Hi

This is a two-part patch against 7.4.5 that makes configurable the value
currently fixed by the #defined constant PG_KRB_SRVNAM (the service-name
part of the Kerberos principal the server uses).

On the backend it can be configured by the (new) string option
krb_srvnam in postgresql.conf.

On the client it can be configured by setting the environment variable
PGKRBSRVNAM.

The default setting (for both) is the value given by PG_KRB_SRVNAM
mentioned above.

diff -uNr postgresql-7.4.5/src/backend/libpq/auth.c postgresql-7.4.5-mod/src/backend/libpq/auth.c
--- postgresql-7.4.5/src/backend/libpq/auth.c	2003-12-20 19:25:02.000000000 +0100
+++ postgresql-7.4.5-mod/src/backend/libpq/auth.c	2004-09-25 12:58:32.000000000 +0200
@@ -41,6 +41,7 @@
 static int	recv_and_check_password_packet(Port *port);
 
 char	   *pg_krb_server_keyfile;
+char       *pg_krb_srvnam;
 
 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -99,7 +100,7 @@
 	status = krb_recvauth(krbopts,
 						  port->sock,
 						  &clttkt,
-						  PG_KRB_SRVNAM,
+						  pg_krb_srvnam,
 						  instance,
 						  &port->raddr.in,
 						  &port->laddr.in,
@@ -216,16 +217,16 @@
 		return STATUS_ERROR;
 	}
 
-	retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+	retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
 									 KRB5_NT_SRV_HST, &pg_krb5_server);
 	if (retval)
 	{
 		ereport(LOG,
 		 (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-				 PG_KRB_SRVNAM, retval)));
+				 pg_krb_srvnam, retval)));
 		com_err("postgres", retval,
 				"while getting server principal for service \"%s\"",
-				PG_KRB_SRVNAM);
+				pg_krb_srvnam);
 		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
 		krb5_free_context(pg_krb5_context);
 		return STATUS_ERROR;
@@ -261,7 +262,7 @@
 		return ret;
 
 	retval = krb5_recvauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
+						   (krb5_pointer) & port->sock, pg_krb_srvnam,
 						   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 	if (retval)
 	{
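Review bot: The fourth argument of krb5_recvauth() is the application-version string that the peer's krb5_sendauth() must present, so `pg_krb_srvnam` now controls that handshake string as well as the service name, and nothing at this call says so. A comment above the call such as `/* pg_krb_srvnam is also the sendauth application version; server krb_srvnam and client PGKRBSRVNAM must be identical */` would explain why a mismatch is rejected during the version exchange. The same applies to the krb5_sendauth() call in the last fe-auth.c hunk. The enclosing function starts and ends outside this hunk.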
diff -uNr postgresql-7.4.5/src/backend/utils/misc/guc.c postgresql-7.4.5-mod/src/backend/utils/misc/guc.c
--- postgresql-7.4.5/src/backend/utils/misc/guc.c	2004-08-11 23:10:52.000000000 +0200
+++ postgresql-7.4.5-mod/src/backend/utils/misc/guc.c	2004-09-25 11:47:45.000000000 +0200
@@ -59,6 +59,9 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
+#ifndef PG_KRB_SRVNAM
+#define PG_KRB_SRVNAM ""
+#endif
 
 #ifdef EXEC_BACKEND
 #define CONFIG_EXEC_PARAMS "global/config_exec_params"
@@ -1375,6 +1378,15 @@
 	},
 
 	{
+		{"krb_srvnam", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets the name of the Postgres server Kerberos service."),
+			NULL
+		},
+		&pg_krb_srvnam,
+		PG_KRB_SRVNAM, NULL, NULL
+	},
+
+	{
 		{"rendezvous_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Rendezvous broadcast service name."),
 			NULL
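Review bot: The new `krb_srvnam` entry passes `NULL` for its assign hook, so any string from postgresql.conf, including an empty one, is handed unchanged to krb_recvauth(), krb5_sname_to_principal() and krb5_recvauth() in auth.c. Because this value selects the principal the server authenticates as, a hook that rejects an empty value (for example `PG_KRB_SRVNAM, assign_krb_srvnam, NULL`, the hook name being made up here) would report a misconfiguration when the setting is read rather than at each connection attempt. The `#define PG_KRB_SRVNAM ""` fallback in the previous hunk makes the same empty value the default whenever the macro is missing; if configure always defines it, dropping the fallback would turn a missing include into a compile error instead. The patch also shows no postgresql.conf.sample or documentation entry for the option. The options table continues outside the hunk.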
diff -uNr postgresql-7.4.5/src/include/libpq/auth.h postgresql-7.4.5-mod/src/include/libpq/auth.h
--- postgresql-7.4.5/src/include/libpq/auth.h	2003-08-04 04:40:13.000000000 +0200
+++ postgresql-7.4.5-mod/src/include/libpq/auth.h	2004-09-25 12:13:05.000000000 +0200
@@ -27,5 +27,6 @@
 #define PG_KRB5_VERSION "PGVER5.1"
 
 extern char *pg_krb_server_keyfile;
+extern char *pg_krb_srvnam;
 
 #endif   /* AUTH_H */
diff -uNr postgresql-7.4.5/src/interfaces/libpq/fe-auth.c postgresql-7.4.5-mod/src/interfaces/libpq/fe-auth.c
--- postgresql-7.4.5/src/interfaces/libpq/fe-auth.c	2003-12-20 19:46:02.000000000 +0100
+++ postgresql-7.4.5-mod/src/interfaces/libpq/fe-auth.c	2004-09-25 12:22:26.000000000 +0200
@@ -116,6 +116,7 @@
 
 /* for some reason, this is not defined in krb.h ... */
 extern char *tkt_string(void);
+static char *pg_krb_srvnam;
 
 /*
  * pg_krb4_init -- initialization performed before any Kerberos calls are made
@@ -145,6 +146,11 @@
 		(void) snprintf(tktbuf, sizeof(tktbuf), "[EMAIL PROTECTED]", tkt_string(), realm);
 		krb_set_tkt_string(tktbuf);
 	}
+
+	pg_krb_srvnam = getenv("PGKRBSRVNAM");
+	if (pg_krb_srvnam == NULL) {
+	     pg_krb_srvnam = PG_KRB_SRVNAM;
+	}
 }
 
 /*
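Review bot: The pointer returned by getenv() is kept in a file-scope static for later connections, although POSIX allows that storage to be changed by a later setenv()/putenv() in the application, and an empty `PGKRBSRVNAM=` is taken as a valid service name. The fallback test could be `if (pg_krb_srvnam == NULL || pg_krb_srvnam[0] == '\0')`, with the value copied into private storage. Since this name selects the service principal the client requests, a comment should state that it is process-wide and comes from the environment, so every connection the process makes shares it. The same lines are added to pg_krb5_init in a later hunk, and pg_krb4_init itself begins outside this hunk.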
@@ -216,7 +222,7 @@
 	status = krb_sendauth(krbopts,
 						  sock,
 						  &clttkt,
-						  PG_KRB_SRVNAM,
+						  pg_krb_srvnam,
 						  hostname,
 						  realm,
 						  (u_long) 0,
@@ -278,6 +284,7 @@
 static krb5_ccache pg_krb5_ccache;
 static krb5_principal pg_krb5_client;
 static char *pg_krb5_name;
+static char *pg_krb_srvnam;
 
 
 static int
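Review bot: `static char *pg_krb_srvnam;` is now declared twice in fe-auth.c, here beside the Kerberos 5 statics and earlier beside the `tkt_string` declaration. If both sections can end up in one build (the conditionals are not visible in these hunks), this compiles only through C's tentative-definition rule and leaves the reader unsure which declaration is authoritative. A single declaration placed above both Kerberos sections, with a comment like `/* service part of the server principal: PGKRBSRVNAM, else PG_KRB_SRVNAM */`, would remove the duplication. A small shared helper for the getenv fallback would likewise replace the two identical copies in the init functions.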
@@ -333,6 +340,11 @@
 
 	pg_krb5_name = pg_an_to_ln(pg_krb5_name);
 
+	pg_krb_srvnam = getenv("PGKRBSRVNAM");
+	if (pg_krb_srvnam == NULL) {
+	     pg_krb_srvnam = PG_KRB_SRVNAM;
+	}
+	
 	pg_krb5_initialised = 1;
 	return STATUS_OK;
 }
@@ -370,7 +382,7 @@
 	if (ret != STATUS_OK)
 		return ret;
 
-	retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+	retval = krb5_sname_to_principal(pg_krb5_context, hostname, pg_krb_srvnam,
 									 KRB5_NT_SRV_HST, &server);
 	if (retval)
 	{
@@ -397,7 +409,7 @@
 	}
 
 	retval = krb5_sendauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & sock, PG_KRB_SRVNAM,
+						   (krb5_pointer) & sock, pg_krb_srvnam,
 						   pg_krb5_client, server,
 						   AP_OPTS_MUTUAL_REQUIRED,
 						   NULL, 0,		/* no creds, use ccache instead */
The use of this is mainly if several different users want to run their
own instance of postgresql on the same machine.

Regards
Daniel Ahlin