Re: Kerberos authentication, Active Directory, and PostgreSQL - Mailing list pgsql-bugs

From Magnus Hagander
Subject Re: Kerberos authentication, Active Directory, and PostgreSQL
Date
Msg-id 9837222c0910130636t24647743m290ff6e63b3848d8@mail.gmail.com
In response to Re: Kerberos authentication, Active Directory, and PostgreSQL  (Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>)
Responses Re: Kerberos authentication, Active Directory, and PostgreSQL
List pgsql-bugs
2009/10/13 Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>:
> Turner, Ian wrote:
>> While trying to connect our PostgreSQL database to our Kerberos realm,
>> we encountered the obscure message "Invalid message length". Tracking
>> this down, we discovered that it was emitted by
>> src/backend/libpq/pqcomm.c in response to a rather large Kerberos
>> message. The root cause is as follows, and a patch is below.
>>
>> The code in src/backend/libpq/auth.c contains a hard-coded limit on the
>> size of GSS messages, and in particular on the message containing the
>> client's Kerberos ticket for the postgres server. The limit was 2,000
>> bytes, which is normally adequate for tickets based on TGTs issued by
>> Unix KDCs. However, TGTs issued by Windows domain controllers contain an
>> authorization field known as the PAC (privilege attribute certificate),
>> which contains the user's Windows permissions (group memberships etc.).
>> The PAC is copied into all tickets obtained on the basis of this TGT
>> (even those issued by Unix realms which the Windows realm trusts), and
>> can be several K in size. Thus, GSS authentication was failing with an
>> "invalid message length" error. We simply upped the limit to 32k, which
>> ought to be sufficient.
>>
>> The patch is quite brief:
>>
>> --- postgresql-8.4-8.4.1/src/backend/libpq/auth.c =A0 =A0 =A0 2009-06-25=
 12:30:08.000000000 +0100
>> +++ postgresql-8.4-8.4.1-fixed/src/backend/libpq/auth.c 2009-09-15 20:27=
:01.000000000 +0100
>> @@ -166,6 +166,8 @@
>> =A0#endif
>>
>> =A0static int =A0 =A0 pg_GSS_recvauth(Port *port);
>> +
>> +#define GSS_MAX_TOKEN_LENGTH (32767)
>> =A0#endif =A0 /* ENABLE_GSS */
>>
>>
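
Review bot: GSS_MAX_TOKEN_LENGTH is defined directly above "#endif /* ENABLE_GSS */", so it exists only in GSS builds and cannot be shared with the SSPI receive path whose limit is also raised in this thread; consider moving the define outside the conditional block or adding an SSPI counterpart. The define also needs a comment saying why 32767 was chosen (PAC-bearing tickets from Windows domain controllers) and that the cap exists to bound how much a client can make the backend buffer for one token.
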
>> @@ -937,7 +939,7 @@
>>
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* Get the actual GSS token */
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 initStringInfo(&buf);
>> - =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (pq_getmessage(&buf, 2000))
>> + =A0 =A0 =A0 =A0 =A0 =A0 =A0 if (pq_getmessage(&buf, GSS_MAX_TOKEN_LENG=
TH))
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 {
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 /* EOF - pq_getmessage a=
lready logged error */
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 pfree(buf.data);
>>
>>
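
Review bot: the comment in the failure branch under the changed pq_getmessage() call, "EOF - pq_getmessage already logged error", does not mention the case this patch is about: per the report, a token over the cap also ends up here and the only diagnostic is the generic "invalid message length". Suggest extending that comment to name the oversize-token case and point at GSS_MAX_TOKEN_LENGTH, so the next person who hits the limit can find it from the call site.
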
>> Please let me know if anything additional is required in order to get
>> this fix into the next release.
>
> The corresponding limit in pg_SSPI_recvauth() probably needs to be
> raised too..

Probably, but not entirely certainly. Given how SSPI works.

But for consistency that would certainly be a good idea :-)

> pq_getmessage() doesn't necessarily need a limit, we could accept
> arbitrarily long tokens. Although I guess we want to avoid simple
> denial-of-service attacks exhausting backend memory.

Yeah.
FWIW, the default max token size on Win2k is ~8Kb. In some service
pack and then in Win2003, it was increased to 12Kb. But it is possible
to increase that by a registry key on the domain controller - and I
read somewhere that Win2008 actually will increase this size
dynamically.

Actually, I found a note that said it's recommended to never increase
it above 65535 - so perhaps we should put our limit at that instead of
32767?

-- 
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
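
Added example, not part of the original message and not PostgreSQL code: a minimal length-prefixed reader illustrating the trade-off discussed in this thread, where the cap is checked before any allocation so an unauthenticated peer cannot force a large buffer, yet must be high enough for PAC-bearing tickets. read_token(), try_token() and both macro names are hypothetical, chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define OLD_MAX_TOKEN 2000   /* assumed name: the old hard-coded cap */
#define NEW_MAX_TOKEN 65535  /* assumed name: the value floated in the thread */

/* Hypothetical reader, not PostgreSQL's pq_getmessage(). Parses one message
 * whose 4-byte big-endian length counts itself. Returns 0 and a malloc'd
 * payload, or -1 for a bad, oversize or truncated message. */
static int read_token(const uint8_t *in, size_t in_len, size_t maxlen,
                      uint8_t **out, size_t *out_len)
{
    uint32_t len;

    *out = NULL;
    *out_len = 0;
    if (in_len < 4)
        return -1;
    len = ((uint32_t) in[0] << 24) | ((uint32_t) in[1] << 16) |
          ((uint32_t) in[2] << 8) | (uint32_t) in[3];
    if (len < 4)
        return -1;                  /* length must cover itself */
    len -= 4;
    if (len > maxlen)               /* cap checked before any allocation: */
        return -1;                  /* the peer is not authenticated yet */
    if (len > in_len - 4)
        return -1;                  /* fewer bytes arrived than claimed */
    if ((*out = malloc(len ? len : 1)) == NULL)
        return -1;
    memcpy(*out, in + 4, len);
    *out_len = len;
    return 0;
}

/* Constructed input: a header claiming `claimed` payload bytes followed by
 * `sent` zero bytes. Returns read_token()'s result under the given cap. */
static int try_token(uint32_t claimed, size_t sent, size_t maxlen)
{
    uint8_t *msg = calloc(1, sent + 4), *tok = NULL;
    size_t tok_len = 0;
    uint32_t wire = claimed + 4;
    int rc;
    if (msg == NULL) return -2;
    msg[0] = (uint8_t) (wire >> 24); msg[1] = (uint8_t) (wire >> 16);
    msg[2] = (uint8_t) (wire >> 8);  msg[3] = (uint8_t) wire;
    rc = read_token(msg, sent + 4, maxlen, &tok, &tok_len);
    free(tok);
    free(msg);
    return rc;
}
```

A header that claims far more than the cap is rejected from its first four bytes, before any buffer is sized from the claimed length.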
