From 12eaac7775c0e4f2a0402175bb8ac541ccce52ff Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Mon, 8 Mar 2010 09:57:35 +0000
Subject: [PATCH] Disallow gssapi authentication on local connections, since it requires a hostname to function. Noted by Zdenek Kotala
---
 src/backend/libpq/hba.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 13fece4af46..faafdf7b61b 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.188.2.3 2010/03/06 00:45:55 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.188.2.4 2010/03/08 09:57:35 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -922,6 +922,22 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 return false;
 }
 
+ if (parsedline->conntype == ctLocal &&
+ parsedline->auth_method == uaGSS)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("gssapi authentication is not supported on local sockets"),
+ errcontext("line %d of configuration file \"%s\"",
+ line_num, HbaFileName)));
+ return false;
+ }
+ /*
+ * SSPI authentication can never be enabled on ctLocal connections, because
+ * it's only supported on Windows, where ctLocal isn't supported.
+ */
+
+
 if (parsedline->conntype != ctHostSSL &&
 parsedline->auth_method == uaCert)
 {
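Review bot: The SSPI case in the second hunk is covered only by a comment, so nothing rejects a `local` line with SSPI if the assumption that ctLocal is unavailable on Windows ever stops holding. An explicit test would fail closed at parse time the way the new GSS check does, for example by widening the condition to `parsedline->auth_method == uaGSS || parsedline->auth_method == uaSSPI` and having the message name the method. The comment also sits directly under the closing brace and is followed by two blank lines, so it reads as a header for the cert check below; one blank line before it and one after would attach it to the right block. parse_hba_line starts and ends outside this hunk, so whether an earlier check already covers this cannot be seen here.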