Thread: Updated kerberos service name patch

Updated kerberos service name patch

From
"Magnus Hagander"
Date:
Here is an updated version of the patch from
http://candle.pha.pa.us/mhonarc/patches2/msg00025.html. It handles the
options for libpq connections the same way other options are handled,
and it also updates the kerberos documentation. It contains a couple of
minor changes to the Kerberos documentation that are not directly related
to this patch, to make it easier to read. And it updates the Kerberos
information URL to the current MIT pages.

I refactored my own code so now the Kerberos 4 specific changes are very
small. I have not verified them, but I think they should work. That
doesn't mean I'm still in favour of ripping out the krb4 code, just that
it's fairly easy to do it as a separate step instead.

//Magnus

Attachment

Re: Updated kerberos service name patch

From
"Magnus Hagander"
Date:
Hi!

Please do not apply this patch in its current state. It contains a
small bug that appears to trigger a DOS vulnerability in the MIT
Kerberos libraries. I will submit a new patch shortly that does not
expose this bug to a configurable parameter (it can still be exposed by
hacking the code since the issue appears in the kerberos libs, but
there's not much we can do there. I'm also contacting the MIT Kerberos
team about a fix there)

//Magnus

>-----Original Message-----
>From: Bruce Momjian [mailto:pgman@candle.pha.pa.us]
>Sent: 20 May 2005 19:00
>To: Magnus Hagander
>Cc: PostgreSQL-patches
>Subject: Re: [PATCHES] Updated kerberos service name patch
>
>Your patch has been added to the PostgreSQL unapplied patches list at:
>
>    http://momjian.postgresql.org/cgi-bin/pgpatches
>
>It will be applied as soon as one of the PostgreSQL committers reviews
>and approves it.
>
>---------------------------------------------------------------------------
>
>Content-Description: krbsrvname.patch
>
>[ Attachment, skipping... ]
>
>>
>> ---------------------------(end of broadcast)---------------------------
>> TIP 9: the planner will ignore your desire to choose an index scan if your
>>       joining column's datatypes do not match
>
>--
>  Bruce Momjian                        |  http://candle.pha.pa.us
>  pgman@candle.pha.pa.us               |  (610) 359-1001
>  +  If your life is a hard drive,     |  13 Roberts Road
>  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
>

Re: Updated kerberos service name patch

From
"Magnus Hagander"
Date:
Here's an updated version of the patch, with the following changes:

1) No longer uses "service name" as "application version". It's instead
hardcoded as "postgres". It could be argued that this part should be
backpatched to 8.0, but it doesn't make a big difference until you can
start changing it with GUC / connection parameters. This change only
affects kerberos 5, not 4.

2) Now downcases kerberos usernames when the client is running on win32.

3) Adds guc option for "krb_caseins_users" to make the server ignore
case mismatch which is required by some KDCs such as Active Directory.
Off by default, per discussion with Tom. This change only affects
kerberos 5, not 4.

4) Updated so it doesn't conflict with the rendezvous/bonjour patch
already in ;-)

//Magnus



>-----Original Message-----
>From: pgsql-patches-owner@postgresql.org
>[mailto:pgsql-patches-owner@postgresql.org] On Behalf Of Magnus Hagander
>Sent: 22 May 2005 17:26
>To: Bruce Momjian
>Cc: PostgreSQL-patches
>Subject: Re: [PATCHES] Updated kerberos service name patch
>
>Hi!
>
>Please do not apply this patch in its current state. It contains a
>small bug that appears to trigger a DOS vulnerability in the MIT
>Kerberos libraries. I will submit a new patch shortly that does not
>expose this bug to a configurable parameter (it can still be exposed by
>hacking the code since the issue appears in the kerberos libs, but
>there's not much we can do there. I'm also contacting the MIT Kerberos
>team about a fix there)
>
>//Magnus
>

Attachment
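The user-name handling in items 2 and 3 of the message above, written out as an added illustration. This is not the patch itself (the archive skipped the attachment) and not libpq or backend code: the name@REALM principal layout with a single name component, the function names, and the optional accepted_realm check are assumptions made for this example.

```python
"""Added illustration of the user-name handling described in the message
above. It is not the PostgreSQL patch (the archive skipped the attachment).
Assumed for this example: a principal is written name@REALM with a single
name component, the server-side switch is modelled on the krb_caseins_users
GUC, and the client downcases on win32 as item 2 describes."""
from dataclasses import dataclass
from typing import Optional
import sys


@dataclass(frozen=True)
class KerberosPrincipal:
    name: str   # primary component, e.g. "Alice"
    realm: str  # e.g. "EXAMPLE.COM"


def parse_principal(text: str) -> KerberosPrincipal:
    """Split 'name@REALM'. Assumed layout: exactly one '@', no instance
    component, no escaped characters; anything else is rejected, not guessed."""
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in principal {text!r}")
    name, realm = text.split("@", 1)
    if not name or not realm:
        raise ValueError(f"empty name or realm in principal {text!r}")
    return KerberosPrincipal(name, realm)


def client_username(login_name: str, platform: str = sys.platform) -> str:
    """Item 2: a client running on win32 downcases the user name it sends;
    on every other platform the name is passed through unchanged."""
    return login_name.lower() if platform == "win32" else login_name


def server_accepts(principal_text: str, requested_user: str,
                   krb_caseins_users: bool = False,
                   accepted_realm: Optional[str] = None) -> bool:
    """Item 3: compare the principal's name part with the requested database
    user. Exact match by default; case-folded only when krb_caseins_users is
    on (needed for KDCs such as Active Directory that return mixed case).

    accepted_realm is an addition beyond the message: when given, a principal
    from any other realm is refused, so a same-named user in a different
    (cross-realm-trusted) realm cannot log in as this user. With None the realm
    plays no part, which is what a comparison on the name part alone implies."""
    principal = parse_principal(principal_text)
    if accepted_realm is not None and principal.realm != accepted_realm:
        return False
    if krb_caseins_users:
        return principal.name.lower() == requested_user.lower()
    return principal.name == requested_user


if __name__ == "__main__":
    # Constructed scenarios, not real credentials.
    cases = [
        ("alice@EXAMPLE.COM", "alice", False, None),            # exact match: accepted
        ("Alice@EXAMPLE.COM", "alice", False, None),            # AD-style mixed case, default: refused
        ("Alice@EXAMPLE.COM", "alice", True, None),             # krb_caseins_users on: accepted
        ("alice@OTHER.REALM", "alice", False, "EXAMPLE.COM"),   # realm pinned: refused
    ]
    for principal, user, caseins, realm in cases:
        print(f"{principal:22} as {user!r:8} caseins={caseins!s:5} realm={realm}: "
              f"{server_accepts(principal, user, caseins, realm)}")
```

Run as a script it walks through the four scenarios. The point of the accepted_realm argument is that a check on the name part alone treats alice@OTHER.REALM and alice@EXAMPLE.COM as the same database user; the message does not describe such a check, so it is marked as an addition.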

Re: Updated kerberos service name patch

From
Bruce Momjian
Date:
Patch retracted for update.

---------------------------------------------------------------------------

Magnus Hagander wrote:
> Here is an updated version of the patch from
> http://candle.pha.pa.us/mhonarc/patches2/msg00025.html. It handles the
> options for libpq connections the same way other options are handled,
> and it also updates the kerberos documentation. It contains a couple of
> minor changes to the Kerberos documentation that's not directly related
> to this patch, to make it easier to read. And it updates the Kerberos
> information URL to the current MIT pages.
>
> I refactored my own code so now the Kerberos 4 specific changes are very
> small. I have not verified them, but I think they shuold work. That
> doesn't mean I'm still in favour of ripping out the krb4 code, just that
> it's fairly easy to do it as a separate step instead.
>
> //Magnus

Content-Description: krbsrvname.patch

[ Attachment, skipping... ]

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: Updated kerberos service name patch

From
Bruce Momjian
Date:
Patch applied.  Thanks.  I manually updated postgresql.conf.sample.

---------------------------------------------------------------------------


Magnus Hagander wrote:
> Here's an updated version of the patch, with the following changes:
>
> 1) No longer uses "service name" as "application version". It's instead
> hardcoded as "postgres". It could be argued that this part should be
> backpatched to 8.0, but it doesn't make a big difference until you can
> start changing it with GUC / connection parameters. This change only
> affects kerberos 5, not 4.
>
> 2) Now downcases kerberos usernames when the client is running on win32.
>
> 3) Adds guc option for "krb_caseins_users" to make the server ignore
> case mismatch which is required by some KDCs such as Active Directory.
> Off by default, per discussion with Tom. This change only affects
> kerberos 5, not 4.
>
> 4) Updated so it doesn't conflict with the rendezvous/bonjour patch
> already in ;-)
>
> //Magnus

Content-Description: kerberos3.patch

[ Attachment, skipping... ]
