Fix Kerberos authentication in wake of virtual-hosts changes --- need

to call krb5_sname_to_principal() always. Also, use krb_srvname rather than the hardwired string 'postgres' as the appl_version string in the krb5_sendauth/recvauth calls, to avoid breaking compatibility with PG 8.0. Magnus Hagander
20 years ago · 18d0ca2d1b
parent 4909357237
commit 18d0ca2d1b
3 changed files with 30 additions and 23 deletions
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.127 2005/07/25 04:52:31 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.128 2005/10/08 19:32:57 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -119,6 +119,7 @@ static int
 pg_krb5_init(void)
 {
 	krb5_error_code retval;
+	char *khostname;

 	if (pg_krb5_initialised)
 		return STATUS_OK;
@ -145,25 +146,31 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}

-	if (pg_krb_server_hostname)
+	/*
+	 * If no hostname was specified, pg_krb_server_hostname is already
+	 * NULL. If it's set to blank, force it to NULL.
+	 */
+	khostname = pg_krb_server_hostname;
+	if (khostname && khostname[0] == '\0')
+		khostname = NULL;
+
+	retval = krb5_sname_to_principal(pg_krb5_context,
+									 khostname,
+									 pg_krb_srvnam,
+									 KRB5_NT_SRV_HST,
+									 &pg_krb5_server);
+	if (retval)
 	{
-		retval = krb5_sname_to_principal(pg_krb5_context, 
-					pg_krb_server_hostname, pg_krb_srvnam,
-			 		KRB5_NT_SRV_HST, &pg_krb5_server);
-	 	if (retval)
-		{
-			ereport(LOG,
-		 	(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-				 	pg_krb_srvnam, retval)));
-			com_err("postgres", retval,
-					"while getting server principal for service \"%s\"",
-					pg_krb_srvnam);
-			krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-			krb5_free_context(pg_krb5_context);
-			return STATUS_ERROR;
-		}
-	} else
-		pg_krb5_server = NULL;
+		ereport(LOG,
+				(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+						pg_krb_srvnam, retval)));
+		com_err("postgres", retval,
+				"while getting server principal for service \"%s\"",
+				pg_krb_srvnam);
+		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+		krb5_free_context(pg_krb5_context);
+		return STATUS_ERROR;
+	}

 	pg_krb5_initialised = 1;
 	return STATUS_OK;
@ -194,7 +201,7 @@ pg_krb5_recvauth(Port *port)
 		return ret;

 	retval = krb5_recvauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & port->sock, "postgres",
+						   (krb5_pointer) & port->sock, pg_krb_srvnam,
 						   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 	if (retval)
 	{
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@ -70,7 +70,7 @@
 # Kerberos
 #krb_server_keyfile = ''
 #krb_srvname = 'postgres'
-#krb_server_hostname = '(any)'		# if not set, matches any keytab entry
+#krb_server_hostname = ''		# empty string matches any keytab entry
 #krb_caseins_users = off

 # - TCP Keepalives -
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@ -10,7 +10,7 @@
 * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.103 2005/06/30 01:59:20 neilc Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.104 2005/10/08 19:32:58 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -280,7 +280,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *s
 	}

 	retval = krb5_sendauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & sock, "postgres",
+						   (krb5_pointer) & sock, (char *) servicename,
 						   pg_krb5_client, server,
 						   AP_OPTS_MUTUAL_REQUIRED,
 						   NULL, 0,		/* no creds, use ccache instead */