Fix Kerberos authentication in wake of virtual-hosts changes --- need
to call krb5_sname_to_principal() always. Also, use krb_srvname rather than the hardwired string 'postgres' as the appl_version string in the krb5_sendauth/recvauth calls, to avoid breaking compatibility with PG 8.0. Magnus Hagander
This commit is contained in:
Tom Lane
parent
4909357237
commit
18d0ca2d1b
@ -8,7 +8,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.127 2005/07/25 04:52:31 tgl Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.128 2005/10/08 19:32:57 tgl Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -119,6 +119,7 @@ static int
|
||||
pg_krb5_init(void)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
char *khostname;
|
||||
|
||||
if (pg_krb5_initialised)
|
||||
return STATUS_OK;
|
||||
@ -145,25 +146,31 @@ pg_krb5_init(void)
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
if (pg_krb_server_hostname)
|
||||
/*
|
||||
* If no hostname was specified, pg_krb_server_hostname is already
|
||||
* NULL. If it's set to blank, force it to NULL.
|
||||
*/
|
||||
khostname = pg_krb_server_hostname;
|
||||
if (khostname && khostname[0] == '\0')
|
||||
khostname = NULL;
|
||||
|
||||
retval = krb5_sname_to_principal(pg_krb5_context,
|
||||
khostname,
|
||||
pg_krb_srvnam,
|
||||
KRB5_NT_SRV_HST,
|
||||
&pg_krb5_server);
|
||||
if (retval)
|
||||
{
|
||||
retval = krb5_sname_to_principal(pg_krb5_context,
|
||||
pg_krb_server_hostname, pg_krb_srvnam,
|
||||
KRB5_NT_SRV_HST, &pg_krb5_server);
|
||||
if (retval)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
|
||||
pg_krb_srvnam, retval)));
|
||||
com_err("postgres", retval,
|
||||
"while getting server principal for service \"%s\"",
|
||||
pg_krb_srvnam);
|
||||
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
|
||||
krb5_free_context(pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
} else
|
||||
pg_krb5_server = NULL;
|
||||
ereport(LOG,
|
||||
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
|
||||
pg_krb_srvnam, retval)));
|
||||
com_err("postgres", retval,
|
||||
"while getting server principal for service \"%s\"",
|
||||
pg_krb_srvnam);
|
||||
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
|
||||
krb5_free_context(pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
pg_krb5_initialised = 1;
|
||||
return STATUS_OK;
|
||||
@ -194,7 +201,7 @@ pg_krb5_recvauth(Port *port)
|
||||
return ret;
|
||||
|
||||
retval = krb5_recvauth(pg_krb5_context, &auth_context,
|
||||
(krb5_pointer) & port->sock, "postgres",
|
||||
(krb5_pointer) & port->sock, pg_krb_srvnam,
|
||||
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
|
||||
if (retval)
|
||||
{
|
||||
|
||||
@ -70,7 +70,7 @@
|
||||
# Kerberos
|
||||
#krb_server_keyfile = ''
|
||||
#krb_srvname = 'postgres'
|
||||
#krb_server_hostname = '(any)' # if not set, matches any keytab entry
|
||||
#krb_server_hostname = '' # empty string matches any keytab entry
|
||||
#krb_caseins_users = off
|
||||
|
||||
# - TCP Keepalives -
|
||||
|
||||
@ -10,7 +10,7 @@
|
||||
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.103 2005/06/30 01:59:20 neilc Exp $
|
||||
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.104 2005/10/08 19:32:58 tgl Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -280,7 +280,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *s
|
||||
}
|
||||
|
||||
retval = krb5_sendauth(pg_krb5_context, &auth_context,
|
||||
(krb5_pointer) & sock, "postgres",
|
||||
(krb5_pointer) & sock, (char *) servicename,
|
||||
pg_krb5_client, server,
|
||||
AP_OPTS_MUTUAL_REQUIRED,
|
||||
NULL, 0, /* no creds, use ccache instead */
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user