Re: Problem with ssl and psql in Postgresql 13
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Gustavsson Mikael <mikael.gustavsson@smhi.se>, Magnus Hagander <magnus@hagander.net>, Kyotaro Horiguchi <horikyota.ntt@gmail.com>, "pgsql-general@postgresql.org" <pgsql-general@postgresql.org>, Svensson Peter <peter.svensson@smhi.se>
Date: 2020-12-30T15:00:40Z
Lists: pgsql-general
Greetings, First, thanks a lot for working on all of this and improving things! * Tom Lane (tgl@sss.pgh.pa.us) wrote: > I've got one last complaint about the backend GSS code: we are doing > things randomly differently in the two places that install > krb_server_keyfile as the active KRB5_KTNAME value. secure_open_gssapi() > sets KRB5_KTNAME unconditionally (and doesn't bother to check for error, > either, not a good thing in a security-critical operation). But the older > code in pg_GSS_recvauth() is written to not override KRB5_KTNAME if it's > already set. This of-course-totally-undocumented behavior seems like a > fairly bad idea to me: as things stand, the client-side choice of whether > to initiate GSS encryption or not could result in two different server > keytabs being used. I agree that we should be consistent and that always setting the environment variable if krb_server_keyfile has been set is the right approach. > I think we'd be best off to always override KRB5_KTNAME if we have a > nonempty krb_server_keyfile setting, so the attached proposed patch > makes both functions do it the same way. (I did not make an effort > to remove the dependency on setenv, given the nearby thread to > standardize on that.) +1. > I'm not sure whether there's any documentation change that needs to > be made. The docs don't suggest that you're allowed to set > krb_server_keyfile to an empty string in the first place, so maybe > we needn't explain what happens if you do. Perhaps saying something about 'system default' or 'taken from the environment' might make sense. That said, the system default almost always ends up not being usable since it'll be owned by root and we won't run as root. Perhaps there are some who prefer to set it via the environment variable, though I don't think I've ever seen that myself. I didn't look too closely at the patch itself but on a once-over it seemed fine to me. Thanks, Stephen
Commits
-
Fix up usage of krb_server_keyfile GUC parameter.
- 861e967176e9 13.2 landed
- 860fe27ee1e2 14.0 landed
- 3ca19490b4f8 12.6 landed
-
Improve log messages related to pg_hba.conf not matching a connection.
- d05e14d786ac 13.2 landed
- 7ed616f818f0 12.6 landed
- 3995c424984e 14.0 landed
-
Fix assorted issues in backend's GSSAPI encryption support.
- c1c88bf03e1e 13.2 landed
- 622ae4621ece 14.0 landed
- 4cfdd8a47a9e 12.6 landed
-
Fix bugs in libpq's GSSAPI encryption support.
- ff6ce9a3a691 14.0 landed
- b3a5bf719cf7 12.6 landed
- 06b844c2b8d3 13.2 landed