Add GUC krb_server_hostname so the server hostname can be specified as

part of service principal. If not set, any service principal matching an entry in the keytab can be used. NEW KERBEROS MATCHING BEHAVIOR FOR 8.1. Todd Kover
2025-09-02 04:21:28 +03:00 · 2005-06-14 17:43:14 +00:00
parent dac94e3495
commit 954f6bcffe
5 changed files with 66 additions and 31 deletions
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -43,6 +43,7 @@ static int	recv_and_check_password_packet(Port *port);
 char	   *pg_krb_server_keyfile;
 char       *pg_krb_srvnam;
 bool		pg_krb_caseins_users;
+char	   *pg_krb_server_hostname = NULL;

 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -221,20 +222,25 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}

-	retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
-									 KRB5_NT_SRV_HST, &pg_krb5_server);
-	if (retval)
+	if (pg_krb_server_hostname)
 	{
-		ereport(LOG,
-		 (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-				 pg_krb_srvnam, retval)));
-		com_err("postgres", retval,
-				"while getting server principal for service \"%s\"",
-				pg_krb_srvnam);
-		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-		krb5_free_context(pg_krb5_context);
-		return STATUS_ERROR;
-	}
+		retval = krb5_sname_to_principal(pg_krb5_context, 
+					pg_krb_server_hostname, pg_krb_srvnam,
+			 		KRB5_NT_SRV_HST, &pg_krb5_server);
+	 	if (retval)
+		{
+			ereport(LOG,
+		 	(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+				 	pg_krb_srvnam, retval)));
+			com_err("postgres", retval,
+					"while getting server principal for service \"%s\"",
+					pg_krb_srvnam);
+			krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+			krb5_free_context(pg_krb5_context);
+			return STATUS_ERROR;
+		}
+	} else
+		pg_krb5_server = NULL;

 	pg_krb5_initialised = 1;
 	return STATUS_OK;
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
 * Written by Peter Eisentraut <peter_e@gmx.net>.
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.265 2005/06/14 17:43:13 momjian Exp $
 *
 *--------------------------------------------------------------------
 */
@@ -1593,6 +1593,15 @@ static struct config_string ConfigureNamesString[] =
 		PG_KRB_SRVNAM, NULL, NULL
 	},

+	{
+		{"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets the hostname of the Kerberos server."),
+			NULL
+		},
+		&pg_krb_server_hostname,
+		NULL, NULL, NULL
+	},
+
 	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour broadcast service name."),
--- a/src/bin/psql/tab-complete.c
+++ b/src/bin/psql/tab-complete.c
@@ -3,7 +3,7 @@
 *
 * Copyright (c) 2000-2005, PostgreSQL Global Development Group
 *
- * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.130 2005/05/25 22:12:05 momjian Exp $
+ * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.131 2005/06/14 17:43:14 momjian Exp $
 */

 /*----------------------------------------------------------------------
@@ -559,7 +559,6 @@ psql_completion(char *text, int start, int end)
 		"geqo_selection_bias",
 		"geqo_threshold",
 		"join_collapse_limit",
-		"krb_server_keyfile",
 		"lc_messages",
 		"lc_monetary",
 		"lc_numeric",
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, Regents of the University of California
 *
- * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.27 2005/06/04 20:42:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.28 2005/06/14 17:43:14 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -29,5 +29,6 @@ extern void ClientAuthentication(Port *port);
 extern char *pg_krb_server_keyfile;
 extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
+extern char *pg_krb_server_hostname;

 #endif   /* AUTH_H */