database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-03 09:13:20 +03:00
Code Activity

From: Dan McGuirk <mcguirk@indirect.com>

Browse Source 
Subject: [HACKERS] password authentication

This patch adds support for plaintext password authentication.  To use
it, you add a line like

host         all         0.0.0.0       0.0.0.0           password  pg_pwd.conf


to your pg_hba.conf, where 'pg_pwd.conf' is the name of a file containing
the usernames and password hashes in the format of the first two fields
of a Unix /etc/passwd file.  (Of course, you can use a specific database
name or IP instead.)

Then, to connect with a password through libpq, you use the PQconnectdb()
function, specifying the "password=" tag in the connect string and also
adding the tag "authtype=password".

I also added a command-line switch '-u' to psql that tells it to prompt
for a username and password and use password authentication.
This commit is contained in:
Marc G. Fournier
1997-03-12 21:23:16 +00:00
parent 5dde558ce6
commit 3a7c93e7f3
13 changed files with 345 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/backend/libpq/Makefile
View File

@@ -4,7 +4,7 @@
# Makefile for libpq subsystem (backend half of libpq interface)
#
# IDENTIFICATION
# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.4 1996/11/14 10:23:51 bryanh Exp $
# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.5 1997/03/12 21:17:45 scrappy Exp $
#
#-------------------------------------------------------------------------
@@ -24,7 +24,8 @@ LDADD+= $(KRBLIBS)
endif
OBJS = be-dumpdata.o be-fsstubs.o be-pqexec.o \
auth.o hba.o pqcomm.o portal.o util.o portalbuf.o pqpacket.o pqsignal.o
auth.o hba.o pqcomm.o portal.o util.o portalbuf.o pqpacket.o pqsignal.o \
password.o
all: SUBSYS.o

47
src/backend/libpq/auth.c
View File

@@ -7,7 +7,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.8 1996/11/16 08:09:15 bryanh Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.9 1997/03/12 21:17:48 scrappy Exp $
*
*-------------------------------------------------------------------------
*/
@@ -70,6 +70,7 @@
#include <libpq/libpq.h>
#include <libpq/libpq-be.h>
#include <libpq/hba.h>
#include <libpq/password.h>
/*----------------------------------------------------------------
* common definitions for generic fe/be routines
@@ -113,10 +114,11 @@ static struct authsvc authsvcs[] = {
{ "krb4", STARTUP_KRB4_MSG, 1 },
{ "krb5", STARTUP_KRB5_MSG, 1 },
#if defined(KRB5)
{ "kerberos", STARTUP_KRB5_MSG, 1 }
{ "kerberos", STARTUP_KRB5_MSG, 1 },
#else
{ "kerberos", STARTUP_KRB4_MSG, 1 }
{ "kerberos", STARTUP_KRB4_MSG, 1 },
#endif
{ "password", STARTUP_PASSWORD_MSG, 1 }
};
static n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
@@ -403,6 +405,26 @@ return(STATUS_ERROR);
}
#endif /* KRB5 */
static int
pg_password_recvauth(Port *port, char *database, char *DataDir)
{
PacketBuf buf;
char *user, *password;
if(PacketReceive(port, &buf, BLOCKING) != STATUS_OK) {
sprintf(PQerrormsg,
"pg_password_recvauth: failed to receive authentication packet.\n");
fputs(PQerrormsg, stderr);
pqdebug("%s", PQerrormsg);
return STATUS_ERROR;
}
user = buf.data;
password = buf.data + strlen(user) + 1;
return verify_password(user, password, port, database, DataDir);
}
/*
* be_recvauth -- server demux routine for incoming authentication information
*/
@@ -418,8 +440,8 @@ be_recvauth(MsgType msgtype_arg, Port *port, char *username, StartupInfo* sp)
*/
if (msgtype_arg == STARTUP_MSG && useHostBasedAuth)
msgtype = STARTUP_HBA_MSG;
else
msgtype = STARTUP_UNAUTH_MSG;
else
msgtype = msgtype_arg;
if (!username) {
(void) sprintf(PQerrormsg,
@@ -490,6 +512,21 @@ be_recvauth(MsgType msgtype_arg, Port *port, char *username, StartupInfo* sp)
return(STATUS_ERROR);
}
break;
case STARTUP_PASSWORD_MSG:
if(!be_getauthsvc(msgtype)) {
sprintf(PQerrormsg,
"be_recvauth: "
"plaintext password authentication disallowed\n");
fputs(PQerrormsg, stderr);
pqdebug("%s", PQerrormsg);
return(STATUS_ERROR);
}
if(pg_password_recvauth(port, sp->database, DataDir) != STATUS_OK) {
/* pg_password_recvauth or lower-level routines have already set */
/* the error message */
return(STATUS_ERROR);
}
break;
default:
(void) sprintf(PQerrormsg,
"be_recvauth: unrecognized message type: %d\n",

100
src/backend/libpq/hba.c
View File

@@ -7,7 +7,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.15 1997/01/14 01:56:44 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.16 1997/03/12 21:17:53 scrappy Exp $
*
*-------------------------------------------------------------------------
*/
@@ -30,31 +30,6 @@
#include <port/inet_aton.h> /* For inet_aton() */
#define CONF_FILE "pg_hba.conf"
/* Name of the config file */
#define MAP_FILE "pg_ident.conf"
/* Name of the usermap file */
#define OLD_CONF_FILE "pg_hba"
/* Name of the config file in prior releases of Postgres. */
#define MAX_LINES 255
/* Maximum number of config lines that can apply to one database */
#define MAX_TOKEN 80
/* Maximum size of one token in the configuration file */
#define USERMAP_NAME_SIZE 16 /* Max size of a usermap name */
#define IDENT_PORT 113
/* Standard TCP port number for Ident service. Assigned by IANA */
#define IDENT_USERNAME_MAX 512
/* Max size of username ident server can return */
enum Userauth {Trust, Ident};
/* Some standard C libraries, including GNU, have an isblank() function.
Others, including Solaris, do not. So we have our own.
*/
@@ -108,7 +83,7 @@ read_through_eol(FILE *file) {
static void
read_hba_entry2(FILE *file, enum Userauth *userauth_p, char usermap_name[],
bool *error_p) {
bool *error_p, bool *matches_p, bool find_password_entries) {
/*--------------------------------------------------------------------------
Read from file FILE the rest of a host record, after the mask field,
and return the interpretation of it as *userauth_p, usermap_name, and
@@ -120,34 +95,47 @@ read_hba_entry2(FILE *file, enum Userauth *userauth_p, char usermap_name[],
/* Get authentication type token. */
next_token(file, buf, sizeof(buf));
userauth_valid = false;
if (buf[0] == '\0') {
*error_p = true;
read_through_eol(file);
} else {
if (strcmp(buf, "trust") == 0) {
userauth_valid = true;
userauth_valid = true;
if(strcmp(buf, "trust") == 0) {
*userauth_p = Trust;
} else if (strcmp(buf, "ident") == 0) {
userauth_valid = true;
} else if(strcmp(buf, "ident") == 0) {
*userauth_p = Ident;
} else userauth_valid = false;
} else if(strcmp(buf, "password") == 0) {
*userauth_p = Password;
} else {
userauth_valid = false;
}
if((find_password_entries && strcmp(buf, "password") == 0) ||
(!find_password_entries && strcmp(buf, "password") != 0)) {
*matches_p = true;
} else {
*matches_p = false;
}
}
if(!userauth_valid || !*matches_p || *error_p) {
if (!userauth_valid) {
*error_p = true;
read_through_eol(file);
}
read_through_eol(file);
} else {
/* Get the map name token, if any */
next_token(file, buf, sizeof(buf));
if (buf[0] == '\0') {
*error_p = false;
usermap_name[0] = '\0';
} else {
/* Get the map name token, if any */
strncpy(usermap_name, buf, USERMAP_NAME_SIZE);
next_token(file, buf, sizeof(buf));
if (buf[0] == '\0') {
*error_p = false;
usermap_name[0] = '\0';
} else {
strncpy(usermap_name, buf, USERMAP_NAME_SIZE);
next_token(file, buf, sizeof(buf));
if (buf[0] != '\0') {
*error_p = true;
read_through_eol(file);
} else *error_p = false;
}
if (buf[0] != '\0') {
*error_p = true;
read_through_eol(file);
} else *error_p = false;
}
}
}
@@ -158,7 +146,8 @@ static void
process_hba_record(FILE *file,
const struct in_addr ip_addr, const char database[],
bool *matches_p, bool *error_p,
enum Userauth *userauth_p, char usermap_name[] ) {
enum Userauth *userauth_p, char usermap_name[],
bool find_password_entries) {
/*---------------------------------------------------------------------------
Process the non-comment record in the config file that is next on the file.
See if it applies to a connection to a host with IP address "ip_addr"
@@ -221,8 +210,7 @@ process_hba_record(FILE *file,
the rest of the info from it.
*/
read_hba_entry2(file, userauth_p, usermap_name,
error_p);
*matches_p = true;
error_p, matches_p, find_password_entries);
if (*error_p) {
sprintf(PQerrormsg,
"process_hba_record: invalid syntax in "
@@ -249,7 +237,7 @@ static void
process_open_config_file(FILE *file,
const struct in_addr ip_addr, const char database[],
bool *host_ok_p, enum Userauth *userauth_p,
char usermap_name[] ) {
char usermap_name[], bool find_password_entries) {
/*---------------------------------------------------------------------------
This function does the same thing as find_hba_entry, only with
the config file already open on stream descriptor "file".
@@ -274,7 +262,8 @@ process_open_config_file(FILE *file,
if (c == '#') read_through_eol(file);
else {
process_hba_record(file, ip_addr, database,
&found_entry, &error, userauth_p, usermap_name);
&found_entry, &error, userauth_p, usermap_name,
find_password_entries);
}
}
}
@@ -286,11 +275,11 @@ process_open_config_file(FILE *file,
static void
void
find_hba_entry(const char DataDir[], const struct in_addr ip_addr,
const char database[],
bool *host_ok_p, enum Userauth *userauth_p,
char usermap_name[] ) {
char usermap_name[], bool find_password_entries) {
/*--------------------------------------------------------------------------
Read the config file and find an entry that allows connection from
host "ip_addr" to database "database". If not found, return
@@ -360,7 +349,7 @@ find_hba_entry(const char DataDir[], const struct in_addr ip_addr,
pqdebug("%s", PQerrormsg);
} else {
process_open_config_file(file, ip_addr, database, host_ok_p, userauth_p,
usermap_name);
usermap_name, find_password_entries);
fclose(file);
}
free(conf_file);
@@ -731,7 +720,8 @@ hba_recvauth(const Port *port, const char database[], const char user[],
find_hba_entry(DataDir, port->raddr.sin_addr, database,
&host_ok, &userauth, usermap_name);
&host_ok, &userauth, usermap_name,
false /* don't find password entries of type 'password' */);
if (!host_ok) retvalue = STATUS_ERROR;
else {

28
src/backend/libpq/pqcomm.c
View File

@@ -7,7 +7,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.11 1997/02/14 04:15:29 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.12 1997/03/12 21:17:58 scrappy Exp $
*
*-------------------------------------------------------------------------
*/
@@ -703,3 +703,29 @@ StreamOpen(char *hostName, short portName, Port *port)
return(STATUS_OK);
}
static char *authentication_type_name[] = {
0, 0, 0, 0, 0, 0, 0,
"the default authentication type",
0, 0,
"Kerberos v4",
"Kerberos v5",
"host-based authentication",
"unauthenication",
"plaintext password authentication"
};
char *name_of_authentication_type(int type)
{
char *result = 0;
if(type >= 1 && type <= LAST_AUTHENTICATION_TYPE) {
result = authentication_type_name[type];
}
if(result == 0) {
result = "<unknown authentication type>";
}
return result;
}