Re: Patch to add Heimdal kerberos support - Mailing list pgsql-patches

From Bill Studenmund
Subject Re: Patch to add Heimdal kerberos support
Msg-id Pine.NEB.4.33.0111272138260.11101-100000@vespasia.home-net.internetconnect.net
In response to Re: Patch to add Heimdal kerberos support  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-patches
On Sat, 17 Nov 2001, Peter Eisentraut wrote:

> Bill Studenmund writes:
>
> > The problem I had with AC_SEARCH_LIBS was that if I don't add all of the
> > libraries (-lasn1 -lroken etc.) the test program won't compile, even
> > though the .o compiles fine. Can we make the test only depend on
> > generating a .o?
>
> That wouldn't tell you a whole lot about the existence of a function.  You
> do need to link to be able to verify that.

Oh. Looking back on this, I see a step I forgot to mention. I was jumping
from AC_SEARCH_LIBS, which does need linking to see a function is there,
to making a test which would make just a .o, to see if __heimdal_version
is in krb5.h. That way we could see if we're heimdal or MIT directly.
Sorry.

> > I'd like to make it a bug fix for 7.2 if we can, so I'd appreciate the
> > help. I can test any new versions of the patch. :-)
>
> The attached patch should handle the different struct members (at least it
> doesn't break them for me) and it doesn't gratuitously fail on libraries
> that are not really needed.  I haven't done anything about -lasn1 -lroken
> -lcrypto because I'd need to know what functions you need from there.  You
> should be able to get it to work when you configure thus:

Ok. The patch didn't work. I'm attaching my revised version.

I did a couple of things, and can break it into different patches if
desired.

1) I moved the test for the struct members to before the check for
libraries. I don't like this as it means looking in a .h out of order with
looking for the other .h's, but, well, you have to have the .h for the
lib search test to really work.

2) I changed the krb5 lib test to look for libasn1, libroken, and
libcrypto as needed. The thing I don't like about this is I'm basing the
test on the presence of some of the struct fields. I know there is active
work on consolidating the APIs, so this might not be a good long-term
test. It also is a hack, though perhaps good enough for now.

3) I pulled in a few of the changes I made in response to our earlier
discussion. pg_an_to_ln() is not used, we use a routine out of libkrb5
instead. I don't understand the comment that, "we can't punt," if we can't
find a name as if we can't find a name, how can we say anything about the
security of the authentication?

4) I also added changes to make the PAM authentication method behave like
the kerberos ones; the PAM authentication method is always part of the
protocol, just if it's not compiled in and you try to use it, you get an
error message about it.

This change, besides being consistent with the other auth methods, makes
it possible to add another auth method. Adding encrypted sessions will
probably need it (but that's a separate thread).

I realize it's probably too late for 7.2, but I'd like to submit these (at
least 1, 2, and 3) for consideration for 7.2.1 whenever it happens. :-)

Peter, what comments on this do you have?

Take care,

Bill
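
The compile-only check for `__heimdal_version` described in the message, followed by a link test that receives the extra Heimdal libraries, written as an added configure.ac sketch; it is not the patch attached to this message or Peter's patch. Assumptions: current Autoconf macros, hypothetical `pgac_*` variable names, `krb5_sendauth` chosen as the probe function, and `__heimdal_version` being declared as an object in Heimdal's krb5.h.

```m4
# Added example, not part of the original patch.
# Step 1: compile only, no link, so -lasn1 -lroken -lcrypto are not needed yet.
AC_CACHE_CHECK([whether krb5.h is the Heimdal header], [pgac_cv_krb5_is_heimdal],
[AC_COMPILE_IFELSE(
  [AC_LANG_PROGRAM([[#include <krb5.h>]],
    [[/* Assumption: __heimdal_version is declared as an object in krb5.h. */
      const void *p = &__heimdal_version;
      (void) p;]])],
  [pgac_cv_krb5_is_heimdal=yes],
  [pgac_cv_krb5_is_heimdal=no])])

# Step 2: pick the libraries the link test has to pull in alongside libkrb5.
if test "$pgac_cv_krb5_is_heimdal" = yes; then
  pgac_krb5_extra_libs="-lasn1 -lroken -lcrypto"
else
  pgac_krb5_extra_libs=
fi

# Step 3: link test. The fifth argument is used only while linking the probe,
# so the test program links even though libkrb5 alone would leave symbols
# unresolved. On success AC_SEARCH_LIBS prepends -lkrb5 to LIBS; the extra
# libraries are appended after it here.
AC_SEARCH_LIBS([krb5_sendauth], [krb5],
  [LIBS="$LIBS $pgac_krb5_extra_libs"],
  [AC_MSG_ERROR([could not find a libkrb5 that provides krb5_sendauth])],
  [$pgac_krb5_extra_libs])
```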
