
Commit 0294023

Cleanups from the remove-native-krb5 patch
krb_srvname is actually not available anymore as a parameter server-side, since with gssapi we accept all principals in our keytab. It's still used in libpq for client side specification. In passing remove declaration of krb_server_hostname, where all the functionality was already removed. Noted by Stephen Frost, though a different solution than his suggestion
1 parent e3c9f23 commit 0294023

7 files changed

+9
-40
lines changed


doc/src/sgml/client-auth.sgml

+8-7
Original file line numberDiff line numberDiff line change
@@ -923,17 +923,15 @@ omicron bryanh guest1
923923
<productname>Kerberos</productname>, it uses a standard principal
924924
in the format
925925
<literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
926-
<replaceable>servicename</> can be set on the server side using the
927-
<xref linkend="guc-krb-srvname"> configuration parameter, and on the
928-
client side using the <literal>krbsrvname</> connection parameter. (See
926+
The PostgreSQL server will accept any principal that is included in the keytab used by
927+
the server, but care needs to be taken to specify the correct principal details when
928+
making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
929929
also <xref linkend="libpq-paramkeywords">.) The installation default can be
930930
changed from the default <literal>postgres</literal> at build time using
931931
<literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
932932
In most environments,
933-
this parameter never needs to be changed. However, it is necessary
934-
when supporting multiple <productname>PostgreSQL</> installations
935-
on the same host.
936-
Some Kerberos implementations might also require a different service name,
933+
this parameter never needs to be changed.
934+
Some Kerberos implementations might require a different service name,
937935
such as Microsoft Active Directory which requires the service name
938936
to be in upper case (<literal>POSTGRES</literal>).
939937
</para>
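Review bot: "this parameter" at lines 932-933 loses its antecedent once the sentence introducing <xref linkend="guc-krb-srvname"> is replaced at 926-928; after the change the only parameters in scope are the client-side <literal>krbsrvname</> and the build-time <literal>--with-krb-srvnam</> default, so the sentence should name which one "never needs to be changed". The dropped sentence about "multiple <productname>PostgreSQL</> installations on the same host" also deserves a replacement: under the new keytab-based acceptance that case is handled by placing each instance's principal in its own keytab, which is worth stating so readers do not look for a server setting that no longer exists.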
@@ -964,6 +962,9 @@ omicron bryanh guest1
964962
parameter. The default is
965963
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
966964
directory was specified as <varname>sysconfdir</> at build time).
965+
For security reasons, it is recommended to use a separate keytab
966+
just for the <productname>PostgreSQL</productname> server rather
967+
than opening up permissions on the system keytab file.
967968
</para>
968969
<para>
969970
The keytab file is generated by the Kerberos software; see the
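Review bot: the added recommendation at 965-967 should say what "separate keytab" buys the reader: the file should contain only the service principals the server is meant to accept and be readable only by the account the server runs as, since any principal in that keytab is now accepted (per the 926-927 change above). Without the second half of that advice, a separate file with the same broad permissions as the system keytab gains nothing.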

doc/src/sgml/config.sgml

-14
Original file line numberDiff line numberDiff line change
@@ -1033,20 +1033,6 @@ include 'filename'
10331033
</listitem>
10341034
</varlistentry>
10351035

1036-
<varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
1037-
<term><varname>krb_srvname</varname> (<type>string</type>)</term>
1038-
<indexterm>
1039-
<primary><varname>krb_srvname</> configuration parameter</primary>
1040-
</indexterm>
1041-
<listitem>
1042-
<para>
1043-
Sets the Kerberos service name. See <xref linkend="gssapi-auth">
1044-
for details. This parameter can only be set in the
1045-
<filename>postgresql.conf</> file or on the server command line.
1046-
</para>
1047-
</listitem>
1048-
</varlistentry>
1049-
10501036
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
10511037
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
10521038
<indexterm>
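Review bot: removing the <varlistentry id="guc-krb-srvname"> entry at 1036-1049 leaves any remaining <xref linkend="guc-krb-srvname"> in the SGML sources as a build-breaking dangling reference; the client-auth.sgml hunk in this commit removes one such xref, but the rest of doc/src/sgml (release notes, libpq docs) should be grepped for the linkend and for the removed <indexterm> before this is committed.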

src/backend/libpq/auth.c

-1
Original file line numberDiff line numberDiff line change
@@ -129,7 +129,6 @@ static int CheckCertAuth(Port *port);
129129
*----------------------------------------------------------------
130130
*/
131131
char *pg_krb_server_keyfile;
132-
char *pg_krb_srvnam;
133132
bool pg_krb_caseins_users;
134133

135134

src/backend/utils/misc/guc.c

-13
Original file line numberDiff line numberDiff line change
@@ -85,9 +85,6 @@
8585
#ifndef PG_KRB_SRVTAB
8686
#define PG_KRB_SRVTAB ""
8787
#endif
88-
#ifndef PG_KRB_SRVNAM
89-
#define PG_KRB_SRVNAM ""
90-
#endif
9188

9289
#define CONFIG_FILENAME "postgresql.conf"
9390
#define HBA_FILENAME "pg_hba.conf"
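Review bot: removing the <code>#ifndef PG_KRB_SRVNAM</code> fallback at 88-90 is fine for guc.c once the GUC entry is gone, but the docs hunk in this commit still documents <literal>./configure --with-krb-srvnam=</literal>, so <code>PG_KRB_SRVNAM</code> is still expected to be produced by configure for the libpq client default; a comment here or in the commit message noting that the macro survives for libpq would prevent a later "unused macro" cleanup from breaking the client.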
@@ -2802,16 +2799,6 @@ static struct config_string ConfigureNamesString[] =
28022799
NULL, NULL, NULL
28032800
},
28042801

2805-
{
2806-
{"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
2807-
gettext_noop("Sets the name of the Kerberos service."),
2808-
NULL
2809-
},
2810-
&pg_krb_srvnam,
2811-
PG_KRB_SRVNAM,
2812-
NULL, NULL, NULL
2813-
},
2814-
28152802
{
28162803
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
28172804
gettext_noop("Sets the Bonjour service name."),
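Review bot: deleting the <code>krb_srvname</code> entry at 2805-2814 without a compatibility placeholder means any existing postgresql.conf that still sets <code>krb_srvname</code> will stop the server from starting with an unrecognized-parameter error after upgrade; that is an acceptable outcome for a removed feature, but it should be called out in the release notes, and the <code>CONN_AUTH_SECURITY</code> group should be checked for other entries that referenced the removed variable.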

src/backend/utils/misc/postgresql.conf.sample

+1-2
Original file line numberDiff line numberDiff line change
@@ -91,9 +91,8 @@
9191
#password_encryption = on
9292
#db_user_namespace = off
9393

94-
# Kerberos and GSSAPI
94+
# GSSAPI using Kerberos
9595
#krb_server_keyfile = ''
96-
#krb_srvname = 'postgres' # (Kerberos only)
9796
#krb_caseins_users = off
9897

9998
# - TCP Keepalives -
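Review bot: the heading change at 94 ("# GSSAPI using Kerberos") should match the wording used for the corresponding section in client-auth.sgml and config.sgml so that users searching the sample file and the docs find the same label; the removal of the <code>krb_srvname</code> line at 96 is consistent with the guc.c hunk.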

src/include/libpq/auth.h

-2
Original file line numberDiff line numberDiff line change
@@ -17,9 +17,7 @@
1717
#include "libpq/libpq-be.h"
1818

1919
extern char *pg_krb_server_keyfile;
20-
extern char *pg_krb_srvnam;
2120
extern bool pg_krb_caseins_users;
22-
extern char *pg_krb_server_hostname;
2321
extern char *pg_krb_realm;
2422

2523
extern void ClientAuthentication(Port *port);
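Review bot: the extern for <code>pg_krb_server_hostname</code> removed at 22 has no matching definition removed in the auth.c hunk of this commit, which is consistent with the commit message's claim that the definition was already gone, but that should be confirmed with a grep, since a leftover definition without a declaration would silently become an unused global rather than a compile error.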

src/include/libpq/hba.h

-1
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,6 @@ typedef struct HbaLine
7575
char *ldapprefix;
7676
char *ldapsuffix;
7777
bool clientcert;
78-
char *krb_server_hostname;
7978
char *krb_realm;
8079
bool include_realm;
8180
char *radiusserver;
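Review bot: removing the <code>krb_server_hostname</code> field from <code>HbaLine</code> at 78 must be paired with removing the parser case in hba.c that populates it from a pg_hba.conf option of that name and any <code>free()</code> of it in the HbaLine cleanup code; neither file appears in this commit, so either that was done in the earlier remove-native-krb5 patch or the build will fail on the missing member.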
