Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2 - Mailing list pgsql-patches

From: Bruce Momjian
Subject: Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2
Msg-id: 200510132247.j9DMlAp12913@candle.pha.pa.us
In response to: Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2 (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-patches
Tom Lane wrote:
> BTW, it appears to me that this patch has also broken the claim in the
> manual that
>
> If [krb_server_hostname is] not set, the default is to allow any
> service principal matching an entry in the keytab.
>
> The reason that was true was that we passed a NULL "server" value to
> krb5_recvauth(), which with this patch we never do anymore.
>
> I'm not sure if this represents a serious loss of flexibility or not,
> but in any case the documentation needs an update.

I did some research on this and I think I have the answer.  The original
patch came from here (I have CC'ed the author):

        http://archives.postgresql.org/pgsql-patches/2005-06/msg00293.php

I applied his second patch.  As part of that patch he states:

> The second patch (kovert-krb5-patch-newbehavior.txt) makes the default
> behavior to accept any principal in the keytab.  This means that people
> using kerberos will continue to work, but they'll be slightly more
> broad in what they accept as a valid service principal (I suspect
> there's very few people in the world who care about this since it still
> needs to be something in the keytab).

Now, our code has been modified since his patch was applied, but we now
have:

    /*
     * If no hostname was specified, pg_krb_server_hostname is already
     * NULL. If it's set to blank, force it to NULL.
     */
    khostname = pg_krb_server_hostname;
    if (khostname && khostname[0] == '\0')
        khostname = NULL;

    retval = krb5_sname_to_principal(pg_krb5_context,
                                     khostname,
                                     pg_krb_srvnam,
                                     KRB5_NT_SRV_HST,
                                     &pg_krb5_server);

The basic effect is that if the GUC krb_server_hostname is empty/NULL,
krb5_sname_to_principal() gets called with a 2nd argument (hostname) of
NULL.  The documentation for this function says for this argument:

    http://publib.boulder.ibm.com/iseries/v5r1/ic2924/index.htm?info/apis/krb5list.htm

    hostname  (Input)

    The host containing the desired service instance. The local host is used
    if NULL is specified for this parameter.

This says it doesn't accept any service entry in the keytab, but rather
binds the server hostname to 'localhost'.  I think this is why it wasn't
working for Magnus.

I have applied the following patch which updates the documentation to
reflect 'localhost', and improves the error message to always print the
server name as well as the service name.  (We have had complaints about
poor Kerberos error messages before.)

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
Index: doc/src/sgml/config.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
retrieving revision 1.27
diff -c -c -r1.27 config.sgml
*** doc/src/sgml/config.sgml    13 Oct 2005 20:58:42 -0000    1.27
--- doc/src/sgml/config.sgml    13 Oct 2005 22:43:43 -0000
***************
*** 596,604 ****
          <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
         </para>
         <para>
!         If not set, the default is to allow any service principal matching an entry
!         in the keytab.  See <xref linkend="kerberos-auth"> for details.
!         This parameter can only be set at server start.
         </para>
        </listitem>
       </varlistentry>
--- 596,603 ----
          <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
         </para>
         <para>
!         If not set, the default is <literal>localhost</>.  See <xref linkend="kerberos-auth">
!         for details.  This parameter can only be set at server start.
         </para>
        </listitem>
       </varlistentry>
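Review bot: the new sentence `If not set, the default is <literal>localhost</>.` reads as though the service principal becomes krb_srvname/localhost@REALM, but the krb5_sname_to_principal() documentation quoted earlier in this message says a NULL hostname means "the local host", i.e. the library fills in this machine's own host name and the keytab entry it then needs is krb_srvname/<local host name>@REALM. Suggest wording along the lines of `If not set, the default is the name of the local host.` so a reader knows which keytab entry must exist; dropping the old claim about accepting any matching keytab entry is correct, since the server now always resolves to a single principal.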
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.128
diff -c -c -r1.128 auth.c
*** src/backend/libpq/auth.c    8 Oct 2005 19:32:57 -0000    1.128
--- src/backend/libpq/auth.c    13 Oct 2005 22:43:44 -0000
***************
*** 162,172 ****
      if (retval)
      {
          ereport(LOG,
!                 (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
!                         pg_krb_srvnam, retval)));
          com_err("postgres", retval,
!                 "while getting server principal for service \"%s\"",
!                 pg_krb_srvnam);
          krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
          krb5_free_context(pg_krb5_context);
          return STATUS_ERROR;
--- 162,172 ----
      if (retval)
      {
          ereport(LOG,
!                 (errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d",
!                         khostname ? khostname : "localhost", pg_krb_srvnam, retval)));
          com_err("postgres", retval,
!                 "while getting server principal for server \"%s\" for service \"%s\"",
!                 khostname ? khostname : "localhost", pg_krb_srvnam);
          krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
          krb5_free_context(pg_krb5_context);
          return STATUS_ERROR;
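Review bot: both new messages print the literal string "localhost" when khostname is NULL (`khostname ? khostname : "localhost"`), but in that case the library is resolving the local host's own name, so an administrator who sees `sname_to_principal("localhost", "postgres")` in the log will go looking for the wrong keytab entry. Suggest a placeholder that describes the situation instead of naming a host, e.g. `khostname ? khostname : "(local host)"`, and since the same ternary is repeated in the ereport and com_err calls, hoisting it into one variable before the `if (retval)` block keeps the two messages from drifting apart.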

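As an added example (not part of this patch or of the PostgreSQL sources), here is a small POSIX shell check a DBA can run after this change: with krb_server_hostname unset, the server binds to exactly one principal, krb_srvname/<local host name>@REALM, so the keytab the server reads must contain that entry. The host names, realm and the `klist -k` listing below are constructed; on a real server the output of `klist -k` and `hostname -f` would replace them.

```shell
#!/bin/sh
# Added example; not from the patch or the PostgreSQL sources.
# After this change an unset/blank krb_server_hostname makes the server
# look up one principal, <krb_srvname>/<local host name>@REALM, so the
# keytab must contain that entry.  These helpers check a `klist -k`
# listing (MIT Kerberos format) for the principal the server will use.
# Host names, realm and keytab contents below are constructed samples.

# expected_principal SERVICE HOST REALM -> prints SERVICE/HOST@REALM
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# keytab_has_principal PRINCIPAL, with `klist -k` output on stdin.
# Succeeds if some keytab entry names exactly PRINCIPAL.  Entry lines
# look like "   3 postgres/db1.example.com@EXAMPLE.COM" (KVNO, principal).
keytab_has_principal() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `klist -k` output for a host named db1.example.com.
SAMPLE_KLIST='Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/db1.example.com@EXAMPLE.COM
   3 host/db1.example.com@EXAMPLE.COM'

# check_keytab_for_host HOST SERVICE REALM, with `klist -k` output on stdin.
# Prints a verdict and returns 0 only when the keytab covers the principal
# the server would bind to for that host name.
check_keytab_for_host() {
    princ=$(expected_principal "$2" "$1" "$3")
    if keytab_has_principal "$princ"; then
        echo "ok: keytab contains $princ"
        return 0
    fi
    echo "MISSING: keytab has no entry for $princ"
    return 1
}

# Usage with the constructed listing.  On a real server this would be:
#   klist -k /path/to/keytab | check_keytab_for_host "$(hostname -f)" postgres EXAMPLE.COM
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_for_host db1.example.com postgres EXAMPLE.COM
# The literal host name "localhost" is not what the library resolves to,
# so a keytab written for it would not match; shown here as the failure case.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab_for_host localhost postgres EXAMPLE.COM || true
```

The check deliberately compares the whole principal string, realm included, because a keytab entry for the right host in the wrong realm is exactly the kind of mismatch the improved error message in this patch is meant to surface.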