Fix Kerberos authentication in wake of virtual-hosts changes --- need

to call krb5_sname_to_principal() always.  Also, use krb_srvname rather
than the hardwired string 'postgres' as the appl_version string in the
krb5_sendauth/recvauth calls, to avoid breaking compatibility with PG
8.0.  Magnus Hagander

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index affe3c6a68820d255c62faf64b6dfcd3a0349324..403285438fc811016c8748fa906effa3270be632 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.127 2005/07/25 04:52:31 tgl Exp $
+ *       $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.128 2005/10/08 19:32:57 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -119,6 +119,7 @@ static int
 pg_krb5_init(void)
 {
        krb5_error_code retval;
+       char *khostname;
 
        if (pg_krb5_initialised)
                return STATUS_OK;
@@ -145,25 +146,31 @@ pg_krb5_init(void)
                return STATUS_ERROR;
        }
 
-       if (pg_krb_server_hostname)
+       /*
+        * If no hostname was specified, pg_krb_server_hostname is already
+        * NULL. If it's set to blank, force it to NULL.
+        */
+       khostname = pg_krb_server_hostname;
+       if (khostname && khostname[0] == '\0')
+               khostname = NULL;
+
+       retval = krb5_sname_to_principal(pg_krb5_context,
+                                                                        khostname,
+                                                                        pg_krb_srvnam,
+                                                                        KRB5_NT_SRV_HST,
+                                                                        &pg_krb5_server);
+       if (retval)
        {
-               retval = krb5_sname_to_principal(pg_krb5_context, 
-                                       pg_krb_server_hostname, pg_krb_srvnam,
-                                       KRB5_NT_SRV_HST, &pg_krb5_server);
-               if (retval)
-               {
-                       ereport(LOG,
-                       (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-                                       pg_krb_srvnam, retval)));
-                       com_err("postgres", retval,
-                                       "while getting server principal for service \"%s\"",
-                                       pg_krb_srvnam);
-                       krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-                       krb5_free_context(pg_krb5_context);
-                       return STATUS_ERROR;
-               }
-       } else
-               pg_krb5_server = NULL;
+               ereport(LOG,
+                               (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+                                               pg_krb_srvnam, retval)));
+               com_err("postgres", retval,
+                               "while getting server principal for service \"%s\"",
+                               pg_krb_srvnam);
+               krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+               krb5_free_context(pg_krb5_context);
+               return STATUS_ERROR;
+       }
 
        pg_krb5_initialised = 1;
        return STATUS_OK;
@@ -194,7 +201,7 @@ pg_krb5_recvauth(Port *port)
                return ret;
 
        retval = krb5_recvauth(pg_krb5_context, &auth_context,
-                                                  (krb5_pointer) & port->sock, "postgres",
+                                                  (krb5_pointer) & port->sock, pg_krb_srvnam,
                                                   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
        if (retval)
        {

diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e004039013c341fed5a271d3966c347e94a354c9..af042740ad84248eebb0350e8fd3db5505b42701 100644 (file)
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -70,7 +70,7 @@
 # Kerberos
 #krb_server_keyfile = ''
 #krb_srvname = 'postgres'
-#krb_server_hostname = '(any)'         # if not set, matches any keytab entry
+#krb_server_hostname = ''              # empty string matches any keytab entry
 #krb_caseins_users = off
 
 # - TCP Keepalives -

diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index c79e38a9363d7fb7f3713e2d4d55b305e3bba57d..4075aad61451425f1952edb386ba405da56571fe 100644 (file)
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
  * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.103 2005/06/30 01:59:20 neilc Exp $
+ *       $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.104 2005/10/08 19:32:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -280,7 +280,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *s
        }
 
        retval = krb5_sendauth(pg_krb5_context, &auth_context,
-                                                  (krb5_pointer) & sock, "postgres",
+                                                  (krb5_pointer) & sock, (char *) servicename,
                                                   pg_krb5_client, server,
                                                   AP_OPTS_MUTUAL_REQUIRED,
                                                   NULL, 0,             /* no creds, use ccache instead */