local kerberos authentication?

From: Peter Koczan
Hi all,

I would like to, but can't seem to get Kerberos working for local
connections.

Here are the last few lines of my pg_hba.conf

# TYPE  DATABASE    USER        IP-ADDRESS        IP_MASK           METHOD
local   all         all                                             krb5
hostssl all         all         128.105.0.0       255.255.0.0       krb5
hostssl all         all         198.133.224.0     255.255.255.0     krb5

Here's what trying to connect got me (first locally, then via the
network and SSL).

[koczan@mitchell(1)] ~ $ psql postgres
psql: FATAL:  missing or erroneous pg_hba.conf file
HINT:  See server log for details.
[koczan@mitchell(2)] ~ $ psql -h mitchell -p 5432 postgres
psql: FATAL:  missing or erroneous pg_hba.conf file
HINT:  See server log for details.

And here are the last few lines of the server log.

Jul  9 19:58:16 mitchell postgres[10730]: [2-1] LOG:  connection received: host=mitchell.cs.wisc.edu port=53829
Jul  9 19:58:16 mitchell postgres[10730]: [3-1] LOG:  missing field in file "/scratch.1/postgres/testing-8.2/pg_hba.conf" at end of line 69
Jul  9 19:58:16 mitchell postgres[10730]: [4-1] FATAL:  missing or erroneous pg_hba.conf file
Jul  9 19:58:16 mitchell postgres[10730]: [4-2] HINT:  See server log for details.
Jul  9 19:58:16 mitchell postgres[10731]: [2-1] LOG:  connection received: host=mitchell.cs.wisc.edu port=53830
Jul  9 19:58:16 mitchell postgres[10731]: [3-1] LOG:  missing field in file "/scratch.1/postgres/testing-8.2/pg_hba.conf" at end of line 69
Jul  9 19:58:16 mitchell postgres[10731]: [4-1] FATAL:  missing or erroneous pg_hba.conf file
Jul  9 19:58:16 mitchell postgres[10731]: [4-2] HINT:  See server log for details.

If I change the method to trust, it works, so it looks like krb5 isn't
supported for local connections, at least not on the surface. I'd also
like to get away from trust authentication because of the wonderful
security problems it entails.

Has anyone done this? Is this even possible? It's not a huge deal if it
can't be done, but I'd like to know.

Peter

Re: local kerberos authentication?

From: Tom Lane
Peter Koczan <pjkoczan@gmail.com> writes:
> I would like to, but can't seem to get Kerberos working for local
> connections.

krb5_sendauth and krb5_recvauth only work with TCP or UDP connections,
according to what I can find on the net.  If you think your local
implementation might not have that restriction, try diking out these
lines in src/backend/libpq/hba.c:

        /* Disallow auth methods that always need TCP/IP sockets to work */
        if (port->auth_method == uaKrb5)
            goto hba_syntax;

and see what happens ...

            regards, tom lane

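As an added example (not code from the thread or from PostgreSQL), here is a small Python lint that mirrors the two rejections visible above: the per-type field count, and the krb5-on-'local' check Tom quotes from hba.c. It assumes the 8.2-era column layout shown in Peter's pg_hba.conf, and that the krb5 rejection is reported through the same "missing field ... at end of line" message, which the posted log supports.

```python
import re

# Field layout of the 8.2-era pg_hba.conf lines quoted in the thread:
# 'local' lines have no IP-ADDRESS / IP_MASK columns, host* lines do.
FIELDS = {
    "local":   ["TYPE", "DATABASE", "USER", "METHOD"],
    "host":    ["TYPE", "DATABASE", "USER", "IP-ADDRESS", "IP_MASK", "METHOD"],
    "hostssl": ["TYPE", "DATABASE", "USER", "IP-ADDRESS", "IP_MASK", "METHOD"],
}

# Methods hba.c refuses on a unix-socket line (the check Tom Lane quotes).
TCP_ONLY_METHODS = {"krb5"}

def lint_pg_hba(text):
    """Return [(line_no, message)] for lines the server would reject.
    A complete 'local ... krb5' line gets the server's own 'missing field'
    wording (assumption: hba.c jumps to its syntax-error label for it)."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = re.split(r"\s+", line)
        kind = fields[0]
        if kind not in FIELDS:
            problems.append((line_no, "invalid entry: unknown type %r" % kind))
            continue
        expected = FIELDS[kind]
        if len(fields) < len(expected):
            problems.append((line_no, "missing field at end of line (no %s)"
                             % expected[len(fields)]))
            continue
        method = fields[len(expected) - 1]    # extra trailing field = auth option
        if kind == "local" and method in TCP_ONLY_METHODS:
            problems.append((line_no, "missing field at end of line (%s needs a "
                             "TCP/IP socket, so it is rejected on 'local')" % method))
    return problems

# Constructed sample: the tail of pg_hba.conf as posted in the thread.
SAMPLE = """\
# TYPE  DATABASE    USER        IP-ADDRESS        IP_MASK           METHOD
local   all         all                                             krb5
hostssl all         all         128.105.0.0       255.255.0.0       krb5
hostssl all         all         198.133.224.0     255.255.255.0     krb5
"""

if __name__ == "__main__":
    for n, msg in lint_pg_hba(SAMPLE):
        print("line %d: %s" % (n, msg))
```

Running it on the sample flags only the 'local' line, even though that line has every column filled in, which is why the server log points at a "missing field" rather than at krb5.
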
Re: local kerberos authentication?

From: Stephen Frost
* Peter Koczan (pjkoczan@gmail.com) wrote:
> If I change the method to trust, it works, so it looks like krb5 isn't
> supported for local connections, at least not on the surface. I'd also like
> to get away from trust authentication because of the wonderful security
> problems it entails.

'local' in this case means 'unix socket'.  Kerberos does a reverse-DNS
lookup on the IP address it's going to connect to in order to figure out
what service princ to ask the KDC for.  That doesn't work for unix
sockets.

> Has anyone done this? Is this even possible? It's not a huge deal if it
> can't be done, but I'd like to know.

Can't be done as far as I'm aware because Kerberos doesn't know what
princ to use.  I'm not sure if any of the Kerberos folks have really
looked into making it work; it might be possible to just use the fqdn or
some such.  You might google around for 'kerberos over unix sockets' or
ask folks on the Kerberos lists.

    Thanks,

        Stephen