Re: patch to add krb_server_hostname to postgresql.conf - Mailing list pgsql-patches

From Bruce Momjian
Subject Re: patch to add krb_server_hostname to postgresql.conf
Msg-id 200506050202.j5522NS15909@candle.pha.pa.us
In response to Re: patch to add krb_server_hostname to postgresql.conf  (Todd Kover <kovert@omniscient.com>)
List pgsql-patches
Updated description added.

Your patch has been added to the PostgreSQL unapplied patches list at:

    http://momjian.postgresql.org/cgi-bin/pgpatches

It will be applied as soon as one of the PostgreSQL committers reviews
and approves it.

---------------------------------------------------------------------------


Todd Kover wrote:
>
>  > >> Why is this necessary?
>  >
>  > > It's largely useful in combination with restricting the interfaces
>  > > listened to via the listen_addresses directive in the config file.  As
>  > > the code works now you can only connect via kerberos with a service
>  > > principal derived from the hostname of the box rather than any dns name
>  > > associated with any of the box's interfaces.
>  >
>  > Hmm.  I guess I was confusing this with the --with-krb-srvnam configure
>  > directive, and expecting that it ought to convert that from a
>  > frozen-at-configure value into a run-time-configuration variable.
>  > What is the relationship of these two values, anyway?
>
> A service principal is often of the form something/hostname@REALM, and
> by default in postgres, the "something" is postgres and as it is today,
> hostname is what gethostbyname() returns.
>
> A complete service principal might be: postgres/db.example.com@EXAMPLE.COM.
> The --with-krb-srvname changes this.
>
>  > The documentation additions are pretty poor in both proposed patches;
>  > they do nothing to clear up any confusion.
>
> Indeed, if you're not familiar with kerberos conventions this won't make
> too much sense.  Actually, the use of 'srvname' is kind of confusing.  I
> originally thought the hostname was compiled in by default.
>
> I'd imagine most people wouldn't want to change it and if they did it
> probably would be site wide.
>
> Something like:
>
>     sets the hostname that the postgres server will require to be
>     used for service principals. This is combined with the value
>     specified at configure time with --with-krb-srvnam (defaulting
>     to postgres). Assuming the default of postgres, the service
>     principal would be of the form postgres/specified_hostname@REALM.
>
>     The default is to allow any service principal matching an entry
>     in the keytab.
>
> (or)
>
>     The default is the hostname of the postgres server.
>
> depending on which patch.  That would have cleared up the confusion for
> me, anyway.
>
> -Todd
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
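As an added illustration of the principal-naming rules discussed in the thread (example code, not PostgreSQL's own; the realm, hostnames and keytab contents are constructed), this models how --with-krb-srvnam, krb_server_hostname and the two proposed defaults combine to decide which service principal the server will accept:

```python
import socket

# Added example modelling the thread's proposal; not PostgreSQL's own code.
# A Kerberos service principal has the form service/hostname@REALM.
REALM = "EXAMPLE.COM"
# Constructed keytab contents: one key per DNS name the box answers on.
KEYTAB = {
    "postgres/db.example.com@EXAMPLE.COM",
    "postgres/db-internal.example.com@EXAMPLE.COM",
}


def build_service_principal(hostname=None, service="postgres", realm=REALM):
    """Expected principal. `service` stands for the --with-krb-srvnam value,
    `hostname` for krb_server_hostname; with no hostname configured the box's
    own name is used, as the unpatched code does via gethostbyname()."""
    if hostname is None:
        hostname = socket.gethostname()
    return f"{service}/{hostname}@{realm}"


def parse_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm); None if malformed."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        return None
    service, sep, host = name.partition("/")
    if not sep or not service or not host:
        return None
    return service, host, realm


def acceptable_principal(presented, krb_server_hostname=None,
                         unset_means="keytab", service="postgres", keytab=KEYTAB):
    """Would the server honour a ticket for `presented`?

    krb_server_hostname set       -> only service/that_host@REALM, whatever
                                     else the keytab holds.
    unset, unset_means="keytab"   -> any principal with a key in the keytab
                                     (first patch's default).
    unset, unset_means="hostname" -> only the box's own hostname
                                     (second patch's default).
    """
    parts = parse_principal(presented)
    if parts is None:
        return False
    svc, host, realm = parts
    if svc != service or realm != REALM:
        return False
    if krb_server_hostname is not None:
        return host == krb_server_hostname
    if unset_means == "keytab":
        return presented in keytab
    return host == socket.gethostname()
```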
