krb5 authentication and multihomed server hosts - Mailing list pgsql-bugs

From pod@herald.ox.ac.uk (pod)
Subject krb5 authentication and multihomed server hosts
Date
Msg-id 20050726131430.0A5A03E76@plutonium.oucs.ox.ac.uk
Responses Re: krb5 authentication and multihomed server hosts  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
PostgreSQL-Version: 7.4.7
Operating-System: Debian GNU/Linux 3.1 (sarge)

It is not always possible to use krb5 authentication to a server that is
listening on multiple interfaces other than to the 'primary' interface.

More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in the
pg_krb5_server principal with a call to krb5_sname_to_principal with NULL
as the second argument (the hostname argument).  This invokes the hostname
canonicalisation behaviour in the kerberos library which has insufficient
information to be able to return the correct answer in all cases.

zero-credibility:~# host zero-credibility.oucs.ox.ac.uk
zero-credibility.oucs.ox.ac.uk has address 163.1.2.14
zero-credibility:~# host pgsql-dev.oucs.ox.ac.uk
pgsql-dev.oucs.ox.ac.uk has address 163.1.2.37
zero-credibility:~# netstat -nie # check interfaces are up
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:E0:81:63:D6:08
          inet addr:163.1.2.14  Bcast:163.1.2.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:81ff:fe63:d608/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4603401 errors:0 dropped:0 overruns:0 frame:0
          TX packets:197179 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:342050931 (326.2 MiB)  TX bytes:26094767 (24.8 MiB)
          Base address:0xa000 Memory:f4020000-f4040000

eth0:37   Link encap:Ethernet  HWaddr 00:E0:81:63:D6:08
          inet addr:163.1.2.37  Bcast:163.1.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0xa000 Memory:f4020000-f4040000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:222060 errors:0 dropped:0 overruns:0 frame:0
          TX packets:222060 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:94776903 (90.3 MiB)  TX bytes:94776903 (90.3 MiB)

zero-credibility:~# netstat -natp | grep 5432 # check postmaster is listening
tcp        0      0 0.0.0.:5432         0.0.0.0:*               LISTEN     25267/postmaster
zero-credibility:~# klist -k /etc/postgresql/krb5.keytab # confirm keytab contents
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/pgsql-dev.oucs.ox.ac.uk@OX.AC.UK
   3 postgres/pgsql-dev.oucs.ox.ac.uk@OX.AC.UK

[...flip to client...]

pod@plutonium$ psql -h pgsql-dev.oucs.ox.ac.uk template1 # try to connect
psql: Kerberos 5 authentication failed
pod@plutonium$ klist # confirm we got a service ticket
Ticket cache: FILE:/tmp/krb5cc_1000_rnx4Z0
Default principal: pod@OX.AC.UK

Valid starting     Expires            Service principal
07/26/05 09:48:01  07/26/05 19:48:01  krbtgt/OX.AC.UK@OX.AC.UK
07/26/05 13:26:33  07/26/05 19:48:01  postgres/pgsql-dev.oucs.ox.ac.uk@OX.AC.UK

[...back to server...]

zero-credibility:~# tail /var/log/postgresql/postgres.log
[...]
Jul 26 13:35:23 zero-credibility postgres[25963]: [1-1] LOG:  connection received: host=129.67.100.155 port=33718
Jul 26 13:35:23 zero-credibility postgres[25963]: [2-1] LOG:  Kerberos recvauth returned error -1765328240
Jul 26 13:35:23 zero-credibility postgres[25963]: [3-1] FATAL:  Kerberos5 authentication failed for user "pod"
zero-credibility:~# grep -e -1765328240 /usr/include/krb5.h # what is that err?
#define KRB5KRB_AP_WRONG_PRINC                   (-1765328240L)

I append a patch that 'fixes' behaviour for the limited case where a
virtual_host is specified in /etc/postgresql/postgresql.conf.  I'm not
sure it is possible to fix the INADDR_ANY case without changes to
krb5_recvauth() which is, of course, not your concern.

[...apply patch, run patched server...]

zero-credibility:~# grep -e virtual_host /etc/postgresql/postgresql.conf
virtual_host = '163.1.2.37'

[...try again on client...]

pod@plutonium$ psql -h pgsql-dev.oucs.ox.ac.uk template1
Welcome to psql 7.4.7, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

template1=> \q

--------------------
--- postgresql-7.4.7-old/src/backend/libpq/auth.c    2003-12-20 18:25:02.000000000 +0000
+++ postgresql-7.4.7/src/backend/libpq/auth.c    2005-07-25 19:55:26.000000000 +0100
@@ -216,8 +216,18 @@
         return STATUS_ERROR;
     }

-    retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+    if( VirtualHost && VirtualHost[0] )
+    {
+        char *host=VirtualHost;
+        while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */
+        retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
+                                     KRB5_NT_SRV_HST, &pg_krb5_server);
+    }
+    else
+    {
+        retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
                                      KRB5_NT_SRV_HST, &pg_krb5_server);
+    }
     if (retval)
     {
         ereport(LOG,
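Review bot: the two branches differ only in the hostname argument, so krb5_sname_to_principal() only needs to be called once; compute the host first (`char *host = NULL; if (VirtualHost && VirtualHost[0]) { host = VirtualHost; while (*host == ' ') host++; }`) and pass `host`, which also keeps a single error path below. Two smaller points on the new branch: only leading spaces are skipped, so a value with trailing whitespace reaches the library unchanged, and the NULL fallback still covers the INADDR_ANY case the cover note already flags as unfixed, which deserves a comment at the call site so the next reader knows the library, not the listening address, decides which host name goes into the principal there.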

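An added diagnostic, not part of the original report or of PostgreSQL's source, that models the principal selection described above: the kerberos library's hostname canonicalisation is replaced by a constructed lookup table (an assumption), the keytab listing and log line are constructed after the ones shown, and the virtual_host handling mirrors the patch, including its skipping of leading spaces.

```python
import re

# Error code and service name quoted in the report (krb5.h / PG_KRB_SRVNAM).
KRB5KRB_AP_WRONG_PRINC = -1765328240
SERVICE = "postgres"

# Constructed stand-in for the library's hostname canonicalisation (assumption):
# a NULL hostname maps to the machine's primary name; the virtual host's
# address or name maps to the name the keytab entry was issued for.
CANON = {
    None: "zero-credibility.oucs.ox.ac.uk",
    "163.1.2.37": "pgsql-dev.oucs.ox.ac.uk",
    "pgsql-dev.oucs.ox.ac.uk": "pgsql-dev.oucs.ox.ac.uk",
}

# Constructed keytab listing and server log line, modelled on the report.
KLIST = """Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- ------------------------------------------
   3 postgres/pgsql-dev.oucs.ox.ac.uk@OX.AC.UK
"""
LOG = ("Jul 26 13:35:23 zero-credibility postgres[25963]: [2-1] LOG:  "
       "Kerberos recvauth returned error -1765328240\n")

def server_principal(virtual_host, realm):
    """Mirror the patched pg_krb5_init(): when virtual_host is set, use it with
    leading spaces skipped (as postmaster.c does); otherwise hand the library
    NULL and let it pick the host name itself."""
    host = None
    if virtual_host:
        host = virtual_host.lstrip(" ")
    return f"{SERVICE}/{CANON.get(host, host)}@{realm}"

def keytab_principals(klist_output):
    """Extract the principal column from `klist -k` output."""
    return set(re.findall(r"^\s*\d+\s+(\S+)\s*$", klist_output, re.M))

def diagnose(virtual_host, realm, klist_output):
    """Report whether the principal the server would use has a keytab entry."""
    princ = server_principal(virtual_host, realm)
    if princ in keytab_principals(klist_output):
        return "ok", princ
    return "KRB5KRB_AP_WRONG_PRINC", princ

def recvauth_errors(log_text):
    """Name the krb5 codes in 'Kerberos recvauth returned error N' log lines."""
    codes = re.findall(r"recvauth returned error (-?\d+)", log_text)
    return ["KRB5KRB_AP_WRONG_PRINC" if int(c) == KRB5KRB_AP_WRONG_PRINC else c
            for c in codes]
```

With virtual_host unset the model picks the primary interface's name, which has no keytab entry, reproducing the mismatch behind the logged error; with the patched virtual_host branch the principal matches the keytab.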