Hi! I recently got a Debian bug report [1] that says:
"It is not always possible to use krb5 authentication to a server that is listening on multiple interfaces other than to the 'primary' interface. More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in the pg_krb5_server principal with a call to krb5_sname_to_principal with NULL as the second argument (the hostname argument). This invokes the hostname canonicalisation behaviour in the kerberos library which has insufficient information to be able to return the correct answer in all cases."

The bug report describes this a little deeper with a detailed example. The reporter also proposes a patch, which I copied below for your convenience. It looks pretty sane and is relatively unintrusive. However, since I don't know much about Kerberos, I'd like to hear another opinion. Since this is in no way Debian specific, would you be interested to fix this upstream as well?

Thanks for considering and have a nice day!

Martin

--------------- snip ------------------- --- postgresql-7.4.7-old/src/backend/libpq/auth.c 2003-12-20 18:25:02.000000000 +0000 +++ postgresql-7.4.7/src/backend/libpq/auth.c 2005-07-25 19:55:26.000000000 +0100 @@ -216,8 +216,18 @@ return STATUS_ERROR; } - retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM, + if( VirtualHost && VirtualHost[0] ) + { + char *host=VirtualHost; + while(*host==' ') host++; /* skip leading spaces (cf postmaster.c) */ + retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM, + KRB5_NT_SRV_HST, &pg_krb5_server); + } + else + { + retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM, KRB5_NT_SRV_HST, &pg_krb5_server); + } if (retval) { ereport(LOG, --------------- snip -------------------

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
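Review bot: the patch only helps when VirtualHost is set; the else branch is the unchanged krb5_sname_to_principal(pg_krb5_context, NULL, ...) call, so a server that listens on every interface (VirtualHost empty) still gets the library's hostname canonicalisation that the bug report says cannot pick the right name, and the reported case is only partly covered. Tying the Kerberos service principal to the listen-address setting also conflates two different things; a dedicated setting naming the host part of the service principal would cover both configurations and let the principal differ from the listen address when a site needs that. Two smaller points in the hunk: the trimming loop `while(*host==' ') host++;` skips leading spaces only, so a trailing space or a tab in VirtualHost is passed to krb5_sname_to_principal verbatim, and the two branches differ only in the second argument, so computing `host` first (NULL when VirtualHost is empty, the trimmed string otherwise) and making a single krb5_sname_to_principal call would remove the duplicated call and the duplicated error path. Finally, `if( VirtualHost && VirtualHost[0] )` does not follow the surrounding code's `if (cond)` spacing.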