mirror of
https://github.com/postgres/postgres.git
synced 2025-07-02 09:02:37 +03:00
GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption support by moving common code for error handling into a separate file. Fix a TODO for handling multiple status messages in the process. Eliminate the OIDs, which have not been needed for some time. Add frontend and backend encryption support functions. Keep the context initiation for authentication-only separate on both the frontend and backend in order to avoid concerns about changing the requested flags to include encryption support. In postmaster, pull GSSAPI authorization checking into a shared function. Also share the initiator name between the encryption and non-encryption codepaths. For HBA, add "hostgssenc" and "hostnogssenc" entries that behave similarly to their SSL counterparts. "hostgssenc" requires either "gss", "trust", or "reject" for its authentication. Similarly, add a "gssencmode" parameter to libpq. Supported values are "disable", "require", and "prefer". Notably, negotiation will only be attempted if credentials can be acquired. Move credential acquisition into its own function to support this behavior. Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring if GSSAPI authentication was used, what principal was used, and if encryption is being used on the connection. Finally, add documentation for everything new, and update existing documentation on connection security. Thanks to Michael Paquier for the Windows fixes. Author: Robbie Harwood, with changes to the read/write functions by me. Reviewed in various forms and at different times by: Michael Paquier, Andres Freund, David Steele. Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
This commit is contained in:
Stephen Frost
@ -160,6 +160,7 @@ static void print_with_linenumbers(FILE *output, char *lines,
|
||||
static void minimal_error_message(PGresult *res);
|
||||
|
||||
static void printSSLInfo(void);
|
||||
static void printGSSInfo(void);
|
||||
static bool printPsetInfo(const char *param, struct printQueryOpt *popt);
|
||||
static char *pset_value_string(const char *param, struct printQueryOpt *popt);
|
||||
|
||||
@ -621,6 +622,7 @@ exec_command_conninfo(PsqlScanState scan_state, bool active_branch)
|
||||
db, PQuser(pset.db), host, PQport(pset.db));
|
||||
}
|
||||
printSSLInfo();
|
||||
printGSSInfo();
|
||||
}
|
||||
}
|
||||
|
||||
@ -3184,6 +3186,7 @@ connection_warnings(bool in_startup)
|
||||
checkWin32Codepage();
|
||||
#endif
|
||||
printSSLInfo();
|
||||
printGSSInfo();
|
||||
}
|
||||
}
|
||||
|
||||
@ -3216,6 +3219,20 @@ printSSLInfo(void)
|
||||
(compression && strcmp(compression, "off") != 0) ? _("on") : _("off"));
|
||||
}
|
||||
|
||||
/*
|
||||
* printGSSInfo
|
||||
*
|
||||
* Prints information about the current GSSAPI connection, if GSSAPI encryption is in use
|
||||
*/
|
||||
static void
|
||||
printGSSInfo(void)
|
||||
{
|
||||
if (!PQgssEncInUse(pset.db))
|
||||
return; /* no GSSAPI encryption in use */
|
||||
|
||||
printf(_("GSSAPI Encrypted connection\n"));
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* checkWin32Codepage
|
||||
|
||||
Reference in New Issue
Block a user