* Magnus Hagander (mag...@hagander.net) wrote: > On Wed, Nov 26, 2014 at 8:01 PM, Stephen Frost <sfr...@snowman.net> wrote: > > As such, I'd like to propose changing the default to be > > 'include_realm=1'. > > Per our previous discussions, but to make sure it's also on record for > others, +1 for this suggestion.
Patch attached which does this for master.
> > This would be done for 9.5 and we would need to note it in the release
> > notes, of course.
>
> I suggest we also backpatch some documentation suggesting that people
> manually change the include_realm parameter (perhaps also with a note
> saying that the default will change in 9.5).
I'll work on a patch for back-branches if everyone is alright with this
patch against master. Given my recent track record for changing
wording around, it seems prudent to get agreement on this first.
Thanks,
Stephen
From fe4d7a01f5d31fac565a8de2485cd9d113a9cbb4 Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfr...@snowman.net>
Date: Fri, 5 Dec 2014 12:54:05 -0500
Subject: [PATCH] Change default for include_realm to zero
The default behavior for GSS and SSPI authentication methods has long
been to strip the realm off of the principal, however, this is not a
secure approach in multi-realm environments and the use-case for the
parameter at all has been superseded by the regex-based mapping support
available in pg_ident.conf.
Change the default for include_realm to be 'zero', meaning that we do
NOT remove the realm from the principal by default. Any installations
which depend on the existing behavior will need to update their
configurations (ideally by leaving include_realm on and adding a mapping
in pg_ident.conf). Note that the mapping capability exists in all
currently supported versions of PostgreSQL and so this change can be
done today. Barring that, existing users can update their
configurations today to explicitly set include_realm=0 to ensure that
the prior behavior is maintained when they upgrade.
This needs to be noted in the release notes.
Per discussion with Magnus and Peter.
---
doc/src/sgml/client-auth.sgml | 66 ++++++++++++++++++++++++++++---------------
src/backend/libpq/hba.c | 13 +++++++++
2 files changed, 57 insertions(+), 22 deletions(-)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 7704f73..69517dd 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -943,15 +943,24 @@ omicron bryanh guest1
</para>
<para>
- Client principals must have their <productname>PostgreSQL</> database user
- name as their first component, for example
- <literal>pgusername@realm</>. Alternatively, you can use a user name
- mapping to map from the first component of the principal name to the
- database user name. By default, the realm of the client is
- not checked by <productname>PostgreSQL</>. If you have cross-realm
- authentication enabled and need to verify the realm, use the
- <literal>krb_realm</> parameter, or enable <literal>include_realm</>
- and use user name mapping to check the realm.
+ Client principals can be mapped to different <productname>PostgreSQL</>
+ database user names with <filename>pg_ident.conf</>. For example,
+ <literal>pgusername@realm</> could be mapped to just <literal>pgusername</>.
+ Alternatively, you can use the full <literal>username@realm</> principal as
+ the role name in <productname>PostgreSQL</> without any mapping.
+ </para>
+
+ <para>
+ <productname>PostgreSQL</> also supports a parameter to strip the realm from
+ the principal. This method is supported for backwards compatibility and is
+ strongly discouraged as it is then impossible to distinguish different users
+ with the same username but coming from different realms. To enable this,
+ set <literal>include_realm</> to zero. For simple single-realm
+ installations, <literal>include_realm</> combined with the
+ <literal>krb_realm</> parameter (which checks that the realm provided
+ matches exactly what is in the krb_realm parameter) would be a secure but
+ less capable option compared to specifying an explicit mapping in
+ <filename>pg_ident.conf</>.
</para>
<para>
@@ -993,10 +1002,13 @@ omicron bryanh guest1
<term><literal>include_realm</literal></term>
<listitem>
<para>
- If set to 1, the realm name from the authenticated user
- principal is included in the system user name that's passed through
- user name mapping (<xref linkend="auth-username-maps">). This is
- useful for handling users from multiple realms.
+ If set to 0, the realm name from the authenticated user principal is
+ stripped off before being passed through the user name mapping
+ (<xref linkend="auth-username-maps">). This is discouraged and is
+ primairly available for backwards compatibility as it is not secure
+ in multi-realm environments unless krb_realm is also used. Users
+ are recommended to leave include_realm set to the default (1) and to
+ provide an explicit mapping in <filename>pg_ident.conf</>.
</para>
</listitem>
</varlistentry>
@@ -1008,10 +1020,11 @@ omicron bryanh guest1
Allows for mapping between system and database user names. See
<xref linkend="auth-username-maps"> for details. For a Kerberos
principal <literal>username/hostba...@example.com</literal>, the
- user name used for mapping is <literal>username/hostbased</literal>
- if <literal>include_realm</literal> is disabled, and
- <literal>username/hostba...@example.com</literal> if
- <literal>include_realm</literal> is enabled.
+ user name used for mapping is
+ <literal>username/hostba...@example.com</literal>, unless
+ <literal>include_realm</literal> has been enabled, in which case
+ <literal>username/hostbased</literal> is what is seen as the
+ system username when mapping.
</para>
</listitem>
</varlistentry>
@@ -1066,10 +1079,13 @@ omicron bryanh guest1
<term><literal>include_realm</literal></term>
<listitem>
<para>
- If set to 1, the realm name from the authenticated user
- principal is included in the system user name that's passed through
- user name mapping (<xref linkend="auth-username-maps">). This is
- useful for handling users from multiple realms.
+ If set to 0, the realm name from the authenticated user principal is
+ stripped off before being passed through the user name mapping
+ (<xref linkend="auth-username-maps">). This is discouraged and is
+ primairly available for backwards compatibility as it is not secure
+ in multi-realm environments unless krb_realm is also used. Users
+ are recommended to leave include_realm set to the default (1) and to
+ provide an explicit mapping in <filename>pg_ident.conf</>.
</para>
</listitem>
</varlistentry>
@@ -1079,7 +1095,13 @@ omicron bryanh guest1
<listitem>
<para>
Allows for mapping between system and database user names. See
- <xref linkend="auth-username-maps"> for details.
+ <xref linkend="auth-username-maps"> for details. For a Kerberos
+ principal <literal>username/hostba...@example.com</literal>, the
+ user name used for mapping is
+ <literal>username/hostba...@example.com</literal>, unless
+ <literal>include_realm</literal> has been enabled, in which case
+ <literal>username/hostbased</literal> is what is seen as the
+ system username when mapping.
</para>
</listitem>
</varlistentry>
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index d43c8ff..1559ad2 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1406,6 +1406,19 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
hbaline->ldapscope = LDAP_SCOPE_SUBTREE;
#endif
+ /*
+ * For GSS and SSPI, set the default value of include_realm to true.
+ * Having include_realm set to false is dangerous in multi-realm
+ * situations and is generally considered bad practice. We keep the
+ * capability around for backwards compatibility, but we might want to
+ * remove it at some point in the future. Users who still need to strip
+ * the realm off would be better served by using an appropriate regex in
+ * a pg_ident.conf mapping.
+ */
+ if (hbaline->auth_method == uaGSS ||
+ hbaline->auth_method == uaSSPI)
+ hbaline->include_realm = true;
+
if (strcmp(name, "map") == 0)
{
if (hbaline->auth_method != uaIdent &&
--
1.9.1
signature.asc
Description: Digital signature
