Add GUC krb_server_hostname so the server hostname can be specified as

part of service principal. If not set, any service principal matching an entry in the keytab can be used. NEW KERBEROS MATCHING BEHAVIOR FOR 8.1. Todd Kover

Add GUC krb_server_hostname so the server hostname can be specified as
part of service principal. If not set, any service principal matching an entry in the keytab can be used. NEW KERBEROS MATCHING BEHAVIOR FOR 8.1. Todd Kover
954f6bcf · Bruce Momjian · dac94e34 · 954f6bcf · 954f6bcf · 954f6bcf
Commit 954f6bcf authored Jun 14, 2005 by Bruce Momjian
5 changed files
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.325 2005/06/13 02:40:06 neilc Exp $
+$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.326 2005/06/14 17:43:12 momjian Exp $
 -->
 <chapter Id="runtime">
@@ -969,24 +969,44 @@ SET ENABLE_SEQSCAN TO OFF;
      <listitem>
       <para>
        Sets the Kerberos service name. See <xref linkend="kerberos-auth">
-        for details. This parameter can only be set at server start.
+        for details.  This parameter can only be set at server start.
       </para>
      </listitem>
     </varlistentry>
-	 <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
+     <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
-	  <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
+      <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
-	  <indexterm>
+      <indexterm>
-	   <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
+       <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
      </indexterm>
-	  <listitem>
+      <listitem>
-	   <para>
+       <para>
-	    Sets if Kerberos usernames should be treated case-insensitive.
+        Sets if Kerberos usernames should be treated case-insensitive.
-		The default is off (case sensitive). This parameter can only be
+        The default is off (case sensitive). This parameter can only be
-		set at server start.
+        set at server start.
       </para>
-	  </listitem>
+      </listitem>
-	 </varlistentry>
+     </varlistentry>
+     <varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
+      <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
+      <indexterm>
+       <primary><varname>krb_server_hostname</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Sets the hostname part of the service principal.
+        This, combined with <varname>krb_srvname</>, is used to generate
+        the complete service principal, i.e.
+        <varname>krb_server_hostname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
+       </para>
+       <para>
+        If not set, the default is to allow any service principal matching an entry
+        in the keytab.  See <xref linkend="kerberos-auth"> for details.
+        This parameter can only be set at server start.
+       </para>
+      </listitem>
+     </varlistentry>
     <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
      <term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>

--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -43,6 +43,7 @@ static int	recv_and_check_password_packet(Port *port);
 char	   *pg_krb_server_keyfile;
 char       *pg_krb_srvnam;
 bool		pg_krb_caseins_users;
+char	   *pg_krb_server_hostname = NULL;
 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -221,20 +222,25 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}
-	retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
+	if (pg_krb_server_hostname)
-									 KRB5_NT_SRV_HST, &pg_krb5_server);
-	if (retval)
 	{
-		ereport(LOG,
+		retval = krb5_sname_to_principal(pg_krb5_context, 
-		 (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+					pg_krb_server_hostname, pg_krb_srvnam,
-				 pg_krb_srvnam, retval)));
+			 		KRB5_NT_SRV_HST, &pg_krb5_server);
-		com_err("postgres", retval,
+	 	if (retval)
-				"while getting server principal for service \"%s\"",
+		{
-				pg_krb_srvnam);
+			ereport(LOG,
-		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+		 	(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-		krb5_free_context(pg_krb5_context);
+				 	pg_krb_srvnam, retval)));
-		return STATUS_ERROR;
+			com_err("postgres", retval,
-	}
+					"while getting server principal for service \"%s\"",
+					pg_krb_srvnam);
+			krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+			krb5_free_context(pg_krb5_context);
+			return STATUS_ERROR;
+		}
+	} else
+		pg_krb5_server = NULL;
 	pg_krb5_initialised = 1;
 	return STATUS_OK;

--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.265 2005/06/14 17:43:13 momjian Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -1593,6 +1593,15 @@ static struct config_string ConfigureNamesString[] =
 		PG_KRB_SRVNAM, NULL, NULL
 	},
+	{
+		{"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets the hostname of the Kerberos server."),
+			NULL
+		},
+		&pg_krb_server_hostname,
+		NULL, NULL, NULL
+	},
 	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour broadcast service name."),

--- a/src/bin/psql/tab-complete.c
+++ b/src/bin/psql/tab-complete.c
@@ -3,7 +3,7 @@
 *
 * Copyright (c) 2000-2005, PostgreSQL Global Development Group
 *
- * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.130 2005/05/25 22:12:05 momjian Exp $
+ * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.131 2005/06/14 17:43:14 momjian Exp $
 */
 /*----------------------------------------------------------------------
@@ -559,7 +559,6 @@ psql_completion(char *text, int start, int end)
 		"geqo_selection_bias",
 		"geqo_threshold",
 		"join_collapse_limit",
-		"krb_server_keyfile",
 		"lc_messages",
 		"lc_monetary",
 		"lc_numeric",

--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.27 2005/06/04 20:42:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.28 2005/06/14 17:43:14 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -29,5 +29,6 @@ extern void ClientAuthentication(Port *port);
 extern char *pg_krb_server_keyfile;
 extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
+extern char *pg_krb_server_hostname;
 #endif   /* AUTH_H */