ -952,6 +952,20 @@
       </listitem>
      </varlistentry>

+     <varlistentry id="guc-krb_server_hostname" xreflabel="krb_server_hostname">
+      <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
+      <indexterm>
+       <primary><varname>krb_server_hostname</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Sets the hostname that service tickets will be obtained against
+    (defaults to the hostname of the postgresql server)
+        <xref linkend="kerberos-auth"> for details.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
       <term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>
       <indexterm>
Index: src/backend/libpq/auth.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/backend/libpq/auth.c,v
retrieving revision 1.1.1.1
retrieving revision 1.3
diff -u -r1.1.1.1 -r1.3
--- src/backend/libpq/auth.c    31 Dec 2004 21:59:50 -0000    1.1.1.1
+++ src/backend/libpq/auth.c    4 Jan 2005 11:14:08 -0000    1.3
@@ -41,6 +41,7 @@
 static int    recv_and_check_password_packet(Port *port);

 char       *pg_krb_server_keyfile;
+char       *pg_krb_server_hostname = NULL;

 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -215,9 +222,10 @@
         return STATUS_ERROR;
     }

-    retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
-                                     KRB5_NT_SRV_HST, &pg_krb5_server);
-    if (retval)
+    retval = krb5_sname_to_principal(pg_krb5_context,
+                pg_krb_server_hostname, PG_KRB_SRVNAM,
+                 KRB5_NT_SRV_HST, &pg_krb5_server);
+     if (retval)
     {
         ereport(LOG,
          (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
Index: src/backend/utils/misc/guc.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/backend/utils/misc/guc.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/backend/utils/misc/guc.c    20 Dec 2004 18:15:07 -0000    1.1.1.1
+++ src/backend/utils/misc/guc.c    3 Jan 2005 14:59:45 -0000    1.2
@@ -1546,6 +1546,15 @@
     },

     {
+        {"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+            gettext_noop("Sets the hostname of the Kerberos server."),
+            NULL
+        },
+        &pg_krb_server_hostname,
+        NULL, NULL, NULL
+    },
+
+    {
         {"rendezvous_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
             gettext_noop("Sets the Rendezvous broadcast service name."),
             NULL
Index: src/bin/psql/tab-complete.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/bin/psql/tab-complete.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/bin/psql/tab-complete.c    24 Dec 2004 15:42:05 -0000    1.1.1.1
+++ src/bin/psql/tab-complete.c    3 Jan 2005 14:59:46 -0000    1.2
@@ -552,6 +552,7 @@
         "geqo_threshold",
         "join_collapse_limit",
         "krb_server_keyfile",
+        "krb_server_hostname",
         "lc_messages",
         "lc_monetary",
         "lc_numeric",
Index: src/include/libpq/auth.h
===================================================================
RCS file: postgresql-8.0.0rc3/src/include/libpq/auth.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/include/libpq/auth.h    31 Dec 2004 22:03:32 -0000    1.1.1.1
+++ src/include/libpq/auth.h    3 Jan 2005 14:59:47 -0000    1.2
@@ -27,5 +27,6 @@
 #define PG_KRB5_VERSION "PGVER5.1"

 extern char *pg_krb_server_keyfile;
+extern char *pg_krb_server_hostname;

 #endif   /* AUTH_H */
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: postgresql-8.0.0rc3/doc/src/sgml/runtime.sgml,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- doc/src/sgml/runtime.sgml    26 Dec 2004 23:06:56 -0000    1.1.1.1
+++ doc/src/sgml/runtime.sgml    3 Jan 2005 23:18:44 -0000    1.2
@@ -952,6 +952,20 @@
       </listitem>
      </varlistentry>

+     <varlistentry id="guc-krb_server_hostname" xreflabel="krb_server_hostname">
+      <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
+      <indexterm>
+       <primary><varname>krb_server_hostname</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Sets the hostname that service tickets will be obtained against
+    (the default is any accept any service principal in the keytab)
+        <xref linkend="kerberos-auth"> for details.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
       <term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>
       <indexterm>
Index: src/backend/libpq/auth.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/backend/libpq/auth.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 auth.c
--- src/backend/libpq/auth.c    31 Dec 2004 21:59:50 -0000    1.1.1.1
+++ src/backend/libpq/auth.c    4 Jan 2005 12:09:45 -0000
@@ -41,6 +41,7 @@
 static int    recv_and_check_password_packet(Port *port);

 char       *pg_krb_server_keyfile;
+char       *pg_krb_server_hostname = NULL;

 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -215,19 +216,24 @@
         return STATUS_ERROR;
     }

-    retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
-                                     KRB5_NT_SRV_HST, &pg_krb5_server);
-    if (retval)
-    {
-        ereport(LOG,
-         (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-                 PG_KRB_SRVNAM, retval)));
-        com_err("postgres", retval,
-                "while getting server principal for service \"%s\"",
-                PG_KRB_SRVNAM);
-        krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-        krb5_free_context(pg_krb5_context);
-        return STATUS_ERROR;
+    if(pg_krb_server_hostname) {
+        retval = krb5_sname_to_principal(pg_krb5_context,
+                    pg_krb_server_hostname, PG_KRB_SRVNAM,
+                     KRB5_NT_SRV_HST, &pg_krb5_server);
+         if (retval)
+        {
+            ereport(LOG,
+             (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+                     PG_KRB_SRVNAM, retval)));
+            com_err("postgres", retval,
+                    "while getting server principal for service \"%s\"",
+                    PG_KRB_SRVNAM);
+            krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+            krb5_free_context(pg_krb5_context);
+            return STATUS_ERROR;
+        }
+    } else {
+        pg_krb5_server = NULL;
     }

     pg_krb5_initialised = 1;
Index: src/backend/utils/misc/guc.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/backend/utils/misc/guc.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/backend/utils/misc/guc.c    20 Dec 2004 18:15:07 -0000    1.1.1.1
+++ src/backend/utils/misc/guc.c    3 Jan 2005 14:59:45 -0000    1.2
@@ -1546,6 +1546,15 @@
     },

     {
+        {"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+            gettext_noop("Sets the hostname of the Kerberos server."),
+            NULL
+        },
+        &pg_krb_server_hostname,
+        NULL, NULL, NULL
+    },
+
+    {
         {"rendezvous_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
             gettext_noop("Sets the Rendezvous broadcast service name."),
             NULL
Index: src/bin/psql/tab-complete.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/bin/psql/tab-complete.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/bin/psql/tab-complete.c    24 Dec 2004 15:42:05 -0000    1.1.1.1
+++ src/bin/psql/tab-complete.c    3 Jan 2005 14:59:46 -0000    1.2
@@ -552,6 +552,7 @@
         "geqo_threshold",
         "join_collapse_limit",
         "krb_server_keyfile",
+        "krb_server_hostname",
         "lc_messages",
         "lc_monetary",
         "lc_numeric",
Index: src/include/libpq/auth.h
===================================================================
RCS file: postgresql-8.0.0rc3/src/include/libpq/auth.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/include/libpq/auth.h    31 Dec 2004 22:03:32 -0000    1.1.1.1
+++ src/include/libpq/auth.h    3 Jan 2005 14:59:47 -0000    1.2
@@ -27,5 +27,6 @@
 #define PG_KRB5_VERSION "PGVER5.1"

 extern char *pg_krb_server_keyfile;
+extern char *pg_krb_server_hostname;

 #endif   /* AUTH_H */

pgsql-patches by date:

Previous
From: Kris Jurka
Date:
Subject: Re: Implementing RESET CONNECTION ...
Next
From: Oliver Jowett
Date:
Subject: Re: Implementing RESET CONNECTION ...