Re: Patch to add Heimdal kerberos support - Mailing list pgsql-patches
| From | Bill Studenmund |
|---|---|
| Subject | Re: Patch to add Heimdal kerberos support |
| Date | |
| Msg-id | Pine.NEB.4.33.0111121553370.24761-100000@vespasia.home-net.internetconnect.net |
| In response to | Re: Patch to add Heimdal kerberos support (Tom Lane <tgl@sss.pgh.pa.us>) |
| Responses | Re: Patch to add Heimdal kerberos support |
| List | pgsql-patches |
On Mon, 12 Nov 2001, Tom Lane wrote:

> Bill Studenmund <wrstuden@netbsd.org> writes:
> > Attached please find a patch to make Postgres compile with Heimdal krb5
> > support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> > implies MIT krb5 support.
>
> Couldn't we do this in a way that doesn't require a user configure switch?

Not that I know of. There are slight differences in the APIs, and Heimdal needs a different set of libraries compiled in. I'll ask around.

> --- src/backend/libpq/auth.c 2001/10/28 06:25:44 1.71
> +++ src/backend/libpq/auth.c 2001/11/12 22:32:00
> @@ -229,7 +229,7 @@
> " Kerberos error %d\n", retval);
> com_err("postgres", retval,
> "while getting server principal for service %s",
> - pg_krb_server_keyfile);
> + PG_KRB_SRVNAM);
> krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
>
> This change seems like a step backwards.

This patch really isn't Heimdal-related. If you look at the code preceding this, we are looking for the principal for service PG_KRB_SRVNAM in the file pg_krb_server_keyfile. Unpatched, this error message says, "...error.. while getting server principal for service /usr/local/psql/data/krb5.srvtab" which makes no sense. It was really "... while getting server principal for service postgres" for instance; PG_KRB_SRVNAM is the service name we looked up, so it is the one we should mention.

>
> krb5_free_context(pg_krb5_context);
> return STATUS_ERROR;
> @@ -283,8 +283,13 @@
> *
> * I have no idea why this is considered necessary.
> */
> +#ifdef KRB5_MIT
> retval = krb5_unparse_name(pg_krb5_context,
> ticket->enc_part2->client, &kusername);
> +#else
> + retval = krb5_unparse_name(pg_krb5_context,
> + ticket->client, &kusername);
> +#endif
>
> If this is the only code change needed, couldn't we dispense with it

There is one more a little later on in the patch, in the front-end code.

> somehow? I notice that the previous authors of this code had grave
> doubts about comparing the username at all. I don't know much about
> Kerberos' security model --- is the fact that we got a ticket sufficient
> authentication, and if not why not?

I'll be honest that I'm still learning kerberos and all of the twists and turns of its code. I think the point is this test and the code after it makes sure that your kerberos and your postgres usernames match. I think that's VERY important. Otherwise I could log into kerberos as wrstuden and access postgres as user tgl. That seems BAD to me. :-)

Take care,

Bill
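Review bot: In the first hunk (auth.c @@ -229), swapping `pg_krb_server_keyfile` for `PG_KRB_SRVNAM` makes the message match its format string ("for service %s"), but the keytab path was the one piece of information an operator needs to diagnose a missing or unreadable keytab, and it is now gone from the message. Suggest keeping both, e.g. `"while getting server principal for service %s from keytab %s", PG_KRB_SRVNAM, pg_krb_server_keyfile);`. Since this fix is unrelated to Heimdal, it should also go in as a separate commit so it can be reviewed and backpatched on its own.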
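Review bot: In the second hunk (auth.c @@ -283), the conditional is keyed on `#ifdef KRB5_MIT`, so any build where that macro is not defined silently falls into the `#else` branch and dereferences `ticket->client`, the Heimdal layout, even though the configure switch introduced by this patch is `--with-heimdal`. Test the Heimdal-specific macro instead (`#ifdef HAVE_HEIMDAL` or whatever configure defines for `--with-heimdal`), and add a final `#else` / `#error` so an unexpected Kerberos implementation fails at compile time rather than reading the wrong struct field. The unchanged comment "I have no idea why this is considered necessary" should also be replaced with the rationale from this thread: the unparsed client principal is compared against the requested Postgres user name so that a valid ticket for one principal cannot be used to connect as a different database user.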