0002-Explicitly-require-MIT-Kerberos-for-GSSAPI.patch
text/x-diff
Filename: 0002-Explicitly-require-MIT-Kerberos-for-GSSAPI.patch
Type: text/x-diff
Part: 1
Message:
Re: longfin missing gssapi_ext.h
Patch
Format: format-patch
Series: patch 0002
Subject: Explicitly require MIT Kerberos for GSSAPI
| File | + | − |
|---|---|---|
| configure | 27 | 0 |
| configure.ac | 2 | 0 |
| doc/src/sgml/client-auth.sgml | 1 | 1 |
| doc/src/sgml/installation.sgml | 11 | 10 |
| meson.build | 10 | 0 |
| src/backend/libpq/auth.c | 3 | 2 |
| src/backend/libpq/be-secure-gssapi.c | 3 | 2 |
From 6714687cde66334df8e194f22b299b8ab24d6801 Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfrost@snowman.net>
Date: Wed, 12 Apr 2023 09:35:53 -0400
Subject: [PATCH 2/2] Explicitly require MIT Kerberos for GSSAPI
WHen building with GSSAPI support, explicitly require MIT Kerberos and
check for gssapi_ext.h in configure.ac and meson.build. Also add
documentation explicitly stating that we now require MIT Kerberos when
building with GSSAPI support.
Reveiwed by: Johnathan Katz
Discussion: https://postgr.es/m/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1@postgresql.org
---
configure | 27 +++++++++++++++++++++++++++
configure.ac | 2 ++
doc/src/sgml/client-auth.sgml | 2 +-
doc/src/sgml/installation.sgml | 21 +++++++++++----------
meson.build | 10 ++++++++++
src/backend/libpq/auth.c | 5 +++--
src/backend/libpq/be-secure-gssapi.c | 5 +++--
7 files changed, 57 insertions(+), 15 deletions(-)
diff --git a/configure b/configure
index dbea7eaf5f..08bcf8f43a 100755
--- a/configure
+++ b/configure
@@ -14104,6 +14104,33 @@ done
fi
+done
+
+ for ac_header in gssapi/gssapi_ext.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+ for ac_header in gssapi_ext.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_ext_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+ as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5
+fi
+
+done
+
+fi
+
done
fi
diff --git a/configure.ac b/configure.ac
index dda34304db..c53a9c788e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1562,6 +1562,8 @@ fi
if test "$with_gssapi" = yes ; then
AC_CHECK_HEADERS(gssapi/gssapi.h, [],
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
+ AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [],
+ [AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])])
fi
PGAC_PATH_PROGS(OPENSSL, openssl)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index dbba289600..204d09df67 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1426,7 +1426,7 @@ omicron bryanh guest1
The keytab file is generated using the Kerberos software; see the
Kerberos documentation for details. The following example shows
doing this using the <application>kadmin</application> tool of
- MIT-compatible Kerberos 5 implementations:
+ MIT Kerberos:
<screen>
<prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
<prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index f451204854..3d839d665a 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -252,9 +252,9 @@ documentation. See standalone-profile.xsl for details.
<listitem>
<para>
- You need <application>Kerberos</application>, <productname>OpenLDAP</productname>,
- and/or <application>PAM</application>, if you want to support authentication
- using those services.
+ You need <application>MIT Kerberos</application> (for GSSAPI),
+ <productname>OpenLDAP</productname>, and/or <application>PAM</application>,
+ if you want to support authentication using those services.
</para>
</listitem>
@@ -1048,9 +1048,9 @@ build-postgresql:
<term><option>--with-gssapi</option></term>
<listitem>
<para>
- Build with support for GSSAPI authentication. On many systems, the
- GSSAPI system (usually a part of the Kerberos installation) is not
- installed in a location
+ Build with support for GSSAPI authentication. MIT Kerberos is required
+ to be installed for GSSAPI. On many systems, the GSSAPI system (a part
+ of the MIT Kerberos installation) is not installed in a location
that is searched by default (e.g., <filename>/usr/include</filename>,
<filename>/usr/lib</filename>), so you must use the options
<option>--with-includes</option> and <option>--with-libraries</option> in
@@ -2497,10 +2497,11 @@ ninja install
<term><option>-Dgssapi={ auto | enabled | disabled }</option></term>
<listitem>
<para>
- Build with support for GSSAPI authentication. On many systems, the
- GSSAPI system (usually a part of the Kerberos installation) is not
- installed in a location that is searched by default (e.g.,
- <filename>/usr/include</filename>, <filename>/usr/lib</filename>). In
+ Build with support for GSSAPI authentication. MIT Kerberos is required
+ to be installed for GSSAPI. On many systems, the GSSAPI system (a part
+ of the MIT Kerberos installation) is not installed in a location
+ that is searched by default (e.g., <filename>/usr/include</filename>,
+ <filename>/usr/lib</filename>). In
those cases, PostgreSQL will query <command>pkg-config</command> to
detect the required compiler and linker options. Defaults to auto.
<filename>meson configure</filename> will check for the required
diff --git a/meson.build b/meson.build
index b69aaddb1f..3405cc07ee 100644
--- a/meson.build
+++ b/meson.build
@@ -623,6 +623,16 @@ if not gssapiopt.disabled()
have_gssapi = false
endif
+ if not have_gssapi
+ elif cc.check_header('gssapi/gssapi_ext.h', dependencies: gssapi, required: false,
+ args: test_c_args, include_directories: postgres_inc)
+ cdata.set('HAVE_GSSAPI_GSSAPI_EXT_H', 1)
+ elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, required: gssapiopt)
+ cdata.set('HAVE_GSSAPI_EXT_H', 1)
+ else
+ have_gssapi = false
+ endif
+
if not have_gssapi
elif cc.has_function('gss_init_sec_context', dependencies: gssapi,
args: test_c_args, include_directories: postgres_inc)
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 00ec9da284..a1a826e37f 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -922,8 +922,9 @@ pg_GSS_recvauth(Port *port)
gss_cred_id_t delegated_creds;
/*
- * Use the configured keytab, if there is one. Unfortunately, Heimdal
- * doesn't support the cred store extensions, so use the env var.
+ * Use the configured keytab, if there is one. As we now require MIT
+ * Kerberos, we might consider using the credential store extensions in
+ * the future instead of the environment variable.
*/
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
{
diff --git a/src/backend/libpq/be-secure-gssapi.c b/src/backend/libpq/be-secure-gssapi.c
index 73f8ce8554..6212f225fd 100644
--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -526,8 +526,9 @@ secure_open_gssapi(Port *port)
PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
/*
- * Use the configured keytab, if there is one. Unfortunately, Heimdal
- * doesn't support the cred store extensions, so use the env var.
+ * Use the configured keytab, if there is one. As we now require MIT
+ * Kerberos, we might consider using the credential store extensions in the
+ * future instead of the environment variable.
*/
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
{
--
2.34.1