diff options
| author | Stephen Frost <sfrost@snowman.net> | 2023-04-08 07:21:35 -0400 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2023-04-08 07:21:35 -0400 |
| commit | 3d03b24c350ab060bb223623bdff38835bd7afd0 (patch) | |
| tree | 26137687e4b234c47de0140295baaed9928cc968 /src/interfaces/libpq/fe-secure-gssapi.c | |
| parent | db4f21e4a34b1d5a3f7123e28e77f575d1a971ea (diff) | |
| download | postgresql-3d03b24c350ab060bb223623bdff38835bd7afd0.tar.gz postgresql-3d03b24c350ab060bb223623bdff38835bd7afd0.zip | |
Revert "Add support for Kerberos credential delegation"
This reverts commit 3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454.
Per discussion and buildfarm, this depends on APIs that seem to not
be available on at least one platform (NetBSD). Should be certainly
possible to rework to be optional on that platform if necessary but bit
late for that at this point.
Discussion: https://postgr.es/m/3286097.1680922218@sss.pgh.pa.us
Diffstat (limited to 'src/interfaces/libpq/fe-secure-gssapi.c')
| -rw-r--r-- | src/interfaces/libpq/fe-secure-gssapi.c | 23 |
1 files changed, 2 insertions, 21 deletions
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c index bf87ae3fd1a..038e847b7e9 100644 --- a/src/interfaces/libpq/fe-secure-gssapi.c +++ b/src/interfaces/libpq/fe-secure-gssapi.c @@ -477,8 +477,7 @@ pqsecure_open_gss(PGconn *conn) { ssize_t ret; OM_uint32 major, - minor, - gss_flags = GSS_REQUIRED_FLAGS; + minor; uint32 netlen; PostgresPollingStatusType result; gss_buffer_desc input = GSS_C_EMPTY_BUFFER, @@ -622,30 +621,13 @@ pqsecure_open_gss(PGconn *conn) if (ret != STATUS_OK) return PGRES_POLLING_FAILED; - if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0) - { - /* Acquire credentials if possbile */ - if (conn->gcred == GSS_C_NO_CREDENTIAL) - (void) pg_GSS_have_cred_cache(&conn->gcred); - - /* - * We have credentials and gssdeleg is enabled, so request credential - * delegation. This may or may not actually result in credentials - * being delegated- it depends on if the forwardable flag has been set - * in the credential and if the server is configured to accept - * delegated credentials. - */ - if (conn->gcred != GSS_C_NO_CREDENTIAL) - gss_flags |= GSS_C_DELEG_FLAG; - } - /* * Call GSS init context, either with an empty input, or with a complete * packet from the server. */ major = gss_init_sec_context(&minor, conn->gcred, &conn->gctx, conn->gtarg_nam, GSS_C_NO_OID, - gss_flags, 0, 0, &input, NULL, + GSS_REQUIRED_FLAGS, 0, 0, &input, NULL, &output, NULL, NULL); /* GSS Init Sec Context uses the whole packet, so clear it */ @@ -665,7 +647,6 @@ pqsecure_open_gss(PGconn *conn) * to do GSS wrapping/unwrapping. */ conn->gssenc = true; - conn->gssapi_used = true; /* Clean up */ gss_release_cred(&minor, &conn->gcred); |