mirror of
https://github.com/postgres/postgres.git
synced 2025-11-18 02:02:55 +03:00
Remove support for native krb5 authentication
krb5 has been deprecated since 8.3, and the recommended way to do Kerberos authentication is using the GSSAPI authentication method (which is still fully supported). libpq retains the ability to identify krb5 authentication, but only gives an error message about it being unsupported. Since all authentication is initiated from the backend, there is no need to keep it at all in the backend.
This commit is contained in:
Magnus Hagander
@@ -133,29 +133,6 @@ char *pg_krb_srvnam;
|
||||
bool pg_krb_caseins_users;
|
||||
|
||||
|
||||
/*----------------------------------------------------------------
|
||||
* MIT Kerberos authentication system - protocol version 5
|
||||
*----------------------------------------------------------------
|
||||
*/
|
||||
#ifdef KRB5
|
||||
static int pg_krb5_recvauth(Port *port);
|
||||
|
||||
#include <krb5.h>
|
||||
/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
|
||||
#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
|
||||
#include <com_err.h>
|
||||
#endif
|
||||
/*
|
||||
* Various krb5 state which is not connection specific, and a flag to
|
||||
* indicate whether we have initialised it yet.
|
||||
*/
|
||||
static int pg_krb5_initialised;
|
||||
static krb5_context pg_krb5_context;
|
||||
static krb5_keytab pg_krb5_keytab;
|
||||
static krb5_principal pg_krb5_server;
|
||||
#endif /* KRB5 */
|
||||
|
||||
|
||||
/*----------------------------------------------------------------
|
||||
* GSSAPI Authentication
|
||||
*----------------------------------------------------------------
|
||||
@@ -257,9 +234,6 @@ auth_failed(Port *port, int status)
|
||||
case uaImplicitReject:
|
||||
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
|
||||
break;
|
||||
case uaKrb5:
|
||||
errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
|
||||
break;
|
||||
case uaTrust:
|
||||
errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
|
||||
break;
|
||||
@@ -497,15 +471,6 @@ ClientAuthentication(Port *port)
|
||||
break;
|
||||
}
|
||||
|
||||
case uaKrb5:
|
||||
#ifdef KRB5
|
||||
sendAuthRequest(port, AUTH_REQ_KRB5);
|
||||
status = pg_krb5_recvauth(port);
|
||||
#else
|
||||
Assert(false);
|
||||
#endif
|
||||
break;
|
||||
|
||||
case uaGSS:
|
||||
#ifdef ENABLE_GSS
|
||||
sendAuthRequest(port, AUTH_REQ_GSS);
|
||||
@@ -735,188 +700,6 @@ recv_and_check_password_packet(Port *port)
|
||||
}
|
||||
|
||||
|
||||
/*----------------------------------------------------------------
|
||||
* MIT Kerberos authentication system - protocol version 5
|
||||
*----------------------------------------------------------------
|
||||
*/
|
||||
#ifdef KRB5
|
||||
|
||||
static int
|
||||
pg_krb5_init(Port *port)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
char *khostname;
|
||||
|
||||
if (pg_krb5_initialised)
|
||||
return STATUS_OK;
|
||||
|
||||
retval = krb5_init_context(&pg_krb5_context);
|
||||
if (retval)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("Kerberos initialization returned error %d",
|
||||
retval)));
|
||||
com_err("postgres", retval, "while initializing krb5");
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
|
||||
if (retval)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("Kerberos keytab resolving returned error %d",
|
||||
retval)));
|
||||
com_err("postgres", retval, "while resolving keytab file \"%s\"",
|
||||
pg_krb_server_keyfile);
|
||||
krb5_free_context(pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* If no hostname was specified, pg_krb_server_hostname is already NULL.
|
||||
* If it's set to blank, force it to NULL.
|
||||
*/
|
||||
khostname = port->hba->krb_server_hostname;
|
||||
if (khostname && khostname[0] == '\0')
|
||||
khostname = NULL;
|
||||
|
||||
retval = krb5_sname_to_principal(pg_krb5_context,
|
||||
khostname,
|
||||
pg_krb_srvnam,
|
||||
KRB5_NT_SRV_HST,
|
||||
&pg_krb5_server);
|
||||
if (retval)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d",
|
||||
khostname ? khostname : "server hostname", pg_krb_srvnam, retval)));
|
||||
com_err("postgres", retval,
|
||||
"while getting server principal for server \"%s\" for service \"%s\"",
|
||||
khostname ? khostname : "server hostname", pg_krb_srvnam);
|
||||
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
|
||||
krb5_free_context(pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
pg_krb5_initialised = 1;
|
||||
return STATUS_OK;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* pg_krb5_recvauth -- server routine to receive authentication information
|
||||
* from the client
|
||||
*
|
||||
* We still need to compare the username obtained from the client's setup
|
||||
* packet to the authenticated name.
|
||||
*
|
||||
* We have our own keytab file because postgres is unlikely to run as root,
|
||||
* and so cannot read the default keytab.
|
||||
*/
|
||||
static int
|
||||
pg_krb5_recvauth(Port *port)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
int ret;
|
||||
krb5_auth_context auth_context = NULL;
|
||||
krb5_ticket *ticket;
|
||||
char *kusername;
|
||||
char *cp;
|
||||
|
||||
ret = pg_krb5_init(port);
|
||||
if (ret != STATUS_OK)
|
||||
return ret;
|
||||
|
||||
retval = krb5_recvauth(pg_krb5_context, &auth_context,
|
||||
(krb5_pointer) & port->sock, pg_krb_srvnam,
|
||||
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
|
||||
if (retval)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("Kerberos recvauth returned error %d",
|
||||
retval)));
|
||||
com_err("postgres", retval, "from krb5_recvauth");
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* The "client" structure comes out of the ticket and is therefore
|
||||
* authenticated. Use it to check the username obtained from the
|
||||
* postmaster startup packet.
|
||||
*/
|
||||
#if defined(HAVE_KRB5_TICKET_ENC_PART2)
|
||||
retval = krb5_unparse_name(pg_krb5_context,
|
||||
ticket->enc_part2->client, &kusername);
|
||||
#elif defined(HAVE_KRB5_TICKET_CLIENT)
|
||||
retval = krb5_unparse_name(pg_krb5_context,
|
||||
ticket->client, &kusername);
|
||||
#else
|
||||
#error "bogus configuration"
|
||||
#endif
|
||||
if (retval)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errmsg("Kerberos unparse_name returned error %d",
|
||||
retval)));
|
||||
com_err("postgres", retval, "while unparsing client name");
|
||||
krb5_free_ticket(pg_krb5_context, ticket);
|
||||
krb5_auth_con_free(pg_krb5_context, auth_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
cp = strchr(kusername, '@');
|
||||
if (cp)
|
||||
{
|
||||
/*
|
||||
* If we are not going to include the realm in the username that is
|
||||
* passed to the ident map, destructively modify it here to remove the
|
||||
* realm. Then advance past the separator to check the realm.
|
||||
*/
|
||||
if (!port->hba->include_realm)
|
||||
*cp = '\0';
|
||||
cp++;
|
||||
|
||||
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
|
||||
{
|
||||
/* Match realm against configured */
|
||||
if (pg_krb_caseins_users)
|
||||
ret = pg_strcasecmp(port->hba->krb_realm, cp);
|
||||
else
|
||||
ret = strcmp(port->hba->krb_realm, cp);
|
||||
|
||||
if (ret)
|
||||
{
|
||||
elog(DEBUG2,
|
||||
"krb5 realm (%s) and configured realm (%s) don't match",
|
||||
cp, port->hba->krb_realm);
|
||||
|
||||
krb5_free_ticket(pg_krb5_context, ticket);
|
||||
krb5_auth_con_free(pg_krb5_context, auth_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
|
||||
{
|
||||
elog(DEBUG2,
|
||||
"krb5 did not return realm but realm matching was requested");
|
||||
|
||||
krb5_free_ticket(pg_krb5_context, ticket);
|
||||
krb5_auth_con_free(pg_krb5_context, auth_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
ret = check_usermap(port->hba->usermap, port->user_name, kusername,
|
||||
pg_krb_caseins_users);
|
||||
|
||||
krb5_free_ticket(pg_krb5_context, ticket);
|
||||
krb5_auth_con_free(pg_krb5_context, auth_context);
|
||||
free(kusername);
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
|
||||
|
||||
/*----------------------------------------------------------------
|
||||
* GSSAPI authentication system
|
||||
|
||||
@@ -1177,12 +1177,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
|
||||
parsedline->auth_method = uaPeer;
|
||||
else if (strcmp(token->string, "password") == 0)
|
||||
parsedline->auth_method = uaPassword;
|
||||
else if (strcmp(token->string, "krb5") == 0)
|
||||
#ifdef KRB5
|
||||
parsedline->auth_method = uaKrb5;
|
||||
#else
|
||||
unsupauth = "krb5";
|
||||
#endif
|
||||
else if (strcmp(token->string, "gss") == 0)
|
||||
#ifdef ENABLE_GSS
|
||||
parsedline->auth_method = uaGSS;
|
||||
@@ -1261,17 +1255,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
|
||||
parsedline->auth_method = uaPeer;
|
||||
|
||||
/* Invalid authentication combinations */
|
||||
if (parsedline->conntype == ctLocal &&
|
||||
parsedline->auth_method == uaKrb5)
|
||||
{
|
||||
ereport(LOG,
|
||||
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
||||
errmsg("krb5 authentication is not supported on local sockets"),
|
||||
errcontext("line %d of configuration file \"%s\"",
|
||||
line_num, HbaFileName)));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (parsedline->conntype == ctLocal &&
|
||||
parsedline->auth_method == uaGSS)
|
||||
{
|
||||
@@ -1417,11 +1400,10 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
|
||||
{
|
||||
if (hbaline->auth_method != uaIdent &&
|
||||
hbaline->auth_method != uaPeer &&
|
||||
hbaline->auth_method != uaKrb5 &&
|
||||
hbaline->auth_method != uaGSS &&
|
||||
hbaline->auth_method != uaSSPI &&
|
||||
hbaline->auth_method != uaCert)
|
||||
INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi, and cert"));
|
||||
INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
|
||||
hbaline->usermap = pstrdup(val);
|
||||
}
|
||||
else if (strcmp(name, "clientcert") == 0)
|
||||
@@ -1578,25 +1560,18 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
|
||||
REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap");
|
||||
hbaline->ldapsuffix = pstrdup(val);
|
||||
}
|
||||
else if (strcmp(name, "krb_server_hostname") == 0)
|
||||
{
|
||||
REQUIRE_AUTH_OPTION(uaKrb5, "krb_server_hostname", "krb5");
|
||||
hbaline->krb_server_hostname = pstrdup(val);
|
||||
}
|
||||
else if (strcmp(name, "krb_realm") == 0)
|
||||
{
|
||||
if (hbaline->auth_method != uaKrb5 &&
|
||||
hbaline->auth_method != uaGSS &&
|
||||
if (hbaline->auth_method != uaGSS &&
|
||||
hbaline->auth_method != uaSSPI)
|
||||
INVALID_AUTH_OPTION("krb_realm", gettext_noop("krb5, gssapi, and sspi"));
|
||||
INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi"));
|
||||
hbaline->krb_realm = pstrdup(val);
|
||||
}
|
||||
else if (strcmp(name, "include_realm") == 0)
|
||||
{
|
||||
if (hbaline->auth_method != uaKrb5 &&
|
||||
hbaline->auth_method != uaGSS &&
|
||||
if (hbaline->auth_method != uaGSS &&
|
||||
hbaline->auth_method != uaSSPI)
|
||||
INVALID_AUTH_OPTION("include_realm", gettext_noop("krb5, gssapi, and sspi"));
|
||||
INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi"));
|
||||
if (strcmp(val, "1") == 0)
|
||||
hbaline->include_realm = true;
|
||||
else
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
# directly connected to.
|
||||
#
|
||||
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
|
||||
# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
|
||||
# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
|
||||
# "password" sends passwords in clear text; "md5" is preferred since
|
||||
# it sends encrypted passwords.
|
||||
#
|
||||
|
||||
@@ -76,9 +76,6 @@ static const char *auth_methods_host[] = {"trust", "reject", "md5", "password",
|
||||
#ifdef ENABLE_SSPI
|
||||
"sspi",
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
"krb5",
|
||||
#endif
|
||||
#ifdef USE_PAM
|
||||
"pam", "pam ",
|
||||
#endif
|
||||
|
||||
@@ -20,7 +20,6 @@ typedef enum UserAuth
|
||||
{
|
||||
uaReject,
|
||||
uaImplicitReject,
|
||||
uaKrb5,
|
||||
uaTrust,
|
||||
uaIdent,
|
||||
uaPassword,
|
||||
|
||||
@@ -164,7 +164,7 @@ extern bool Db_user_namespace;
|
||||
|
||||
#define AUTH_REQ_OK 0 /* User is authenticated */
|
||||
#define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */
|
||||
#define AUTH_REQ_KRB5 2 /* Kerberos V5 */
|
||||
#define AUTH_REQ_KRB5 2 /* Kerberos V5. Not supported any more. */
|
||||
#define AUTH_REQ_PASSWORD 3 /* Password */
|
||||
#define AUTH_REQ_CRYPT 4 /* crypt password. Not supported any more. */
|
||||
#define AUTH_REQ_MD5 5 /* md5 password */
|
||||
|
||||
@@ -260,21 +260,6 @@
|
||||
/* Define to 1 if you have isinf(). */
|
||||
#undef HAVE_ISINF
|
||||
|
||||
/* Define to 1 if `e_data' is a member of `krb5_error'. */
|
||||
#undef HAVE_KRB5_ERROR_E_DATA
|
||||
|
||||
/* Define to 1 if `text.data' is a member of `krb5_error'. */
|
||||
#undef HAVE_KRB5_ERROR_TEXT_DATA
|
||||
|
||||
/* Define to 1 if you have krb5_free_unparsed_name. */
|
||||
#undef HAVE_KRB5_FREE_UNPARSED_NAME
|
||||
|
||||
/* Define to 1 if `client' is a member of `krb5_ticket'. */
|
||||
#undef HAVE_KRB5_TICKET_CLIENT
|
||||
|
||||
/* Define to 1 if `enc_part2' is a member of `krb5_ticket'. */
|
||||
#undef HAVE_KRB5_TICKET_ENC_PART2
|
||||
|
||||
/* Define to 1 if you have the <langinfo.h> header file. */
|
||||
#undef HAVE_LANGINFO_H
|
||||
|
||||
@@ -656,9 +641,6 @@
|
||||
/* Define to the appropriate snprintf format for 64-bit ints. */
|
||||
#undef INT64_FORMAT
|
||||
|
||||
/* Define to build with Kerberos 5 support. (--with-krb5) */
|
||||
#undef KRB5
|
||||
|
||||
/* Define to 1 if `locale_t' requires <xlocale.h>. */
|
||||
#undef LOCALE_T_IN_XLOCALE
|
||||
|
||||
|
||||
@@ -193,18 +193,6 @@
|
||||
/* Define to 1 if you have isinf(). */
|
||||
#define HAVE_ISINF 1
|
||||
|
||||
/* Define to 1 if `e_data' is member of `krb5_error'. */
|
||||
/* #undef HAVE_KRB5_ERROR_E_DATA */
|
||||
|
||||
/* Define to 1 if `text.data' is member of `krb5_error'. */
|
||||
/* #undef HAVE_KRB5_ERROR_TEXT_DATA */
|
||||
|
||||
/* Define to 1 if `client' is member of `krb5_ticket'. */
|
||||
/* #undef HAVE_KRB5_TICKET_CLIENT */
|
||||
|
||||
/* Define to 1 if `enc_part2' is member of `krb5_ticket'. */
|
||||
/* #undef HAVE_KRB5_TICKET_ENC_PART2 */
|
||||
|
||||
/* Define to 1 if you have the <langinfo.h> header file. */
|
||||
/* #undef HAVE_LANGINFO_H */
|
||||
|
||||
@@ -541,9 +529,6 @@
|
||||
/* Define to the appropriate snprintf format for 64-bit ints, if any. */
|
||||
#define INT64_FORMAT "%lld"
|
||||
|
||||
/* Define to build with Kerberos 5 support. (--with-krb5) */
|
||||
/* #undef KRB5 */
|
||||
|
||||
/* Define to 1 if `locale_t' requires <xlocale.h>. */
|
||||
/* #undef LOCALE_T_IN_XLOCALE */
|
||||
|
||||
|
||||
@@ -43,258 +43,6 @@
|
||||
#include "libpq/md5.h"
|
||||
|
||||
|
||||
#ifdef KRB5
|
||||
/*
|
||||
* MIT Kerberos authentication system - protocol version 5
|
||||
*/
|
||||
|
||||
#include <krb5.h>
|
||||
/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
|
||||
#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
|
||||
#include <com_err.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Heimdal doesn't have a free function for unparsed names. Just pass it to
|
||||
* standard free() which should work in these cases.
|
||||
*/
|
||||
#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
|
||||
static void
|
||||
krb5_free_unparsed_name(krb5_context context, char *val)
|
||||
{
|
||||
free(val);
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* pg_an_to_ln -- return the local name corresponding to an authentication
|
||||
* name
|
||||
*
|
||||
* XXX Assumes that the first aname component is the user name. This is NOT
|
||||
* necessarily so, since an aname can actually be something out of your
|
||||
* worst X.400 nightmare, like
|
||||
* ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
|
||||
* Note that the MIT an_to_ln code does the same thing if you don't
|
||||
* provide an aname mapping database...it may be a better idea to use
|
||||
* krb5_an_to_ln, except that it punts if multiple components are found,
|
||||
* and we can't afford to punt.
|
||||
*
|
||||
* For WIN32, convert username to lowercase because the Win32 kerberos library
|
||||
* generates tickets with the username as the user entered it instead of as
|
||||
* it is entered in the directory.
|
||||
*/
|
||||
static char *
|
||||
pg_an_to_ln(char *aname)
|
||||
{
|
||||
char *p;
|
||||
|
||||
if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
|
||||
*p = '\0';
|
||||
#ifdef WIN32
|
||||
for (p = aname; *p; p++)
|
||||
*p = pg_tolower((unsigned char) *p);
|
||||
#endif
|
||||
|
||||
return aname;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Various krb5 state which is not connection specific, and a flag to
|
||||
* indicate whether we have initialised it yet.
|
||||
*/
|
||||
/*
|
||||
static int pg_krb5_initialised;
|
||||
static krb5_context pg_krb5_context;
|
||||
static krb5_ccache pg_krb5_ccache;
|
||||
static krb5_principal pg_krb5_client;
|
||||
static char *pg_krb5_name;
|
||||
*/
|
||||
|
||||
struct krb5_info
|
||||
{
|
||||
int pg_krb5_initialised;
|
||||
krb5_context pg_krb5_context;
|
||||
krb5_ccache pg_krb5_ccache;
|
||||
krb5_principal pg_krb5_client;
|
||||
char *pg_krb5_name;
|
||||
};
|
||||
|
||||
|
||||
static int
|
||||
pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
|
||||
if (info->pg_krb5_initialised)
|
||||
return STATUS_OK;
|
||||
|
||||
retval = krb5_init_context(&(info->pg_krb5_context));
|
||||
if (retval)
|
||||
{
|
||||
printfPQExpBuffer(errorMessage,
|
||||
"pg_krb5_init: krb5_init_context: %s\n",
|
||||
error_message(retval));
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache));
|
||||
if (retval)
|
||||
{
|
||||
printfPQExpBuffer(errorMessage,
|
||||
"pg_krb5_init: krb5_cc_default: %s\n",
|
||||
error_message(retval));
|
||||
krb5_free_context(info->pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache,
|
||||
&(info->pg_krb5_client));
|
||||
if (retval)
|
||||
{
|
||||
printfPQExpBuffer(errorMessage,
|
||||
"pg_krb5_init: krb5_cc_get_principal: %s\n",
|
||||
error_message(retval));
|
||||
krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
|
||||
krb5_free_context(info->pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name));
|
||||
if (retval)
|
||||
{
|
||||
printfPQExpBuffer(errorMessage,
|
||||
"pg_krb5_init: krb5_unparse_name: %s\n",
|
||||
error_message(retval));
|
||||
krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
|
||||
krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
|
||||
krb5_free_context(info->pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name);
|
||||
|
||||
info->pg_krb5_initialised = 1;
|
||||
return STATUS_OK;
|
||||
}
|
||||
|
||||
static void
|
||||
pg_krb5_destroy(struct krb5_info * info)
|
||||
{
|
||||
krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
|
||||
krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
|
||||
krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name);
|
||||
krb5_free_context(info->pg_krb5_context);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* pg_krb5_sendauth -- client routine to send authentication information to
|
||||
* the server
|
||||
*/
|
||||
static int
|
||||
pg_krb5_sendauth(PGconn *conn)
|
||||
{
|
||||
krb5_error_code retval;
|
||||
int ret;
|
||||
krb5_principal server;
|
||||
krb5_auth_context auth_context = NULL;
|
||||
krb5_error *err_ret = NULL;
|
||||
struct krb5_info info;
|
||||
|
||||
info.pg_krb5_initialised = 0;
|
||||
|
||||
if (!(conn->pghost && conn->pghost[0] != '\0'))
|
||||
{
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
libpq_gettext("host name must be specified\n"));
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
ret = pg_krb5_init(&conn->errorMessage, &info);
|
||||
if (ret != STATUS_OK)
|
||||
return ret;
|
||||
|
||||
retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost,
|
||||
conn->krbsrvname,
|
||||
KRB5_NT_SRV_HST, &server);
|
||||
if (retval)
|
||||
{
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
"pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
|
||||
error_message(retval));
|
||||
pg_krb5_destroy(&info);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* libpq uses a non-blocking socket. But kerberos needs a blocking socket,
|
||||
* and we have to block somehow to do mutual authentication anyway. So we
|
||||
* temporarily make it blocking.
|
||||
*/
|
||||
if (!pg_set_block(conn->sock))
|
||||
{
|
||||
char sebuf[256];
|
||||
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
|
||||
krb5_free_principal(info.pg_krb5_context, server);
|
||||
pg_krb5_destroy(&info);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = krb5_sendauth(info.pg_krb5_context, &auth_context,
|
||||
(krb5_pointer) & conn->sock, (char *) conn->krbsrvname,
|
||||
info.pg_krb5_client, server,
|
||||
AP_OPTS_MUTUAL_REQUIRED,
|
||||
NULL, 0, /* no creds, use ccache instead */
|
||||
info.pg_krb5_ccache, &err_ret, NULL, NULL);
|
||||
if (retval)
|
||||
{
|
||||
if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
|
||||
{
|
||||
#if defined(HAVE_KRB5_ERROR_TEXT_DATA)
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
|
||||
(int) err_ret->text.length, err_ret->text.data);
|
||||
#elif defined(HAVE_KRB5_ERROR_E_DATA)
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
|
||||
(int) err_ret->e_data->length,
|
||||
(const char *) err_ret->e_data->data);
|
||||
#else
|
||||
#error "bogus configuration"
|
||||
#endif
|
||||
}
|
||||
else
|
||||
{
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
"krb5_sendauth: %s\n", error_message(retval));
|
||||
}
|
||||
|
||||
if (err_ret)
|
||||
krb5_free_error(info.pg_krb5_context, err_ret);
|
||||
|
||||
ret = STATUS_ERROR;
|
||||
}
|
||||
|
||||
krb5_free_principal(info.pg_krb5_context, server);
|
||||
|
||||
if (!pg_set_noblock(conn->sock))
|
||||
{
|
||||
char sebuf[256];
|
||||
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
libpq_gettext("could not restore nonblocking mode on socket: %s\n"),
|
||||
pqStrerror(errno, sebuf, sizeof(sebuf)));
|
||||
ret = STATUS_ERROR;
|
||||
}
|
||||
pg_krb5_destroy(&info);
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* KRB5 */
|
||||
|
||||
#ifdef ENABLE_GSS
|
||||
/*
|
||||
* GSSAPI authentication system.
|
||||
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
|
||||
return STATUS_ERROR;
|
||||
|
||||
case AUTH_REQ_KRB5:
|
||||
#ifdef KRB5
|
||||
pglock_thread();
|
||||
if (pg_krb5_sendauth(conn) != STATUS_OK)
|
||||
{
|
||||
/* Error message already filled in */
|
||||
pgunlock_thread();
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
pgunlock_thread();
|
||||
break;
|
||||
#else
|
||||
printfPQExpBuffer(&conn->errorMessage,
|
||||
libpq_gettext("Kerberos 5 authentication not supported\n"));
|
||||
return STATUS_ERROR;
|
||||
#endif
|
||||
|
||||
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
||||
case AUTH_REQ_GSS:
|
||||
|
||||
@@ -278,7 +278,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
|
||||
"Require-Peer", "", 10,
|
||||
offsetof(struct pg_conn, requirepeer)},
|
||||
|
||||
#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
||||
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
||||
/* Kerberos and GSSAPI authentication support specifying the service name */
|
||||
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
|
||||
"Kerberos-service-name", "", 20,
|
||||
@@ -2823,7 +2823,7 @@ freePGconn(PGconn *conn)
|
||||
free(conn->sslcompression);
|
||||
if (conn->requirepeer)
|
||||
free(conn->requirepeer);
|
||||
#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
||||
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
||||
if (conn->krbsrvname)
|
||||
free(conn->krbsrvname);
|
||||
#endif
|
||||
|
||||
@@ -331,7 +331,7 @@ struct pg_conn
|
||||
char *sslcrl; /* certificate revocation list filename */
|
||||
char *requirepeer; /* required peer credentials for local sockets */
|
||||
|
||||
#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
||||
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
||||
char *krbsrvname; /* Kerberos service name */
|
||||
#endif
|
||||
|
||||
|
||||
@@ -221,10 +221,6 @@ s{PG_VERSION_STR "[^"]+"}{__STRINGIFY(x) #x\n#define __STRINGIFY2(z) __STRINGIFY
|
||||
}
|
||||
if ($self->{options}->{krb5})
|
||||
{
|
||||
print O "#define KRB5 1\n";
|
||||
print O "#define HAVE_KRB5_ERROR_TEXT_DATA 1\n";
|
||||
print O "#define HAVE_KRB5_TICKET_ENC_PART2 1\n";
|
||||
print O "#define HAVE_KRB5_FREE_UNPARSED_NAME 1\n";
|
||||
print O "#define ENABLE_GSS 1\n";
|
||||
}
|
||||
if (my $port = $self->{options}->{"--with-pgport"})
|
||||
@@ -625,7 +621,7 @@ sub GetFakeConfigure
|
||||
$cfg .= ' --with-ossp-uuid' if ($self->{options}->{uuid});
|
||||
$cfg .= ' --with-libxml' if ($self->{options}->{xml});
|
||||
$cfg .= ' --with-libxslt' if ($self->{options}->{xslt});
|
||||
$cfg .= ' --with-krb5' if ($self->{options}->{krb5});
|
||||
$cfg .= ' --with-gssapi' if ($self->{options}->{krb5});
|
||||
$cfg .= ' --with-tcl' if ($self->{options}->{tcl});
|
||||
$cfg .= ' --with-perl' if ($self->{options}->{perl});
|
||||
$cfg .= ' --with-python' if ($self->{options}->{python});
|
||||
|
||||
@@ -15,7 +15,6 @@ our $config = {
|
||||
tcl => undef, # --with-tls=<path>
|
||||
perl => undef, # --with-perl
|
||||
python => undef, # --with-python=<path>
|
||||
krb5 => undef, # --with-krb5=<path>
|
||||
openssl => undef, # --with-ssl=<path>
|
||||
uuid => undef, # --with-ossp-uuid
|
||||
xml => undef, # --with-libxml=<path>
|
||||
|
||||
Reference in New Issue
Block a user