Expand secondary password file feature, so that you can use these

files to restrict the set of users that can connect to a database
but can still use the pg_shadow password. (You just leave off the
password field in the secondary file.)

src/backend/libpq/auth.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.47 2000/05/27 04:13:05 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.48 2000/07/04 16:31:53 petere Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -52,9 +52,6 @@ static void auth_failed(Port *port);
 
 
 #ifdef KRB4
-/* This has to be ifdef'd out because krb.h does exist.  This needs
-   to be fixed.
-*/
 /*----------------------------------------------------------------
  * MIT Kerberos authentication system - protocol version 4
  *----------------------------------------------------------------
@@ -141,9 +138,6 @@ pg_krb4_recvauth(Port *port)
 
 
 #ifdef KRB5
-/* This needs to be ifdef'd out because krb5.h doesn't exist.  This needs
-   to be fixed.
-*/
 /*----------------------------------------------------------------
  * MIT Kerberos authentication system - protocol version 5
  *----------------------------------------------------------------
@@ -692,16 +686,14 @@ readPasswordPacket(void *arg, PacketLen len, void *pkt)
 
 
 /*
- * Use the local flat password file if clear passwords are used and the file is
- * specified.  Otherwise use the password in the pg_shadow table, encrypted or
- * not.
+ * Handle `password' and `crypt' records. If an auth argument was
+ * specified, use the respective file. Else use pg_shadow passwords.
  */
-
 static int
 checkPassword(Port *port, char *user, char *password)
 {
-	if (port->auth_method == uaPassword && port->auth_arg[0] != '\0')
-		return verify_password(port->auth_arg, user, password);
+	if (port->auth_arg[0] != '\0')
+		return verify_password(port, user, password);
 
 	return crypt_verify(port, user, password);
 }

src/backend/libpq/crypt.c

@@ -9,7 +9,7 @@
  * Dec 17, 1997 - Todd A. Brandys
  *	Orignal Version Completed.
  *
- * $Id: crypt.c,v 1.26 2000/07/03 20:48:30 petere Exp $
+ * $Id: crypt.c,v 1.27 2000/07/04 16:31:53 petere Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -249,7 +249,7 @@ crypt_getloginfo(const char *user, char **passwd, char **valuntil)
 /*-------------------------------------------------------------------------*/
 
 int
-crypt_verify(Port *port, const char *user, const char *pgpass)
+crypt_verify(const Port *port, const char *user, const char *pgpass)
 {
 
 	char	   *passwd,

src/backend/libpq/password.c

@@ -2,7 +2,7 @@
  * Portions Copyright (c) 1996-2000, PostgreSQL, Inc
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $Id: password.c,v 1.29 2000/06/02 15:57:21 momjian Exp $
+ * $Id: password.c,v 1.30 2000/07/04 16:31:53 petere Exp $
  *
  */
 
@@ -15,18 +15,19 @@
 
 #include "libpq/libpq.h"
 #include "libpq/password.h"
+#include "libpq/crypt.h"
 #include "miscadmin.h"
 
 int
-verify_password(char *auth_arg, char *user, char *password)
+verify_password(const Port *port, const char *user, const char *password)
 {
 	char	   *pw_file_fullname;
 	FILE	   *pw_file;
 
-	pw_file_fullname = (char *) palloc(strlen(DataDir) + strlen(auth_arg) + 2);
+	pw_file_fullname = (char *) palloc(strlen(DataDir) + strlen(port->auth_arg) + 2);
 	strcpy(pw_file_fullname, DataDir);
 	strcat(pw_file_fullname, "/");
-	strcat(pw_file_fullname, auth_arg);
+	strcat(pw_file_fullname, port->auth_arg);
 
 	pw_file = AllocateFile(pw_file_fullname, PG_BINARY_R);
 	if (!pw_file)
@@ -52,23 +53,32 @@ verify_password(char *auth_arg, char *user, char *password)
 				   *test_pw;
 
 		fgets(pw_file_line, sizeof(pw_file_line), pw_file);
+		/* kill the newline */
+		if (pw_file_line[strlen(pw_file_line) - 1] == '\n')
+			pw_file_line[strlen(pw_file_line) - 1] = '\0';
+
 		p = pw_file_line;
 
 		test_user = strtok(p, ":");
 		test_pw = strtok(NULL, ":");
-		if (!test_user || !test_pw ||
-			test_user[0] == '\0' || test_pw[0] == '\0')
+		if (!test_user || test_user[0] == '\0')
 			continue;
 
-		/* kill the newline */
-		if (test_pw[strlen(test_pw) - 1] == '\n')
-			test_pw[strlen(test_pw) - 1] = '\0';
-
 		if (strcmp(user, test_user) == 0)
 		{
 			/* we're outta here one way or the other, so close file */
 			FreeFile(pw_file);
 
+			/*
+			 * If the password is empty of "+" then we use the regular
+			 * pg_shadow passwords. If we use crypt then we have to
+			 * use pg_shadow passwords no matter what.
+			 */
+			if (port->auth_method == uaCrypt
+				|| test_pw == NULL || test_pw[0] == '\0'
+				|| strcmp(test_pw, "+")==0)
+				return crypt_verify(port, user, password);
+
 			if (strcmp(crypt(password, test_pw), test_pw) == 0)
 			{
 				/* it matched. */

src/bin/pg_passwd/pg_passwd.c

@@ -105,13 +105,9 @@ try_again:
 
 		/* get user name */
 		p = line;
-		if ((q = strchr(p, ':')) == NULL)
-		{
-			fprintf(stderr, "%s: line %d: illegal format.\n",
-					filename, npwds + 1);
-			exit(1);
-		}
-		*(q++) = '\0';
+		if ((q = strchr(p, ':')) != NULL)
+			*q = '\0';
+
 		if (strlen(p) == 0)
 		{
 			fprintf(stderr, "%s: line %d: null user name.\n",
@@ -131,23 +127,23 @@ try_again:
 		}
 
 		/* get password field */
-		p = q;
-		q = strchr(p, ':');
-
-		/*
-		 * --- don't care ----- if ((q = strchr(p, ':')) == NULL) {
-		 * fprintf(stderr, "%s: line %d: illegal format.\n", filename,
-		 * npwds + 1); exit(1); }
-		 */
-
-		if (q != NULL)
-			*(q++) = '\0';
-		if (strlen(p) != 13)
+		if (q)
 		{
-			fprintf(stderr, "WARNING: %s: line %d: illegal password length.\n",
-					filename, npwds + 1);
+			p = q + 1;
+			q = strchr(p, ':');
+
+			if (q != NULL)
+				*(q++) = '\0';
+
+			if (strlen(p) != 13 && strcmp(p, "+")!=0)
+			{
+				fprintf(stderr, "WARNING: %s: line %d: invalid password length.\n",
+						filename, npwds + 1);
+			}
+			pwds[npwds].pwd = strdup(p);
 		}
-		pwds[npwds].pwd = strdup(p);
+		else
+			pwds[npwds].pwd = NULL;
 
 		/* rest of the line is treated as is */
 		if (q == NULL)
@@ -193,9 +189,12 @@ link_again:
 	/* write file */
 	for (i = 0; i < npwds; ++i)
 	{
-		fprintf(fp, "%s:%s%s%s\n", pwds[i].uname, pwds[i].pwd,
-				pwds[i].rest ? ":" : "",
-				pwds[i].rest ? pwds[i].rest : "");
+		fprintf(fp, "%s", pwds[i].uname);
+		if (pwds[i].pwd)
+			fprintf(fp, ":%s", pwds[i].pwd);
+		if (pwds[i].rest)
+			fprintf(fp, ":%s", pwds[i].rest);
+		fprintf(fp, "\n");
 	}
 
 	fclose(fp);

src/include/libpq/crypt.h

@@ -26,6 +26,6 @@ extern char *crypt_getpwdreloadfilename(void);
 extern MsgType crypt_salt(const char *user);
 
 #endif
-extern int	crypt_verify(Port *port, const char *user, const char *pgpass);
+extern int	crypt_verify(const Port *port, const char *user, const char *pgpass);
 
 #endif

src/include/libpq/password.h

@@ -1,6 +1,6 @@
 #ifndef PASSWORD_H
 #define PASSWORD_H
 
-int			verify_password(char *auth_arg, char *user, char *password);
+int			verify_password(const Port *port, const char *user, const char *password);
 
 #endif