Package: postgresql
Severity: important

It is not always possible to use krb5 authentication to a server that is
listening on multiple interfaces other than to the 'primary' interface.

More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in the
pg_krb5_server principal with a call to krb5_sname_to_principal with NULL
as the second argument (the hostname argument).  This invokes the hostname
canonicalisation behaviour in the kerberos library which has insufficient
information to be able to return the correct answer in all cases.

zero-credibility:~# host zero-credibility.oucs.ox.ac.uk
zero-credibility.oucs.ox.ac.uk has address 163.1.2.14
zero-credibility:~# host pgsql-dev.oucs.ox.ac.uk
pgsql-dev.oucs.ox.ac.uk has address 163.1.2.37
zero-credibility:~# netstat -nie # check interfaces are up
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:E0:81:63:D6:08  
          inet addr:163.1.2.14  Bcast:163.1.2.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:81ff:fe63:d608/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4603401 errors:0 dropped:0 overruns:0 frame:0
          TX packets:197179 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:342050931 (326.2 MiB)  TX bytes:26094767 (24.8 MiB)
          Base address:0xa000 Memory:f4020000-f4040000 

eth0:37   Link encap:Ethernet  HWaddr 00:E0:81:63:D6:08  
          inet addr:163.1.2.37  Bcast:163.1.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0xa000 Memory:f4020000-f4040000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:222060 errors:0 dropped:0 overruns:0 frame:0
          TX packets:222060 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:94776903 (90.3 MiB)  TX bytes:94776903 (90.3 MiB)

zero-credibility:~# netstat -natp | grep 5432 # check postmaster is listening
tcp        0      0 0.0.0.:5432         0.0.0.0:*               LISTEN     25267/postmaster
zero-credibility:~# klist -k /etc/postgresql/krb5.keytab # confirm keytab contents
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/[EMAIL PROTECTED]
   3 postgres/[EMAIL PROTECTED]

[...flip to client...]

[EMAIL PROTECTED] psql -h pgsql-dev.oucs.ox.ac.uk template1 # try to connect
psql: Kerberos 5 authentication failed
[EMAIL PROTECTED] klist # confirm we got a service ticket
Ticket cache: FILE:/tmp/krb5cc_1000_rnx4Z0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/26/05 09:48:01  07/26/05 19:48:01  krbtgt/[EMAIL PROTECTED]
07/26/05 13:26:33  07/26/05 19:48:01  postgres/[EMAIL PROTECTED]

[...back to server...]

zero-credibility:~# tail /var/log/postgresql/postgres.log
[...]
Jul 26 13:35:23 zero-credibility postgres[25963]: [1-1] LOG:  connection received: host=129.67.100.155 port=33718
Jul 26 13:35:23 zero-credibility postgres[25963]: [2-1] LOG:  Kerberos recvauth returned error -1765328240
Jul 26 13:35:23 zero-credibility postgres[25963]: [3-1] FATAL:  Kerberos5 authentication failed for user "pod"
zero-credibility:~# grep -e -1765328240 /usr/include/krb5.h # what is that err?
#define KRB5KRB_AP_WRONG_PRINC                   (-1765328240L)

I append a patch that 'fixes' behaviour for the limited case where a
virtual_host is specified in /etc/postgresql/postgresql.conf.  I'm not
sure it is possible to fix the INADDR_ANY case without changes to
krb5_recvauth() which is, of course, not your concern.

[...apply patch, run patched server...]

zero-credibility:~# grep -e virtual_host /etc/postgresql/postgresql.conf
virtual_host = '163.1.2.37'

[...try again on client...]

[EMAIL PROTECTED] psql -h pgsql-dev.oucs.ox.ac.uk template1
Welcome to psql 7.4.7, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

template1=> \q

--------------------
--- postgresql-7.4.7-old/src/backend/libpq/auth.c       2003-12-20 
18:25:02.000000000 +0000
+++ postgresql-7.4.7/src/backend/libpq/auth.c   2005-07-25 19:55:26.000000000 
+0100
@@ -216,8 +216,18 @@
                return STATUS_ERROR;
        }
 
-       retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+       if( VirtualHost && VirtualHost[0] )
+       {
+               char *host=VirtualHost;
+               while(*host==' ') host++; /* skip leading spaces (cf 
postmaster.c) */
+               retval = krb5_sname_to_principal(pg_krb5_context, host, 
PG_KRB_SRVNAM,
+                                                                        
KRB5_NT_SRV_HST, &pg_krb5_server);
+       }
+       else
+       {
+               retval = krb5_sname_to_principal(pg_krb5_context, NULL, 
PG_KRB_SRVNAM,
                                                                         
KRB5_NT_SRV_HST, &pg_krb5_server);
+       }
        if (retval)
        {
                ereport(LOG,
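Review bot: the two branches of the new `if( VirtualHost && VirtualHost[0] )` differ only in the hostname argument, so the duplicated krb5_sname_to_principal call can be collapsed into one: declare `char *host = NULL;` before the test, point it at the trimmed VirtualHost inside the `if`, and keep a single `retval = krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM, KRB5_NT_SRV_HST, &pg_krb5_server);`. Two further points: the loop `while(*host==' ') host++;` skips only leading spaces, so a value with trailing whitespace in postgresql.conf would be handed to the library unchanged, and it only skips ' ' rather than tabs; and the hunk does not show where VirtualHost is declared for auth.c, so confirm the header that exports it is already included here or add an `extern char *VirtualHost;`, otherwise this will not compile.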


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.18-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
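The mechanism the report describes at the top (a NULL hostname makes the library canonicalise the server's own primary name, while the client asks the KDC for a ticket for the name it connected to, and krb5_recvauth then rejects the ticket with KRB5KRB_AP_WRONG_PRINC even though the keytab holds keys for both names) can be reproduced offline with a small model. The following Python is an added example, not part of the bug report or of PostgreSQL or MIT Kerberos: the DNS table, MACHINE_HOSTNAME and REALM are constructed, and canonicalise(), sname_to_principal() and rd_req_check() are simplified models of the library's behaviour, not its code.

```python
"""Model of the multihomed-server principal mismatch from the bug report.

Constructed example: the DNS table mirrors the two 'host' lookups in the report,
the realm is a placeholder (the report redacts it), and the krb5 functions are
simplified models, not the library's real implementation.
"""

SERVICE = "postgres"                                   # PG_KRB_SRVNAM
REALM = "EXAMPLE.REALM"                                # constructed placeholder realm
MACHINE_HOSTNAME = "zero-credibility.oucs.ox.ac.uk"    # what gethostname() returns on the server

# Constructed forward DNS table reproducing the report's 'host' output.
FORWARD = {
    "zero-credibility.oucs.ox.ac.uk": "163.1.2.14",
    "pgsql-dev.oucs.ox.ac.uk": "163.1.2.37",
}
REVERSE = {ip: name for name, ip in FORWARD.items()}   # PTR records, constructed

WRONG_PRINC = -1765328240   # KRB5KRB_AP_WRONG_PRINC, the value the report grepped out of krb5.h


def canonicalise(hostname):
    """Model of the library's hostname canonicalisation (assumption, simplified).

    None stands for the NULL argument pg_krb5_init() passes: the library then
    starts from the machine's own name.  An IP literal is reverse-resolved; any
    other name is forward-resolved and the address reverse-resolved.
    """
    name = MACHINE_HOSTNAME if hostname is None else hostname.strip().lower()
    ip = name if name in REVERSE else FORWARD.get(name)
    if ip is None:
        raise LookupError(f"cannot resolve {name!r}")
    return REVERSE.get(ip, name)


def sname_to_principal(hostname):
    """Model of krb5_sname_to_principal(ctx, hostname, SERVICE, KRB5_NT_SRV_HST, ...)."""
    return f"{SERVICE}/{canonicalise(hostname)}@{REALM}"


def server_principal(virtual_host=None):
    """What pg_krb5_init() ends up with.

    Unpatched server: always the NULL-hostname form.  With the report's patch the
    configured virtual_host (leading spaces skipped) is used instead.
    """
    if virtual_host and virtual_host.strip():
        return sname_to_principal(virtual_host)
    return sname_to_principal(None)


def rd_req_check(server_princ, ticket_sname):
    """Model of the check inside krb5_recvauth()/krb5_rd_req(): the service name in
    the presented ticket must equal the principal the server supplied.  This is
    why having both keys in the keytab does not help: the comparison fails before
    any keytab lookup."""
    return 0 if server_princ == ticket_sname else WRONG_PRINC


def diagnose(connect_host, virtual_host=None):
    """One connection attempt: (ticket principal, server principal, recvauth result)."""
    ticket = sname_to_principal(connect_host)   # what psql -h <connect_host> asks the KDC for
    srv = server_principal(virtual_host)
    return ticket, srv, rd_req_check(srv, ticket)


if __name__ == "__main__":
    for host, vh in [("pgsql-dev.oucs.ox.ac.uk", None),
                     ("zero-credibility.oucs.ox.ac.uk", None),
                     ("pgsql-dev.oucs.ox.ac.uk", "163.1.2.37")]:
        ticket, srv, rc = diagnose(host, vh)
        print(f"connect to {host:<32} virtual_host={vh!s:<12} "
              f"ticket={ticket} server={srv} -> {'OK' if rc == 0 else 'KRB5KRB_AP_WRONG_PRINC'}")
```

Run as a script it walks through the three situations in the report: connecting to the secondary name fails on an unpatched server, connecting to the primary name succeeds, and connecting to the secondary name succeeds once virtual_host pins the server principal to that address. Any other value of virtual_host that does not reverse-resolve to the name clients use reintroduces the same mismatch, which is what to check first when this error appears in postgres.log.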

