Re: [patch] krb5 authentication on multihomed server hosts - Mailing list pgsql-bugs

| Field | Value |
|---|---|
| From | Bruce Momjian |
| Subject | Re: [patch] krb5 authentication on multihomed server hosts |
| Msg-id | 200509300114.j8U1EMV20554@candle.pha.pa.us |
| In response to | [patch] krb5 authentication on multihomed server hosts (Martin Pitt <martin@piware.de>) |
| List | pgsql-bugs |
I think this is fixed in CVS and will be in 8.1. We now have in postgresql.conf:

# Kerberos
#krb_server_keyfile = ''
#krb_srvname = 'postgres'
#krb_server_hostname = '(any)'  # if not set, matches any keytab entry
#krb_caseins_users = off

---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi!
>
> I recently got a Debian bug report [1] that says:
>
> "It is not always possible to use krb5 authentication to a server
> that is listening on multiple interfaces other than to the 'primary'
> interface.
>
> More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
> the pg_krb5_server principal with a call to krb5_sname_to_principal
> with NULL as the second argument (the hostname argument). This
> invokes the hostname canonicalisation behaviour in the kerberos
> library which has insufficient information to be able to return the
> correct answer in all cases."
>
> The bug report describes this a little deeper with a detailed
> example. The reporter also proposes a patch, which I copied below for
> your convenience. It looks pretty sane and is relatively unintrusive.
> However, since I don't know much about Kerberos, I'd like to hear
> another opinion.
>
> Since this is in no way Debian specific, would you be interested in
> fixing this upstream as well?
>
> Thanks for considering and have a nice day!
>
> Martin
>
> --------------- snip -------------------
> --- postgresql-7.4.7-old/src/backend/libpq/auth.c 2003-12-20 18:25:02.000000000 +0000
> +++ postgresql-7.4.7/src/backend/libpq/auth.c 2005-07-25 19:55:26.000000000 +0100
> @@ -216,8 +216,18 @@ > return STATUS_ERROR; > } > > - retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM, > + if( VirtualHost && VirtualHost[0] ) > + { > + char *host=VirtualHost; > + while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */ > + retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM, > + KRB5_NT_SRV_HST, &pg_krb5_server); > + } > + else > + { > + retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM, > KRB5_NT_SRV_HST, &pg_krb5_server); > + } > if (retval) > { > ereport(LOG, > --------------- snip ------------------- > > > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049 > > -- > Martin Pitt http://www.piware.de > Ubuntu Developer http://www.ubuntu.com > Debian Developer http://www.debian.org > > In a world without walls and fences, who needs Windows and Gates? -- End of PGP section, PGP failed! -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
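Review bot: the two branches of the new if/else duplicate the krb5_sname_to_principal call; computing `host` first (the trimmed VirtualHost, or NULL when virtual_host is unset) and making a single call is simpler and leaves one place to maintain. More substantively, the patch silently couples the Kerberos service principal to virtual_host, so changing the listen address changes which keytab entry the server requires; a dedicated setting (as krb_server_hostname does in 8.1) keeps the two concerns apart and is easier to document. Also worth checking before merging: when virtual_host holds an IP literal rather than a hostname, krb5_sname_to_principal with KRB5_NT_SRV_HST can still canonicalise it through a DNS reverse lookup (depending on the library's settings), so the ambiguity the reporter describes may remain on such configurations.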
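Added illustration, not part of this thread or of PostgreSQL's code: a small Python model of the failure Martin quotes and of the 8.1 krb_server_hostname setting Bruce mentions. The realm, hostnames, reverse-DNS table and keytab listing are constructed, and the '(any)' matching is a simplification of the server's behaviour, not its code.

```python
"""Model of the multihomed Kerberos failure discussed in this thread.
Constructed data only: no real Kerberos library or keytab is touched."""

SERVICE = "postgres"
REALM = "EXAMPLE.COM"          # constructed realm

# Stand-in for the library's canonicalisation when pg_krb5_init passes a
# NULL hostname: it resolves whatever address it picks, which on a
# multihomed host need not be the interface the client connected to.
REVERSE_DNS = {                # constructed reverse-lookup table
    "192.0.2.10": "db-front.example.com",
    "192.0.2.20": "db-back.example.com",
}

# Constructed `klist -k` style listing: only the front interface is enrolled.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- -------------------------------------------
   3 postgres/db-front.example.com@EXAMPLE.COM
   3 host/db-front.example.com@EXAMPLE.COM
"""


def keytab_principals(klist_text):
    """Return the set of principals named in a klist-style listing."""
    principals = set()
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals


def server_principal_ok(klist_text, listen_addr, krb_server_hostname=None):
    """Can the server find a keytab entry for the principal it will use?

    None     -> library canonicalisation of the listen address (pre-8.1)
    '(any)'  -> accept any postgres/<host> entry (8.1 default, modelled)
    hostname -> explicit postgres/<hostname>@REALM (8.1 krb_server_hostname)
    """
    keytab = keytab_principals(klist_text)
    if krb_server_hostname == "(any)":
        return any(p.startswith(SERVICE + "/") for p in keytab)
    host = (REVERSE_DNS[listen_addr] if krb_server_hostname is None
            else krb_server_hostname)
    return f"{SERVICE}/{host}@{REALM}" in keytab
```

Connecting through the second interface fails under the old behaviour, while either an explicit hostname or '(any)' makes it succeed with the same keytab.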