Fix Kerberos authentication in wake of virtual-hosts changes --- need

tglsfdc · tglsfdc · commit 18d0ca2d1bf4 · 2005-10-08T19:32:58.000Z
to call krb5_sname_to_principal() always.  Also, use krb_srvname rather
than the hardwired string 'postgres' as the appl_version string in the
krb5_sendauth/recvauth calls, to avoid breaking compatibility with PG
8.0.  Magnus Hagander
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.127 2005/07/25 04:52:31 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.128 2005/10/08 19:32:57 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -119,6 +119,7 @@ static int
 pg_krb5_init(void)
 {
 	krb5_error_code retval;
+	char *khostname;
 
 	if (pg_krb5_initialised)
 		return STATUS_OK;
@@ -145,25 +146,31 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}
 
-	if (pg_krb_server_hostname)
+	/*
+	 * If no hostname was specified, pg_krb_server_hostname is already
+	 * NULL. If it's set to blank, force it to NULL.
+	 */
+	khostname = pg_krb_server_hostname;
+	if (khostname && khostname[0] == '\0')
+		khostname = NULL;
+
+	retval = krb5_sname_to_principal(pg_krb5_context,
+									 khostname,
+									 pg_krb_srvnam,
+									 KRB5_NT_SRV_HST,
+									 &pg_krb5_server);
+	if (retval)
 	{
-		retval = krb5_sname_to_principal(pg_krb5_context, 
-					pg_krb_server_hostname, pg_krb_srvnam,
-			 		KRB5_NT_SRV_HST, &pg_krb5_server);
-	 	if (retval)
-		{
-			ereport(LOG,
-		 	(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-				 	pg_krb_srvnam, retval)));
-			com_err("postgres", retval,
-					"while getting server principal for service \"%s\"",
-					pg_krb_srvnam);
-			krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-			krb5_free_context(pg_krb5_context);
-			return STATUS_ERROR;
-		}
-	} else
-		pg_krb5_server = NULL;
+		ereport(LOG,
+				(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+						pg_krb_srvnam, retval)));
+		com_err("postgres", retval,
+				"while getting server principal for service \"%s\"",
+				pg_krb_srvnam);
+		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+		krb5_free_context(pg_krb5_context);
+		return STATUS_ERROR;
+	}
 
 	pg_krb5_initialised = 1;
 	return STATUS_OK;
@@ -194,7 +201,7 @@ pg_krb5_recvauth(Port *port)
 		return ret;
 
 	retval = krb5_recvauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & port->sock, "postgres",
+						   (krb5_pointer) & port->sock, pg_krb_srvnam,
 						   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 	if (retval)
 	{
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
@@ -70,7 +70,7 @@
 # Kerberos
 #krb_server_keyfile = ''
 #krb_srvname = 'postgres'
-#krb_server_hostname = '(any)'		# if not set, matches any keytab entry
+#krb_server_hostname = ''		# empty string matches any keytab entry
 #krb_caseins_users = off
 
 # - TCP Keepalives -
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
  * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.103 2005/06/30 01:59:20 neilc Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.104 2005/10/08 19:32:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -280,7 +280,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *s
 	}
 
 	retval = krb5_sendauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & sock, "postgres",
+						   (krb5_pointer) & sock, (char *) servicename,
 						   pg_krb5_client, server,
 						   AP_OPTS_MUTUAL_REQUIRED,
 						   NULL, 0,		/* no creds, use ccache instead */

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).`
`11`	`11`	`*`
`12`	`12`	`* IDENTIFICATION`
`13`		`- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.103 2005/06/30 01:59:20 neilc Exp $`
	`13`	`+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.104 2005/10/08 19:32:58 tgl Exp $`
`14`	`14`	`*`
`15`	`15`	`*-------------------------------------------------------------------------`
`16`	`16`	`*/`
`@@ -280,7 +280,7 @@ pg_krb5_sendauth(char PQerrormsg, int sock, const char hostname, const char *s`
`280`	`280`	`}`
`281`	`281`
`282`	`282`	`retval = krb5_sendauth(pg_krb5_context, &auth_context,`
`283`		`- (krb5_pointer) & sock, "postgres",`
	`283`	`+ (krb5_pointer) & sock, (char *) servicename,`
`284`	`284`	`pg_krb5_client, server,`
`285`	`285`	`AP_OPTS_MUTUAL_REQUIRED,`
`286`	`286`	`NULL, 0, /* no creds, use ccache instead */`