[patch] krb5 authentication on multihomed server hosts

From Martin Pitt
Subject [patch] krb5 authentication on multihomed server hosts
Msg-id 20050929224549.GA9606@piware.de
Replies Re: [patch] krb5 authentication on multihomed server hosts  (Bruce Momjian <pgman@candle.pha.pa.us>)
List pgsql-bugs
Hi!

I recently got a Debian bug report [1] that says:

  "It is not always possible to use krb5 authentication to a server
  that is listening on multiple interfaces other than to the 'primary'
  interface.

  More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in
  the pg_krb5_server principal with a call to krb5_sname_to_principal
  with NULL as the second argument (the hostname argument).  This
  invokes the hostname canonicalisation behaviour in the kerberos
  library which has insufficient information to be able to return the
  correct answer in all cases."

The bug report describes this a little deeper with a detailed
example. The reporter also proposes a patch, which I copied below for
your convenience. It looks pretty sane and is relatively unintrusive.
However, since I don't know much about Kerberos, I'd like to hear
another opinion.

Since this is in no way Debian specific, would you be interested to
fix this upstream as well?

Thanks for considering and have a nice day!

Martin

--------------- snip -------------------
--- postgresql-7.4.7-old/src/backend/libpq/auth.c    2003-12-20 18:25:02.00000=
0000 +0000
+++ postgresql-7.4.7/src/backend/libpq/auth.c    2005-07-25 19:55:26.000000000=
 +0100
@@ -216,8 +216,18 @@
         return STATUS_ERROR;
     }
=20
-    retval =3D krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+    if( VirtualHost && VirtualHost[0] )
+    {
+        char *host=3DVirtualHost;
+        while(*host=3D=3D' ') host++; /* skip leading spaces (cf postmaster.c) */
+        retval =3D krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM,
+                                     KRB5_NT_SRV_HST, &pg_krb5_server);
+    }
+    else
+    {
+        retval =3D krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
                                      KRB5_NT_SRV_HST, &pg_krb5_server);
+    }
     if (retval)
     {
         ereport(LOG,
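
Review bot: The VirtualHost && VirtualHost[0] test in the new if runs before the while(*host==' ') host++; loop, so a VirtualHost value consisting only of spaces leaves host pointing at an empty string, and that empty string is passed to krb5_sname_to_principal() instead of taking the NULL fallback in the else branch. Skipping the spaces first and then choosing between host and NULL would close that gap, and it would let both branches share a single krb5_sname_to_principal() call, since the two calls differ only in the hostname argument. The value is also handed over verbatim, so a short comment on what forms VirtualHost may take at this point (host name versus numeric address), plus a documentation note that this setting now determines the Kerberos service principal, would make the behaviour change visible to administrators.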
--------------- snip -------------------


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=320049

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
