| From: | Bill Studenmund <wrstuden(at)netbsd(dot)org> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | <pgsql-patches(at)postgresql(dot)org> |
| Subject: | Re: Patch to add Heimdal kerberos support |
| Date: | 2001-11-13 00:03:51 |
| Message-ID: | Pine.NEB.4.33.0111121553370.24761-100000@vespasia.home-net.internetconnect.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
On Mon, 12 Nov 2001, Tom Lane wrote:
> Bill Studenmund <wrstuden(at)netbsd(dot)org> writes:
> > Attached please find a patch to make Postgres compile with Heimdal krb5
> > support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> > implies MIT krb5 support.
>
> Couldn't we do this in a way that doesn't require a user configure switch?
Not that I know of. There are slight differences in the APIs, and Heimdal
needs a different set of libraries compiled in.
I'll ask around.
> --- src/backend/libpq/auth.c 2001/10/28 06:25:44 1.71
> +++ src/backend/libpq/auth.c 2001/11/12 22:32:00
> @@ -229,7 +229,7 @@
> " Kerberos error %d\n", retval);
> com_err("postgres", retval,
> "while getting server principal for service %s",
> - pg_krb_server_keyfile);
> + PG_KRB_SRVNAM);
> krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
>
> This change seems like a step backwards.
This patch really isn't Heimdal-related. If you look at the code
preceeding this, we are looking for the principal for service
PG_KRB_SRVNAM in the file pg_krb_server_keyfile. Unpatched, this error
message says,
"...error.. while getting server principal for service
/usr/local/psql/data/krb5.srvtab"
which makes no sense. It was really "... while getting server principal
for service postgres" for instance; PG_KRB_SRVNAM is the service name we
looked up, so it is the one we should mention.
>
> krb5_free_context(pg_krb5_context);
> return STATUS_ERROR;
> @@ -283,8 +283,13 @@
> *
> * I have no idea why this is considered necessary.
> */
> +#ifdef KRB5_MIT
> retval = krb5_unparse_name(pg_krb5_context,
> ticket->enc_part2->client, &kusername);
> +#else
> + retval = krb5_unparse_name(pg_krb5_context,
> + ticket->client, &kusername);
> +#endif
>
> If this is the only code change needed, couldn't we dispense with it
There is one more a little later on in the patch, in the front-end code.
> somehow? I notice that the previous authors of this code had grave
> doubts about comparing the username at all. I don't know much about
> Kerberos' security model --- is the fact that we got a ticket sufficient
> authentication, and if not why not?
I'll be honest that I'm still learning kerberos and all of the twists and
turns of its code.
I think the point is this test and the code after it makes sure that your
kerberos and your postgres usernames match. I think that's VERY important.
Otherwise I could log into kerberos as wrstuden and access postgres as
user tgl. That seems BAD to me. :-)
Take care,
Bill
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2001-11-13 00:14:05 | Re: Patch to add Heimdal kerberos support |
| Previous Message | Tom Lane | 2001-11-12 23:52:42 | Re: Patch to add Heimdal kerberos support |