Re: BUG #5559: Full SSL verification fails when hostaddr provided

Поиск
Список
Период
Сортировка
От Stephen Frost
Тема Re: BUG #5559: Full SSL verification fails when hostaddr provided
Дата
Msg-id 20100714214403.GQ21875@tamriel.snowman.net
обсуждение исходный текст
Ответ на Re: BUG #5559: Full SSL verification fails when hostaddr provided  (Tom Lane <tgl@sss.pgh.pa.us>)
Ответы Re: BUG #5559: Full SSL verification fails when hostaddr provided  (Tom Lane <tgl@sss.pgh.pa.us>)
Список pgsql-bugs
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> >      krb5_sname_to_principal() will use the passed hostname for the sec=
ond
> >      component.  If type is KRB5_NT_SRV_HST this name will be looked up=
 with
> >      gethostbyname().  If hostname is NULL, the local hostname will be =
used.
>=20
> > If we were passing in NULL before when hostaddr was set and host wasn't,
> > then we were probably ending up with Kerberos trying to use the local
> > hostname, which almost certainly wasn't right.
>=20
> Ah.  I agree that that would be unexpected behavior.
>=20
> > I expect that the
> > correct answer here would be to do whatever the actual connection logic
> > does- if it connects using host, then use host, if it connects using
> > hostaddr, then use hostaddr.
>=20
> Uh, no, because hostaddr is (required to be) a numeric IP.  The odds of
> it being useful in this context seem negligible.

Err, no, it'll work just fine- gethostbyname() will take the dotted-quad
numeric IP and return the hostname and Kerberos will use that to generate
the principal.  Maybe I'm missing something, but hostaddr being an IP is
just like if you passed in host with an IP, which I believe is what psql
does when called like so:

beren:/home/sfrost> psql -h 172.18.148.12 -d gis
Welcome to psql 8.3.7, the PostgreSQL interactive terminal.

and that certainly works just fine.

beren:/home/sfrost> klist
[...]
07/14/10 17:37:50  07/14/10 17:58:25  postgres/beren.tsf.noblis.org@TSF.NOB=
LIS.ORG

> At this point I'm satisfied that what the code is doing is right.  We
> can't authenticate against Kerberos without knowing the server host
> name, because we can't form a correct principal name.  Whether use of
> hostaddr would avoid an rDNS lookup inside the library is not relevant.

I don't believe anything is going to avoid an rDNS lookup except bombing
out before invoking krb5_sname_to_principal().  Perhaps that's what's
intended, to avoid any DNS lookup, but I don't believe it's because it
wouldn't *work* to give krb5_sname_to_principal() an IP address=20
(provided rDNS is, in fact, functional in your environment).

    Thanks,

        Stephen

В списке pgsql-bugs по дате отправления:

Предыдущее
От: Tom Lane
Дата:
Сообщение: Re: BUG #5559: Full SSL verification fails when hostaddr provided
Следующее
От: Stephen Frost
Дата:
Сообщение: Re: BUG #5559: Full SSL verification fails when hostaddr provided