diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2020-12-30 11:38:42 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2020-12-30 11:38:42 -0500 |
| commit | 861e967176e99da9122bb19bc2312c2ecdf6673c (patch) | |
| tree | 8290faaa98facb2fe87cfd4dad916bb19ac62a2d /doc/src | |
| parent | 239213684d01a64f82dfa6263cccc8bf68aeddd3 (diff) | |
| download | postgresql-861e967176e99da9122bb19bc2312c2ecdf6673c.tar.gz postgresql-861e967176e99da9122bb19bc2312c2ecdf6673c.zip | |
Fix up usage of krb_server_keyfile GUC parameter.
secure_open_gssapi() installed the krb_server_keyfile setting as
KRB5_KTNAME unconditionally, so long as it's not empty. However,
pg_GSS_recvauth() only installed it if KRB5_KTNAME wasn't set already,
leading to a troubling inconsistency: in theory, clients could see
different sets of server principal names depending on whether they
use GSSAPI encryption. Always using krb_server_keyfile seems like
the right thing, so make both places do that. Also fix up
secure_open_gssapi()'s lack of a check for setenv() failure ---
it's unlikely, surely, but security-critical actions are no place
to be sloppy.
Also improve the associated documentation.
This patch does nothing about secure_open_gssapi()'s use of setenv(),
and indeed causes pg_GSS_recvauth() to use it too. That's nominally
against project portability rules, but since this code is only built
with --with-gssapi, I do not feel a need to do something about this
in the back branches. A fix will be forthcoming for HEAD though.
Back-patch to v12 where GSSAPI encryption was introduced. The
dubious behavior in pg_GSS_recvauth() goes back further, but it
didn't have anything to be inconsistent with, so let it be.
Discussion: https://postgr.es/m/2187460.1609263156@sss.pgh.pa.us
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/client-auth.sgml | 6 | ||||
| -rw-r--r-- | doc/src/sgml/config.sgml | 12 |
2 files changed, 10 insertions, 8 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 92f474e8e6b..ccd748d264a 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1262,11 +1262,7 @@ omicron bryanh guest1 <para> The location of the server's keytab file is specified by the <xref - linkend="guc-krb-server-keyfile"/> configuration - parameter. The default is - <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> - (where the directory part is whatever was specified - as <varname>sysconfdir</varname> at build time). + linkend="guc-krb-server-keyfile"/> configuration parameter. For security reasons, it is recommended to use a separate keytab just for the <productname>PostgreSQL</productname> server rather than allowing the server to read the system keytab file. diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 8d72951dd09..97610de287d 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1035,10 +1035,16 @@ include_dir 'conf.d' </term> <listitem> <para> - Sets the location of the Kerberos server key file. See - <xref linkend="gssapi-auth"/> - for details. This parameter can only be set in the + Sets the location of the server's Kerberos key file. The default is + <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> + (where the directory part is whatever was specified + as <varname>sysconfdir</varname> at build time; use + <literal>pg_config --sysconfdir</literal> to determine that). + If this parameter is set to an empty string, it is ignored and a + system-dependent default is used. + This parameter can only be set in the <filename>postgresql.conf</filename> file or on the server command line. + See <xref linkend="gssapi-auth"/> for more information. </para> </listitem> </varlistentry> |