From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Peter Koczan <pjkoczan(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
Date: | 2009-05-27 20:21:16 |
Message-ID: | 4A1DA0BC.3000106@hagander.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
Magnus Hagander wrote:
> Tom Lane wrote:
>> Peter Koczan <pjkoczan(at)gmail(dot)com> writes:
>>> This is trust authentication with one rather inconsequential bit of
>>> verification, that's a fundamental breakage. One of the major points
>>> of Kerberos is that, for anything that talks Kerberos, you are the
>>> principal in that ticket. I understand the desire to change some of
>>> that old code, but why is that principal being ignored?
>> Well, the reason for that change was that the libpq code was absorbing
>> userid from any available Kerberos ticket, even if the server
>> subsequently issued a non-Kerberos authentication challenge. I still
>> think that was wrong. What your complaint seems to suggest is that
>> the server-side Kerberos auth code should be insisting that the supplied
>> principal's first component match the requested database userid.
>> I kinda thought we *had* been doing that, but can't claim to have read
>> that code closely. Magnus?
>
> We are certainly *supposed* to do that. And we have been doing that. So
> if that's not done, it's been broken in 8.4 (most likely by me).
>
> Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
> but from your messages it looks like you have gssapi?
>
> Can you show us your pg_hba.conf file, and all lines with krb in them
> from postgresql.conf?
>
> Also, can you try it with the server set to log at DEBUG4, and let us
> know what output you get?
Crap, I think I found the problem.
Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
"return ret" not "return STATUS_OK".
Wow, that's a bad bug :-O
//Magnus
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Koczan | 2009-05-27 20:40:40 | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
Previous Message | Magnus Hagander | 2009-05-27 20:15:14 | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |