diff options
| author | Stephen Frost | 2015-05-08 23:39:42 +0000 |
|---|---|---|
| committer | Stephen Frost | 2015-05-08 23:39:42 +0000 |
| commit | 9a0884176fdfa51551d6a3b26fa0e1b216c3e4c2 (patch) | |
| tree | 03c926d57b1be6a572fcfd0961da777476350d75 /src | |
| parent | f91feba8776eb66008cdb73b3a8c0c7c08cc54d9 (diff) | |
Change default for include_realm to 1
The default behavior for GSS and SSPI authentication methods has long
been to strip the realm off of the principal, however, this is not a
secure approach in multi-realm environments and the use-case for the
parameter at all has been superseded by the regex-based mapping support
available in pg_ident.conf.
Change the default for include_realm to be '1', meaning that we do
NOT remove the realm from the principal by default. Any installations
which depend on the existing behavior will need to update their
configurations (ideally by leaving include_realm set to 1 and adding a
mapping in pg_ident.conf, but alternatively by explicitly setting
include_realm=0 prior to upgrading). Note that the mapping capability
exists in all currently supported versions of PostgreSQL and so this
change can be done today. Barring that, existing users can update their
configurations today to explicitly set include_realm=0 to ensure that
the prior behavior is maintained when they upgrade.
This needs to be noted in the release notes.
Per discussion with Magnus and Peter.
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/hba.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index a0f53960361..c23938580b9 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1376,6 +1376,19 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) hbaline->ldapscope = LDAP_SCOPE_SUBTREE; #endif + /* + * For GSS and SSPI, set the default value of include_realm to true. + * Having include_realm set to false is dangerous in multi-realm + * situations and is generally considered bad practice. We keep the + * capability around for backwards compatibility, but we might want to + * remove it at some point in the future. Users who still need to strip + * the realm off would be better served by using an appropriate regex in + * a pg_ident.conf mapping. + */ + if (hbaline->auth_method == uaGSS || + hbaline->auth_method == uaSSPI) + hbaline->include_realm = true; + if (strcmp(name, "map") == 0) { if (hbaline->auth_method != uaIdent && |