2009/10/13 Heikki Linnakangas <heikki.linnakan...@enterprisedb.com>:
> Turner, Ian wrote:
>> While trying to connect our PostgreSQL database to our Kerberos realm, we
>> encountered the obscure message "Invalid message length". Tracking this
>> down, we discovered that it was emitted by src/backend/libpq/pqcomm.c in
>> response to a rather large Kerberos message. The root cause is as follows,
>> and a patch is below.
>>
>> The code in src/backend/libpq/auth.c contains a hard-coded limit on the size
>> of GSS messages, and in particular on the message containing the client's
>> Kerberos ticket for the postgres server. The limit was 2,000 bytes, which is
>> normally adequate for tickets based on TGTs issued by Unix KDCs. However,
>> TGTs issued by Windows domain controllers contain an authorization field
>> known as the PAC (privilege attribute certificate), which contains the
>> user's Windows permissions (group memberships etc.). The PAC is copied into
>> all tickets obtained on the basis of this TGT (even those issued by Unix
>> realms which the Windows realm trusts), and can be several K in size. Thus,
>> GSS authentication was failing with an "invalid message length" error. We
>> simply upped the limit to 32k, which ought to be sufficient.
>>
>> The patch is quite brief:
>>
>> --- postgresql-8.4-8.4.1/src/backend/libpq/auth.c 2009-06-25 >> 12:30:08.000000000 +0100 >> +++ postgresql-8.4-8.4.1-fixed/src/backend/libpq/auth.c 2009-09-15 >> 20:27:01.000000000 +0100 >> @@ -166,6 +166,8 @@ >> #endif >> >> static int pg_GSS_recvauth(Port *port); >> + >> +#define GSS_MAX_TOKEN_LENGTH (32767) >> #endif /* ENABLE_GSS */
>> >> >> @@ -937,7 +939,7 @@ >> >> /* Get the actual GSS token */ >> initStringInfo(&buf); >> - if (pq_getmessage(&buf, 2000)) >> + if (pq_getmessage(&buf, GSS_MAX_TOKEN_LENGTH)) >> { >> /* EOF - pq_getmessage already logged error */ >> pfree(buf.data);
>>
>> Please let me know if anything additional is required in order to get this
>> fix into the next release.
>
> The corresponding limit in pg_SSPI_recvauth() probably needs to be
> raised too..
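Review bot: in the first hunk, the new `#define GSS_MAX_TOKEN_LENGTH (32767)` carries no comment saying where 32767 comes from; the only justification lives in the mail text (Windows PAC data inflating tickets well past the old 2000-byte cap). Add a one-line comment above the define recording that origin and that the cap exists to bound how much data a client that has not yet authenticated can make the backend buffer, so whoever raises it next (the thread already floats 65535) knows what it protects rather than treating it as an arbitrary number.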
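Review bot: in the second hunk, replacing the literal 2000 in the pq_getmessage() call fixes only the GSS path; as the reply notes, pg_SSPI_recvauth() in the same file has a corresponding hard-coded limit, so the two should be changed together (ideally sharing this one constant) or the same "invalid message length" failure will remain on the SSPI side. Keep a finite limit here rather than dropping it as the thread considers: this read happens before authentication has completed, so the maxlen argument is the only thing bounding what an unauthenticated client can make the backend allocate for this message.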
Probably, but not entirely certainly, given how SSPI works. But for
consistency that would certainly be a good idea :-)

> pq_getmessage() doesn't necessarily need a limit, we could accept
> arbitrarily long tokens. Although I guess we want to avoid simple
> denial-of-service attacks exhausting backend memory.

Yeah. FWIW, the default max token size on Win2k is ~8Kb. In some service
pack and then in Win2003, it was increased to 12Kb. But it is possible to
increase that by a registry key on the domain controller - and I read
somewhere that Win2008 actually will increase this size dynamically.

Actually, I found a note that said it's recommended to never increase it
above 65535 - so perhaps we should put our limit at that instead of 32767?

-- 
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

-- 
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
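As an added illustration of the length check this thread is about (a constructed example, not PostgreSQL's pq_getmessage() and not from the patch author), the read below validates the int32 length prefix against a cap before allocating anything, and try_token() frames a filler token of a chosen size to show the old 2000-byte cap rejecting a PAC-sized ticket while the proposed 32767 accepts it. OLD_GSS_LIMIT, NEW_GSS_LIMIT, bounded_getmessage and try_token are names assumed here; a maxlen of 0 is taken to mean "uncapped", the option the thread discusses.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not PostgreSQL's pq_getmessage(). The two caps are
 * the old and the proposed value from the thread. */
#define OLD_GSS_LIMIT 2000
#define NEW_GSS_LIMIT 32767

enum recv_status { RECV_OK = 0, RECV_TOO_SHORT, RECV_TOO_LONG, RECV_TRUNCATED };

/* Read a frontend message framed as <int32 length, counting itself><body>.
 * The length is checked against maxlen (0 = uncapped) BEFORE allocating,
 * so an oversized or hostile prefix is refused without touching the heap. */
static enum recv_status
bounded_getmessage(const unsigned char *wire, size_t wire_len, size_t maxlen,
                   unsigned char **body, size_t *body_len)
{
    uint32_t len;
    if (wire_len < 4) return RECV_TRUNCATED;
    len = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
          ((uint32_t)wire[2] << 8) | wire[3];
    if (len < 4) return RECV_TOO_SHORT;                    /* must cover the prefix */
    len -= 4;
    if (maxlen != 0 && len > maxlen) return RECV_TOO_LONG; /* "invalid message length" */
    if (wire_len - 4 < len) return RECV_TRUNCATED;
    *body = malloc(len + 1);                               /* allocate only after validation */
    if (*body == NULL) return RECV_TRUNCATED;              /* treat OOM as a failed read */
    memcpy(*body, wire + 4, len);
    (*body)[len] = '\0';
    *body_len = len;
    return RECV_OK;
}

/* Frame a constructed token of token_len filler bytes (a stand-in for a
 * PAC-laden ticket) and run it through the bounded read with the given cap. */
static enum recv_status
try_token(size_t token_len, size_t maxlen)
{
    size_t wire_len = 4 + token_len, body_len = 0;
    unsigned char *wire = malloc(wire_len), *body = NULL;
    enum recv_status st;
    if (wire == NULL) return RECV_TRUNCATED;
    wire[0] = (unsigned char)(wire_len >> 24); wire[1] = (unsigned char)(wire_len >> 16);
    wire[2] = (unsigned char)(wire_len >> 8);  wire[3] = (unsigned char)wire_len;
    memset(wire + 4, 'P', token_len);
    st = bounded_getmessage(wire, wire_len, maxlen, &body, &body_len);
    free(body);
    free(wire);
    return st;
}
```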