Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commite2a4195

Browse files
committed
Raise the maximum authentication token (Kerberos ticket) size in GSSAPI
and SSPI athentication methods. While the old 2000 byte limit was more thanenough for Unix Kerberos implementations, tickets issued by Windows DomainControllers can be much larger.Ian Turner
1 parent207b4da commite2a4195

File tree

1 file changed

+18
-3
lines changed

1 file changed

+18
-3
lines changed

‎src/backend/libpq/auth.c‎

Lines changed: 18 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.184 2009/08/29 19:26:51 tgl Exp $
11+
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.185 2009/10/14 07:27:13 heikki Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -183,6 +183,21 @@ static intpg_SSPI_recvauth(Port *port);
183183
#endif
184184

185185

186+
/*
187+
* Maximum size of GSS and SSPI authentication tokens.
188+
*
189+
* Kerberos tickets are usually quite small, but the TGTs issued by Windows
190+
* domain controllers include an authorization field known as the Privilege
191+
* Attribute Certificate (PAC), which contains the user's Windows permissions
192+
* (group memberships etc.). The PAC is copied into all tickets obtained on
193+
* the basis of this TGT (even those issued by Unix realms which the Windows
194+
* realm trusts), and can be several kB in size. The maximum token size
195+
* accepted by Windows systems is determined by the MaxAuthToken Windows
196+
* registry setting. Microsoft recommends that it is not set higher than
197+
* 65535 bytes, so that seems like a reasonable limit for us as well.
198+
*/
199+
#defineMAX_AUTH_TOKEN_LENGTH65535
200+
186201

187202
/*----------------------------------------------------------------
188203
* Global authentication functions
@@ -948,7 +963,7 @@ pg_GSS_recvauth(Port *port)
948963

949964
/* Get the actual GSS token */
950965
initStringInfo(&buf);
951-
if (pq_getmessage(&buf,2000))
966+
if (pq_getmessage(&buf,MAX_AUTH_TOKEN_LENGTH))
952967
{
953968
/* EOF - pq_getmessage already logged error */
954969
pfree(buf.data);
@@ -1186,7 +1201,7 @@ pg_SSPI_recvauth(Port *port)
11861201

11871202
/* Get the actual SSPI token */
11881203
initStringInfo(&buf);
1189-
if (pq_getmessage(&buf,2000))
1204+
if (pq_getmessage(&buf,MAX_AUTH_TOKEN_LENGTH))
11901205
{
11911206
/* EOF - pq_getmessage already logged error */
11921207
pfree(buf.data);

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp