Re: GSSAPI, SSPI - include_realm default - Mailing list pgsql-hackers
From | Magnus Hagander |
---|---|
Subject | Re: GSSAPI, SSPI - include_realm default |
Date | |
Msg-id | CABUevExE-QC767LO0LumtuLJAX4YwvGp2wYVLm1sr0qe=4mHRA@mail.gmail.com |
In response to | GSSAPI, SSPI - include_realm default (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: GSSAPI, SSPI - include_realm default (Stephen Frost <sfrost@snowman.net>); Re: GSSAPI, SSPI - include_realm default (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-hackers |
On Wed, Nov 26, 2014 at 8:01 PM, Stephen Frost <sfrost@snowman.net> wrote:
> Greetings,
>
> The include_realm default for GSSAPI and SSPI is currently
> 'include_realm=0', meaning that the realm is stripped off of the
> Kerberos principal (aka the 'system' username) prior to looking up the
> user in pg_authid.
>
> This is fine in a single-realm environment but extremely dangerous
> in a multi-realm environment, as user@REALMA is rarely the same as
> user@REALMB. Worse, a given environment can go from single-realm to
> multi-realm with relative ease and most administrators aren't going to
> expect applications to have a problem with that change. Every other
> Kerberos-enabled application which I'm aware of requires either the
> full principal (including realm) be considered, or that the realm of
> the principal matches the realm of the system (which is what OpenSSH
> requires, as an example).
>
> As such, I'd like to propose changing the default to be
> 'include_realm=1'.

Per our previous discussions, but to make sure it's also on record for others, +1 for this suggestion.

> Back when Kerberos support was originally added, we didn't have the
> pg_ident regex-based mapping capability. Today, users who wish to
> strip the realm off would be best served by configuring a mapping in
> pg_ident.conf which strips off exactly the realm name (or names, if
> they are multi-realm where the users actually are the same individuals
> in multiple realms) instead of using 'include_realm=0'.
>
> Users who really wish to strip off the realm for their environment
> would still be able to add 'include_realm=0' to their pg_hba.conf.
> We would recommend against that in the documentation, however, and
> explain how it's unsafe. I would recommend that this be coached as
> transitional support for users who wish to upgrade but don't want to
> (further) change their configuration immediately, with the implication
> that we might remove it some day.
>
> This would be done for 9.5 and we would need to note it in the release
> notes, of course.

I suggest we also backpatch some documentation suggesting that people manually change the include_realm parameter (perhaps also with a note saying that the default will change in 9.5).

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
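
The realm collision discussed in this thread, and the pg_ident.conf alternative to 'include_realm=0', as an added example that is not part of the original message and is not PostgreSQL's code. It is a simplified Python model of the username check; the map name krb, the realms EXAMPLE.COM and OTHER.ORG and the user alice are constructed assumptions.

```python
import re

# Constructed pg_ident.conf content (map name "krb" and realm EXAMPLE.COM are
# assumptions): strip exactly one trusted realm and nothing else.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME          PG-USERNAME
krb        /^(.*)@EXAMPLE\.COM$     \1
"""

def parse_ident(text):
    """Return (mapname, system_pattern, pg_user) tuples, skipping comments."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            rows.append(tuple(fields))
    return rows

def system_user(principal, include_realm):
    """include_realm=0 drops the '@REALM' part; include_realm=1 keeps it."""
    return principal if include_realm else principal.split("@", 1)[0]

def may_login(principal, db_user, include_realm, mapname=None, ident=PG_IDENT):
    """Simplified model of the name check made after GSSAPI/SSPI succeeds."""
    sysname = system_user(principal, include_realm)
    if mapname is None:                  # no map: names must match exactly
        return sysname == db_user
    for name, pattern, pg_user in parse_ident(ident):
        if name != mapname:
            continue
        if not pattern.startswith("/"):  # plain entry: literal comparison
            if pattern == sysname and pg_user == db_user:
                return True
            continue
        m = re.search(pattern[1:], sysname)  # leading '/' marks a regex
        if m:
            target = pg_user.replace(r"\1", m.group(1) or "") if m.groups() else pg_user
            if target == db_user:
                return True
    return False

if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "alice@OTHER.ORG"):  # constructed principals
        print(p, "| include_realm=0:", may_login(p, "alice", 0),
              "| include_realm=1 map=krb:", may_login(p, "alice", 1, "krb"))
```

With 'include_realm=0' both principals resolve to the database user alice; with 'include_realm=1' and the map, only the principal from the listed realm does.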