1
0
mirror of https://github.com/postgres/postgres.git synced 2025-07-11 10:01:57 +03:00

Make krb_realm and krb_server_hostname be pg_hba options only, and remove

their GUCs.

In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
This commit is contained in:
Magnus Hagander
2009-01-09 10:13:19 +00:00
parent 32e1265dd9
commit 1b4e729eaa
5 changed files with 72 additions and 112 deletions

View File

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $
*
*-------------------------------------------------------------------------
*/
@ -129,8 +129,6 @@ static int CheckCertAuth(Port *port);
char *pg_krb_server_keyfile;
char *pg_krb_srvnam;
bool pg_krb_caseins_users;
char *pg_krb_server_hostname = NULL;
char *pg_krb_realm = NULL;
/*----------------------------------------------------------------
@ -645,10 +643,7 @@ pg_krb5_init(Port *port)
* If no hostname was specified, pg_krb_server_hostname is already NULL.
* If it's set to blank, force it to NULL.
*/
if (port->hba->krb_server_hostname)
khostname = port->hba->krb_server_hostname;
else
khostname = pg_krb_server_hostname;
khostname = port->hba->krb_server_hostname;
if (khostname && khostname[0] == '\0')
khostname = NULL;
@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port)
krb5_ticket *ticket;
char *kusername;
char *cp;
char *realmmatch;
if (get_role_line(port->user_name) == NULL)
return STATUS_ERROR;
@ -740,11 +734,6 @@ pg_krb5_recvauth(Port *port)
return STATUS_ERROR;
}
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
cp = strchr(kusername, '@');
if (cp)
{
@ -757,19 +746,19 @@ pg_krb5_recvauth(Port *port)
*cp = '\0';
cp++;
if (realmmatch != NULL && strlen(realmmatch))
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/* Match realm against configured */
if (pg_krb_caseins_users)
ret = pg_strcasecmp(realmmatch, cp);
ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
ret = strcmp(realmmatch, cp);
ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
elog(DEBUG2,
"krb5 realm (%s) and configured realm (%s) don't match",
cp, realmmatch);
cp, port->hba->krb_realm);
krb5_free_ticket(pg_krb5_context, ticket);
krb5_auth_con_free(pg_krb5_context, auth_context);
@ -777,7 +766,7 @@ pg_krb5_recvauth(Port *port)
}
}
}
else if (realmmatch && strlen(realmmatch))
else if (port->hba->krb_realm&& strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"krb5 did not return realm but realm matching was requested");
@ -874,7 +863,6 @@ pg_GSS_recvauth(Port *port)
int ret;
StringInfoData buf;
gss_buffer_desc gbuf;
char *realmmatch;
/*
* GSS auth is not supported for protocol versions before 3, because it
@ -1034,11 +1022,6 @@ pg_GSS_recvauth(Port *port)
gettext_noop("retrieving GSS user name failed"),
maj_stat, min_stat);
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
/*
* Split the username at the realm separator
*/
@ -1055,28 +1038,28 @@ pg_GSS_recvauth(Port *port)
*cp = '\0';
cp++;
if (realmmatch != NULL && strlen(realmmatch))
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/*
* Match the realm part of the name first
*/
if (pg_krb_caseins_users)
ret = pg_strcasecmp(realmmatch, cp);
ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
ret = strcmp(realmmatch, cp);
ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
/* GSS realm does not match */
elog(DEBUG2,
"GSSAPI realm (%s) and configured realm (%s) don't match",
cp, realmmatch);
cp, port->hba->krb_realm);
gss_release_buffer(&lmin_s, &gbuf);
return STATUS_ERROR;
}
}
}
else if (realmmatch && strlen(realmmatch))
else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"GSSAPI did not return realm but realm matching was requested");
@ -1140,7 +1123,6 @@ pg_SSPI_recvauth(Port *port)
SID_NAME_USE accountnameuse;
HMODULE secur32;
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
char *realmmatch;
/*
* SSPI auth is not supported for protocol versions before 3, because it
@ -1353,18 +1335,13 @@ pg_SSPI_recvauth(Port *port)
* Compare realm/domain if requested. In SSPI, always compare case
* insensitive.
*/
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
if (realmmatch && strlen(realmmatch))
if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
if (pg_strcasecmp(realmmatch, domainname))
if (pg_strcasecmp(port->hba->krb_realm, domainname))
{
elog(DEBUG2,
"SSPI domain (%s) and configured domain (%s) don't match",
domainname, realmmatch);
domainname, port->hba->krb_realm);
return STATUS_ERROR;
}