From 0294023a6b1c5df7683707a77238ab634d4ea8c1 Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Sun, 16 Mar 2014 15:18:52 +0100
Subject: [PATCH] Cleanups from the remove-native-krb5 patch

krb_srvname is actually not available anymore as a parameter server-side, since
with gssapi we accept all principals in our keytab. It's still used in libpq for
client side specification.

In passing remove declaration of krb_server_hostname, where all the functionality
was already removed.

Noted by Stephen Frost, though this uses a different solution than the one he suggested
---
 doc/src/sgml/client-auth.sgml                 | 15 ++++++++-------
 doc/src/sgml/config.sgml                      | 14 --------------
 src/backend/libpq/auth.c                      |  1 -
 src/backend/utils/misc/guc.c                  | 13 -------------
 src/backend/utils/misc/postgresql.conf.sample |  3 +--
 src/include/libpq/auth.h                      |  2 --
 src/include/libpq/hba.h                       |  1 -
 7 files changed, 9 insertions(+), 40 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 9b26d010616..bf71ea6b882 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -923,17 +923,15 @@ omicron         bryanh                  guest1
     <productname>Kerberos</productname>, it uses a standard principal
     in the format
     <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
-    <replaceable>servicename</> can be set on the server side using the
-    <xref linkend="guc-krb-srvname"> configuration parameter, and on the
-    client side using the <literal>krbsrvname</> connection parameter. (See
+    The PostgreSQL server will accept any principal that is included in the keytab used by
+    the server, but care needs to be taken to specify the correct principal details when
+    making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
     also <xref linkend="libpq-paramkeywords">.) The installation default can be
     changed from the default <literal>postgres</literal> at build time using
     <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
     In most environments,
-    this parameter never needs to be changed. However, it is necessary
-    when supporting multiple <productname>PostgreSQL</> installations
-    on the same host.
-    Some Kerberos implementations might also require a different service name,
+    this parameter never needs to be changed.
+    Some Kerberos implementations might require a different service name,
     such as Microsoft Active Directory which requires the service name
     to be in upper case (<literal>POSTGRES</literal>).
    </para>
@@ -964,6 +962,9 @@ omicron         bryanh                  guest1
     parameter. The default is
     <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
     directory was specified as <varname>sysconfdir</> at build time).
+    For security reasons, it is recommended to use a separate keytab
+    just for the <productname>PostgreSQL</productname> server rather
+    than opening up permissions on the system keytab file.
    </para>
    <para>
     The keytab file is generated by the Kerberos software; see the
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 2811f1148ca..4eff91ebdcd 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1033,20 +1033,6 @@ include 'filename'
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
-      <term><varname>krb_srvname</varname> (<type>string</type>)</term>
-      <indexterm>
-       <primary><varname>krb_srvname</> configuration parameter</primary>
-      </indexterm>
-      <listitem>
-       <para>
-        Sets the Kerberos service name. See <xref linkend="gssapi-auth">
-        for details. This parameter can only be set in the
-        <filename>postgresql.conf</> file or on the server command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
       <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
       <indexterm>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index f03aa7edc22..2a46f7b9130 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -129,7 +129,6 @@ static int	CheckCertAuth(Port *port);
  *----------------------------------------------------------------
  */
 char	   *pg_krb_server_keyfile;
-char	   *pg_krb_srvnam;
 bool		pg_krb_caseins_users;
 
 
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index c76edb48a9b..7d7d1dc263f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -85,9 +85,6 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
-#ifndef PG_KRB_SRVNAM
-#define PG_KRB_SRVNAM ""
-#endif
 
 #define CONFIG_FILENAME "postgresql.conf"
 #define HBA_FILENAME	"pg_hba.conf"
@@ -2802,16 +2799,6 @@ static struct config_string ConfigureNamesString[] =
 		NULL, NULL, NULL
 	},
 
-	{
-		{"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
-			gettext_noop("Sets the name of the Kerberos service."),
-			NULL
-		},
-		&pg_krb_srvnam,
-		PG_KRB_SRVNAM,
-		NULL, NULL, NULL
-	},
-
 	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour service name."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 3629a52c9fe..70e5a5111ec 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -91,9 +91,8 @@
 #password_encryption = on
 #db_user_namespace = off
 
-# Kerberos and GSSAPI
+# GSSAPI using Kerberos
 #krb_server_keyfile = ''
-#krb_srvname = 'postgres'		# (Kerberos only)
 #krb_caseins_users = off
 
 # - TCP Keepalives -
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 5ae8114e8b9..ace647a7ff1 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -17,9 +17,7 @@
 #include "libpq/libpq-be.h"
 
 extern char *pg_krb_server_keyfile;
-extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
-extern char *pg_krb_server_hostname;
 extern char *pg_krb_realm;
 
 extern void ClientAuthentication(Port *port);
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 5a103aed195..68a953aa628 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -75,7 +75,6 @@ typedef struct HbaLine
 	char	   *ldapprefix;
 	char	   *ldapsuffix;
 	bool		clientcert;
-	char	   *krb_server_hostname;
 	char	   *krb_realm;
 	bool		include_realm;
 	char	   *radiusserver;
-- 
GitLab