Re: BUG #5559: Full SSL verification fails when hostaddr provided - Mailing list pgsql-bugs

From Stephen Frost
Subject Re: BUG #5559: Full SSL verification fails when hostaddr provided
Date
Msg-id 20100714173942.GM21875@tamriel.snowman.net
In response to Re: BUG #5559: Full SSL verification fails when hostaddr provided  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: BUG #5559: Full SSL verification fails when hostaddr provided  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-bugs
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> ... btw, the libpq documentation claims that
>
>     If hostaddr is specified without host, the value for hostaddr
>     gives the remote address. When Kerberos is used, a reverse name
>     query occurs to obtain the host name for Kerberos.
>
> but so far as I can see this is flat wrong.  pg_krb5_sendauth throws
> an error if you didn't provide a host name, and so do the other places
> in fe-auth.c that need the host name.  What we're about to do to SSL
> verification will match that.  So I think the docs need a fix here.

I think the confusion here is that the *Kerberos* libraries do the
reverse-DNS lookup to get the hostname to request as part of the
principal.  It's true that we don't, but that doesn't mean it's not
done.  Not sure where or if we need to discuss how Kerberos works in the
libpq documentation or what the context is for the above, but I'm pretty
sure that's where the original wording came from.

    Thanks,

        Stephen
