Thread: [patch] krb5 authentication on multihomed server hosts

[patch] krb5 authentication on multihomed server hosts

From

Martin Pitt

Date:

29 September 2005, 22:45:53

Hi!

I recently got a Debian bug report [1] that says:

  "It is not always possible to use krb5 authentication to a server
  that is listening on multiple interfaces other than to the 'primary'
  interface.

  More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
  the pg_krb5_server principal with a call to krb5_sname_to_principal
  with NULL as the second argument (the hostname argument).  This
  invokes the hostname canonicalisation behaviour in the kerberos
  library which has insufficient information to be able to return the
  correct answer in all cases."

The bug report describes this a little deeper with a detailled
example. The reporter also proposes a patch, which I copied below for
your convenience. It looks pretty sane and is relatively unintrusive.
However, since I don't know much about Kerberos, I'd like to hear
another opinion.

Since this is by no way Debian specific, would you be interested to
fix this upstream as well?

Thanks for considering and have a nice day!

Martin

--------------- snip -------------------
--- postgresql-7.4.7-old/src/backend/libpq/auth.c    2003-12-20 18:25:02.00000=
0000 +0000
+++ postgresql-7.4.7/src/backend/libpq/auth.c    2005-07-25 19:55:26.000000000=
 +0100
@@ -216,8 +216,18 @@
         return STATUS_ERROR;
     }
=20
-    retval =3D krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+    if( VirtualHost && VirtualHost[0] )
+    {
+        char *host=3DVirtualHost;
+        while(*host=3D=3D' ') host++; /* skip leading spaces (cf postmaster.c) */
+        retval =3D krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
+                                     KRB5_NT_SRV_HST, &pg_krb5_server);
+    }
+    else
+    {
+        retval =3D krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
                                      KRB5_NT_SRV_HST, &pg_krb5_server);
+    }
     if (retval)
     {
         ereport(LOG,
--------------- snip -------------------


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D320049

--=20
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Re: [patch] krb5 authentication on multihomed server hosts

From

Bruce Momjian

Date:

30 September 2005, 01:14:25

I think this is fixed in CVS and will be in 8.1.  We now have in
postgresql.conf:

    # Kerberos
    #krb_server_keyfile = ''
    #krb_srvname = 'postgres'
    #krb_server_hostname = '(any)'          # if not set, matches any keytab entry
    #krb_caseins_users = off


---------------------------------------------------------------------------

Martin Pitt wrote:
-- Start of PGP signed section.
> Hi!
>
> I recently got a Debian bug report [1] that says:
>
>   "It is not always possible to use krb5 authentication to a server
>   that is listening on multiple interfaces other than to the 'primary'
>   interface.
>
>   More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
>   the pg_krb5_server principal with a call to krb5_sname_to_principal
>   with NULL as the second argument (the hostname argument).  This
>   invokes the hostname canonicalisation behaviour in the kerberos
>   library which has insufficient information to be able to return the
>   correct answer in all cases."
>
> The bug report describes this a little deeper with a detailled
> example. The reporter also proposes a patch, which I copied below for
> your convenience. It looks pretty sane and is relatively unintrusive.
> However, since I don't know much about Kerberos, I'd like to hear
> another opinion.
>
> Since this is by no way Debian specific, would you be interested to
> fix this upstream as well?
>
> Thanks for considering and have a nice day!
>
> Martin
>
> --------------- snip -------------------
> --- postgresql-7.4.7-old/src/backend/libpq/auth.c    2003-12-20 18:25:02.000000000 +0000
> +++ postgresql-7.4.7/src/backend/libpq/auth.c    2005-07-25 19:55:26.000000000 +0100
> @@ -216,8 +216,18 @@
>          return STATUS_ERROR;
>      }
>
> -    retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
> +    if( VirtualHost && VirtualHost[0] )
> +    {
> +        char *host=VirtualHost;
> +        while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */
> +        retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
> +                                     KRB5_NT_SRV_HST, &pg_krb5_server);
> +    }
> +    else
> +    {
> +        retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
>                                       KRB5_NT_SRV_HST, &pg_krb5_server);
> +    }
>      if (retval)
>      {
>          ereport(LOG,
> --------------- snip -------------------
>
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049
>
> --
> Martin Pitt        http://www.piware.de
> Ubuntu Developer   http://www.ubuntu.com
> Debian Developer   http://www.debian.org
>
> In a world without walls and fences, who needs Windows and Gates?
-- End of PGP section, PGP failed!

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073