Cleanups from the remove-native-krb5 patch

krb_srvname is actually not available anymore as a parameter server-side, since with gssapi we accept all principals in our keytab. It's still used in libpq for client side specification. In passing remove declaration of krb_server_hostname, where all the functionality was already removed. Noted by Stephen Frost, though a different solution than his suggestion
12 years ago · 0294023a6b
parent e3c9f23250
commit 0294023a6b
7 changed files with 9 additions and 40 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -923,17 +923,15 @@ omicron         bryanh                  guest1
    <productname>Kerberos</productname>, it uses a standard principal
    in the format
    <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
-    <replaceable>servicename</> can be set on the server side using the
-    <xref linkend="guc-krb-srvname"> configuration parameter, and on the
-    client side using the <literal>krbsrvname</> connection parameter. (See
+    The PostgreSQL server will accept any principal that is included in the keytab used by
+    the server, but care needs to be taken to specify the correct principal details when
+    making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
    also <xref linkend="libpq-paramkeywords">.) The installation default can be
    changed from the default <literal>postgres</literal> at build time using
    <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
    In most environments,
-    this parameter never needs to be changed. However, it is necessary
-    when supporting multiple <productname>PostgreSQL</> installations
-    on the same host.
-    Some Kerberos implementations might also require a different service name,
+    this parameter never needs to be changed.
+    Some Kerberos implementations might require a different service name,
    such as Microsoft Active Directory which requires the service name
    to be in upper case (<literal>POSTGRES</literal>).
   </para>
@ -964,6 +962,9 @@ omicron         bryanh                  guest1
    parameter. The default is
    <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
    directory was specified as <varname>sysconfdir</> at build time).
+    For security reasons, it is recommended to use a separate keytab
+    just for the <productname>PostgreSQL</productname> server rather
+    than opening up permissions on the system keytab file.
   </para>
   <para>
    The keytab file is generated by the Kerberos software; see the
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@ -1033,20 +1033,6 @@ include 'filename'
      </listitem>
     </varlistentry>

-     <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
-      <term><varname>krb_srvname</varname> (<type>string</type>)</term>
-      <indexterm>
-       <primary><varname>krb_srvname</> configuration parameter</primary>
-      </indexterm>
-      <listitem>
-       <para>
-        Sets the Kerberos service name. See <xref linkend="gssapi-auth">
-        for details. This parameter can only be set in the
-        <filename>postgresql.conf</> file or on the server command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
     <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
      <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
      <indexterm>
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@ -129,7 +129,6 @@ static int	CheckCertAuth(Port *port);
 *----------------------------------------------------------------
 */
 char	   *pg_krb_server_keyfile;
-char	   *pg_krb_srvnam;
 bool		pg_krb_caseins_users;


--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@ -85,9 +85,6 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
-#ifndef PG_KRB_SRVNAM
-#define PG_KRB_SRVNAM ""
-#endif

 #define CONFIG_FILENAME "postgresql.conf"
 #define HBA_FILENAME	"pg_hba.conf"
@ -2802,16 +2799,6 @@ static struct config_string ConfigureNamesString[] =
 		NULL, NULL, NULL
 	},

-	{
-		{"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
-			gettext_noop("Sets the name of the Kerberos service."),
-			NULL
-		},
-		&pg_krb_srvnam,
-		PG_KRB_SRVNAM,
-		NULL, NULL, NULL
-	},
-
 	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour service name."),
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@ -91,9 +91,8 @@
 #password_encryption = on
 #db_user_namespace = off

-# Kerberos and GSSAPI
+# GSSAPI using Kerberos
 #krb_server_keyfile = ''
-#krb_srvname = 'postgres'		# (Kerberos only)
 #krb_caseins_users = off

 # - TCP Keepalives -
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@ -17,9 +17,7 @@
 #include "libpq/libpq-be.h"

 extern char *pg_krb_server_keyfile;
-extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
-extern char *pg_krb_server_hostname;
 extern char *pg_krb_realm;

 extern void ClientAuthentication(Port *port);
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@ -75,7 +75,6 @@ typedef struct HbaLine
 	char	   *ldapprefix;
 	char	   *ldapsuffix;
 	bool		clientcert;
-	char	   *krb_server_hostname;
 	char	   *krb_realm;
 	bool		include_realm;
 	char	   *radiusserver;