authorMagnus Hagander2014-03-16 14:18:52 +0000
committerMagnus Hagander2014-03-16 14:22:45 +0000
commit0294023a6b1c5df7683707a77238ab634d4ea8c1 (patch)
treefc0f99b36e9577c1ba7aa873246d46b4a58a1b47
parente3c9f23250fc445568b2aefab8bcdc25371cff5b (diff)
Cleanups from the remove-native-krb5 patch
krb_srvname is actually not available anymore as a parameter server-side, since with gssapi we accept all principals in our keytab. It's still used in libpq for client side specification. In passing remove declaration of krb_server_hostname, where all the functionality was already removed. Noted by Stephen Frost, though this uses a different solution than the one he suggested.
-rw-r--r--doc/src/sgml/client-auth.sgml15
-rw-r--r--doc/src/sgml/config.sgml14
-rw-r--r--src/backend/libpq/auth.c1
-rw-r--r--src/backend/utils/misc/guc.c13
-rw-r--r--src/backend/utils/misc/postgresql.conf.sample3
-rw-r--r--src/include/libpq/auth.h2
-rw-r--r--src/include/libpq/hba.h1
7 files changed, 9 insertions, 40 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 9b26d01061..bf71ea6b88 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -923,17 +923,15 @@ omicron bryanh guest1
<productname>Kerberos</productname>, it uses a standard principal
in the format
<literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
- <replaceable>servicename</> can be set on the server side using the
- <xref linkend="guc-krb-srvname"> configuration parameter, and on the
- client side using the <literal>krbsrvname</> connection parameter. (See
+ The PostgreSQL server will accept any principal that is included in the keytab used by
+ the server, but care needs to be taken to specify the correct principal details when
+ making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
also <xref linkend="libpq-paramkeywords">.) The installation default can be
changed from the default <literal>postgres</literal> at build time using
<literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
In most environments,
- this parameter never needs to be changed. However, it is necessary
- when supporting multiple <productname>PostgreSQL</> installations
- on the same host.
- Some Kerberos implementations might also require a different service name,
+ this parameter never needs to be changed.
+ Some Kerberos implementations might require a different service name,
such as Microsoft Active Directory which requires the service name
to be in upper case (<literal>POSTGRES</literal>).
</para>
@@ -964,6 +962,9 @@ omicron bryanh guest1
parameter. The default is
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
directory was specified as <varname>sysconfdir</> at build time).
+ For security reasons, it is recommended to use a separate keytab
+ just for the <productname>PostgreSQL</productname> server rather
+ than opening up permissions on the system keytab file.
</para>
<para>
The keytab file is generated by the Kerberos software; see the
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 2811f1148c..4eff91ebdc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1033,20 +1033,6 @@ include 'filename'
</listitem>
</varlistentry>
- <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
- <term><varname>krb_srvname</varname> (<type>string</type>)</term>
- <indexterm>
- <primary><varname>krb_srvname</> configuration parameter</primary>
- </indexterm>
- <listitem>
- <para>
- Sets the Kerberos service name. See <xref linkend="gssapi-auth">
- for details. This parameter can only be set in the
- <filename>postgresql.conf</> file or on the server command line.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
<indexterm>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index f03aa7edc2..2a46f7b913 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -129,7 +129,6 @@ static int CheckCertAuth(Port *port);
*----------------------------------------------------------------
*/
char *pg_krb_server_keyfile;
-char *pg_krb_srvnam;
bool pg_krb_caseins_users;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index c76edb48a9..7d7d1dc263 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -85,9 +85,6 @@
#ifndef PG_KRB_SRVTAB
#define PG_KRB_SRVTAB ""
#endif
-#ifndef PG_KRB_SRVNAM
-#define PG_KRB_SRVNAM ""
-#endif
#define CONFIG_FILENAME "postgresql.conf"
#define HBA_FILENAME "pg_hba.conf"
@@ -2803,16 +2800,6 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
- gettext_noop("Sets the name of the Kerberos service."),
- NULL
- },
- &pg_krb_srvnam,
- PG_KRB_SRVNAM,
- NULL, NULL, NULL
- },
-
- {
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour service name."),
NULL
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 3629a52c9f..70e5a5111e 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -91,9 +91,8 @@
#password_encryption = on
#db_user_namespace = off
-# Kerberos and GSSAPI
+# GSSAPI using Kerberos
#krb_server_keyfile = ''
-#krb_srvname = 'postgres' # (Kerberos only)
#krb_caseins_users = off
# - TCP Keepalives -
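Review bot: Dropping `#krb_srvname` from the sample leaves operators with no hint that the setting is gone entirely rather than merely unset, and since the guc.c hunk in this commit removes the GUC outright, an existing postgresql.conf that still carries `krb_srvname = 'postgres'` will presumably be rejected as an unrecognized parameter at the next server start. A one-line pointer under the new `# GSSAPI using Kerberos` header would soften that upgrade surprise: `# krb_srvname is no longer a server setting; the service name is chosen by the client via the krbsrvname connection parameter`. The same removal is worth calling out in release notes, because the failure only surfaces on restart rather than when the package is upgraded.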
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 5ae8114e8b..ace647a7ff 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -17,9 +17,7 @@
#include "libpq/libpq-be.h"
extern char *pg_krb_server_keyfile;
-extern char *pg_krb_srvnam;
extern bool pg_krb_caseins_users;
-extern char *pg_krb_server_hostname;
extern char *pg_krb_realm;
extern void ClientAuthentication(Port *port);
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 5a103aed19..68a953aa62 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -75,7 +75,6 @@ typedef struct HbaLine
char *ldapprefix;
char *ldapsuffix;
bool clientcert;
- char *krb_server_hostname;
char *krb_realm;
bool include_realm;
char *radiusserver;