Re: GSSAPI, SSPI - include_realm default

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: GSSAPI, SSPI - include_realm default
Date: 2014-11-26 20:04:49
Message-ID: CABUevExE-QC767LO0LumtuLJAX4YwvGp2wYVLm1sr0qe=4mHRA@mail.gmail.com
Lists: pgsql-hackers

On Wed, Nov 26, 2014 at 8:01 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Greetings,
>
> The include_realm default for GSSAPI and SSPI is currently
> 'include_realm=0', meaning that the realm is stripped off of the
> Kerberos principal (aka the 'system' username) prior to looking up the
> user in pg_authid.
>
> This is fine in a single-realm environment but extremely dangerous
> in a multi-realm environment, as user@REALMA is rarely the same as
> user@REALMB. Worse, a given environment can go from single-realm to
> multi-realm with relative ease and most administrators aren't going to
> expect applications to have a problem with that change. Every other
> Kerberos-enabled application which I'm aware of requires either the
> full principal (including realm) be considered, or that the realm of
> the principal matches the realm of the system (which is what OpenSSH
> requires, as an example).
>
> As such, I'd like to propose changing the default to be
> 'include_realm=1'.

Per our previous discussions, but to make sure it's also on record for
others, +1 for this suggestion.

> Back when Kerberos support was originally added, we didn't have the
> pg_ident regex-based mapping capability. Today, users who wish to
> strip the realm off would be best served by configuring a mapping in
> pg_ident.conf which strips off exactly the realm name (or names, if
> they are multi-realm where the users actually are the same individuals
> in multiple realms) instead of using 'include_realm=0'.
>
> Users who really wish to strip off the realm for their environment
> would still be able to add 'include_realm=0' to their pg_hba.conf.
> We would recommend against that in the documentation, however, and
> explain how it's unsafe. I would recommend that this be couched as
> transitional support for users who wish to upgrade but don't want to
> (further) change their configuration immediately, with the implication
> that we might remove it some day.
>
> This would be done for 9.5 and we would need to note it in the release
> notes, of course.

I suggest we also backpatch some documentation suggesting that people
manually change the include_realm parameter (perhaps also with a note
saying that the default will change in 9.5).

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
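
A simplified model of the behaviour discussed in this message, added here as an example; it is not code from PostgreSQL or from either poster. It contrasts 'include_realm=0' with 'include_realm=1' plus a pg_ident.conf regex map that strips exactly one realm. The map name "krb", the user "alice" and the use of Python's re module in place of PostgreSQL's regex engine are assumptions.

```python
import re

# Constructed pg_ident.conf contents: one regex map that strips exactly REALMA.
PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME        PG-USERNAME
krb         /^(.*)@REALMA$         \1
"""

def parse_ident(text):
    """Return (map_name, system_username, pg_username) for each entry line."""
    entries = []
    for line in text.splitlines():
        # Simplification: treat '#' as starting a comment anywhere on the line.
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries

def allowed_role(principal, include_realm, map_name=None, ident=PG_IDENT):
    """Model: the database role this Kerberos principal may log in as, or None."""
    # include_realm=0 drops everything after '@' before any lookup happens.
    system_user = principal if include_realm else principal.split("@", 1)[0]
    if map_name is None:
        # Without a map, the system username must equal the role name.
        return system_user
    for name, sys_pat, pg_user in parse_ident(ident):
        if name != map_name:
            continue
        if sys_pat.startswith("/"):  # leading '/' marks a regular expression
            m = re.search(sys_pat[1:], system_user)
            if m:
                return pg_user.replace(r"\1", m.group(1)) if m.re.groups else pg_user
        elif sys_pat == system_user:
            return pg_user
    return None

def demo():
    principals = ["alice@REALMA", "alice@REALMB"]  # same name, different realms
    return {
        "include_realm=0": [allowed_role(p, False) for p in principals],
        "include_realm=1 map=krb": [allowed_role(p, True, "krb") for p in principals],
    }

if __name__ == "__main__":
    for setting, roles in demo().items():
        print(setting, roles)
```

With the realm stripped, both principals resolve to the role "alice"; with the realm kept and the map applied, only the REALMA principal does.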
