From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Christopher Head <chris2k01(at)hotmail(dot)com>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
Subject: | Re: BUG #5559: Full SSL verification fails when hostaddr provided |
Date: | 2010-07-14 17:39:42 |
Message-ID: | 20100714173942.GM21875@tamriel.snowman.net |
Lists: | pgsql-bugs |

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> ... btw, the libpq documentation claims that
>
> If hostaddr is specified without host, the value for hostaddr
> gives the remote address. When Kerberos is used, a reverse name
> query occurs to obtain the host name for Kerberos.
>
> but so far as I can see this is flat wrong. pg_krb5_sendauth throws
> an error if you didn't provide a host name, and so do the other places
> in fe-auth.c that need the host name. What we're about to do to SSL
> verification will match that. So I think the docs need a fix here.

I think the confusion here is that the *Kerberos* libraries do the
reverse-DNS lookup to get the hostname to request as part of the
principal. It's true that we don't, but that doesn't mean it's not
done. Not sure where or if we need to discuss how Kerberos works in the
libpq documentation or what the context is for the above, but I'm pretty
sure that's where the original wording came from.
Thanks,
Stephen