mirror of
https://github.com/postgres/postgres.git
synced 2025-07-11 10:01:57 +03:00
Make krb_realm and krb_server_hostname be pg_hba options only, and remove
their GUCs. In passing, noted that the pg_hba options for krb5 authentication weren't listed at all - so add this.
This commit is contained in:
Magnus Hagander
@ -8,7 +8,7 @@
|
||||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $
|
||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
@ -129,8 +129,6 @@ static int CheckCertAuth(Port *port);
|
||||
char *pg_krb_server_keyfile;
|
||||
char *pg_krb_srvnam;
|
||||
bool pg_krb_caseins_users;
|
||||
char *pg_krb_server_hostname = NULL;
|
||||
char *pg_krb_realm = NULL;
|
||||
|
||||
|
||||
/*----------------------------------------------------------------
|
||||
@ -645,10 +643,7 @@ pg_krb5_init(Port *port)
|
||||
* If no hostname was specified, pg_krb_server_hostname is already NULL.
|
||||
* If it's set to blank, force it to NULL.
|
||||
*/
|
||||
if (port->hba->krb_server_hostname)
|
||||
khostname = port->hba->krb_server_hostname;
|
||||
else
|
||||
khostname = pg_krb_server_hostname;
|
||||
khostname = port->hba->krb_server_hostname;
|
||||
if (khostname && khostname[0] == '\0')
|
||||
khostname = NULL;
|
||||
|
||||
@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port)
|
||||
krb5_ticket *ticket;
|
||||
char *kusername;
|
||||
char *cp;
|
||||
char *realmmatch;
|
||||
|
||||
if (get_role_line(port->user_name) == NULL)
|
||||
return STATUS_ERROR;
|
||||
@ -740,11 +734,6 @@ pg_krb5_recvauth(Port *port)
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
if (port->hba->krb_realm)
|
||||
realmmatch = port->hba->krb_realm;
|
||||
else
|
||||
realmmatch = pg_krb_realm;
|
||||
|
||||
cp = strchr(kusername, '@');
|
||||
if (cp)
|
||||
{
|
||||
@ -757,19 +746,19 @@ pg_krb5_recvauth(Port *port)
|
||||
*cp = '\0';
|
||||
cp++;
|
||||
|
||||
if (realmmatch != NULL && strlen(realmmatch))
|
||||
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
|
||||
{
|
||||
/* Match realm against configured */
|
||||
if (pg_krb_caseins_users)
|
||||
ret = pg_strcasecmp(realmmatch, cp);
|
||||
ret = pg_strcasecmp(port->hba->krb_realm, cp);
|
||||
else
|
||||
ret = strcmp(realmmatch, cp);
|
||||
ret = strcmp(port->hba->krb_realm, cp);
|
||||
|
||||
if (ret)
|
||||
{
|
||||
elog(DEBUG2,
|
||||
"krb5 realm (%s) and configured realm (%s) don't match",
|
||||
cp, realmmatch);
|
||||
cp, port->hba->krb_realm);
|
||||
|
||||
krb5_free_ticket(pg_krb5_context, ticket);
|
||||
krb5_auth_con_free(pg_krb5_context, auth_context);
|
||||
@ -777,7 +766,7 @@ pg_krb5_recvauth(Port *port)
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (realmmatch && strlen(realmmatch))
|
||||
else if (port->hba->krb_realm&& strlen(port->hba->krb_realm))
|
||||
{
|
||||
elog(DEBUG2,
|
||||
"krb5 did not return realm but realm matching was requested");
|
||||
@ -874,7 +863,6 @@ pg_GSS_recvauth(Port *port)
|
||||
int ret;
|
||||
StringInfoData buf;
|
||||
gss_buffer_desc gbuf;
|
||||
char *realmmatch;
|
||||
|
||||
/*
|
||||
* GSS auth is not supported for protocol versions before 3, because it
|
||||
@ -1034,11 +1022,6 @@ pg_GSS_recvauth(Port *port)
|
||||
gettext_noop("retrieving GSS user name failed"),
|
||||
maj_stat, min_stat);
|
||||
|
||||
if (port->hba->krb_realm)
|
||||
realmmatch = port->hba->krb_realm;
|
||||
else
|
||||
realmmatch = pg_krb_realm;
|
||||
|
||||
/*
|
||||
* Split the username at the realm separator
|
||||
*/
|
||||
@ -1055,28 +1038,28 @@ pg_GSS_recvauth(Port *port)
|
||||
*cp = '\0';
|
||||
cp++;
|
||||
|
||||
if (realmmatch != NULL && strlen(realmmatch))
|
||||
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
|
||||
{
|
||||
/*
|
||||
* Match the realm part of the name first
|
||||
*/
|
||||
if (pg_krb_caseins_users)
|
||||
ret = pg_strcasecmp(realmmatch, cp);
|
||||
ret = pg_strcasecmp(port->hba->krb_realm, cp);
|
||||
else
|
||||
ret = strcmp(realmmatch, cp);
|
||||
ret = strcmp(port->hba->krb_realm, cp);
|
||||
|
||||
if (ret)
|
||||
{
|
||||
/* GSS realm does not match */
|
||||
elog(DEBUG2,
|
||||
"GSSAPI realm (%s) and configured realm (%s) don't match",
|
||||
cp, realmmatch);
|
||||
cp, port->hba->krb_realm);
|
||||
gss_release_buffer(&lmin_s, &gbuf);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (realmmatch && strlen(realmmatch))
|
||||
else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
|
||||
{
|
||||
elog(DEBUG2,
|
||||
"GSSAPI did not return realm but realm matching was requested");
|
||||
@ -1140,7 +1123,6 @@ pg_SSPI_recvauth(Port *port)
|
||||
SID_NAME_USE accountnameuse;
|
||||
HMODULE secur32;
|
||||
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
|
||||
char *realmmatch;
|
||||
|
||||
/*
|
||||
* SSPI auth is not supported for protocol versions before 3, because it
|
||||
@ -1353,18 +1335,13 @@ pg_SSPI_recvauth(Port *port)
|
||||
* Compare realm/domain if requested. In SSPI, always compare case
|
||||
* insensitive.
|
||||
*/
|
||||
if (port->hba->krb_realm)
|
||||
realmmatch = port->hba->krb_realm;
|
||||
else
|
||||
realmmatch = pg_krb_realm;
|
||||
|
||||
if (realmmatch && strlen(realmmatch))
|
||||
if (port->hba->krb_realm && strlen(port->hba->krb_realm))
|
||||
{
|
||||
if (pg_strcasecmp(realmmatch, domainname))
|
||||
if (pg_strcasecmp(port->hba->krb_realm, domainname))
|
||||
{
|
||||
elog(DEBUG2,
|
||||
"SSPI domain (%s) and configured domain (%s) don't match",
|
||||
domainname, realmmatch);
|
||||
domainname, port->hba->krb_realm);
|
||||
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user