Fix up usage of krb_server_keyfile GUC parameter.
secure_open_gssapi() installed the krb_server_keyfile setting as
KRB5_KTNAME unconditionally, so long as it's not empty. However,
pg_GSS_recvauth() only installed it if KRB5_KTNAME wasn't set already,
leading to a troubling inconsistency: in theory, clients could see
different sets of server principal names depending on whether they
use GSSAPI encryption. Always using krb_server_keyfile seems like
the right thing, so make both places do that. Also fix up
secure_open_gssapi()'s lack of a check for setenv() failure ---
it's unlikely, surely, but security-critical actions are no place
to be sloppy.
Also improve the associated documentation.
This patch does nothing about secure_open_gssapi()'s use of setenv(),
and indeed causes pg_GSS_recvauth() to use it too. That's nominally
against project portability rules, but since this code is only built
with --with-gssapi, I do not feel a need to do something about this
in the back branches. A fix will be forthcoming for HEAD though.
Back-patch to v12 where GSSAPI encryption was introduced. The
dubious behavior in pg_GSS_recvauth() goes back further, but it
didn't have anything to be inconsistent with, so let it be.
Discussion: https://postgr.es/m/2187460.1609263156@sss.pgh.pa.us
Branch
------
REL_13_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/861e967176e99da9122bb19bc2312c2ecdf6673c
Modified Files
--------------
doc/src/sgml/client-auth.sgml | 6 +-----
doc/src/sgml/config.sgml | 12 ++++++++---
src/backend/libpq/auth.c | 31 +++++++++------------------
src/backend/libpq/be-secure-gssapi.c | 12 +++++++++--
src/backend/utils/misc/postgresql.conf.sample | 2 +-
5 files changed, 31 insertions(+), 32 deletions(-)
