diff options
| author | Magnus Hagander <magnus@hagander.net> | 2009-01-09 10:13:19 +0000 |
|---|---|---|
| committer | Magnus Hagander <magnus@hagander.net> | 2009-01-09 10:13:19 +0000 |
| commit | 1b4e729eaa97b6169e08abc70e84709cea2cd00a (patch) | |
| tree | 4daae665450a6f2f7b3fc618abf9042917391640 /src | |
| parent | 32e1265dd97e8321ad67418b781f3d0cf8a9282c (diff) | |
| download | postgresql-1b4e729eaa97b6169e08abc70e84709cea2cd00a.tar.gz postgresql-1b4e729eaa97b6169e08abc70e84709cea2cd00a.zip | |
Make krb_realm and krb_server_hostname be pg_hba options only, and remove
their GUCs.
In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/auth.c | 53 | ||||
| -rw-r--r-- | src/backend/utils/misc/guc.c | 21 | ||||
| -rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 3 |
3 files changed, 16 insertions, 61 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 4b5773ab881..f0561a5b969 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $ * *------------------------------------------------------------------------- */ @@ -129,8 +129,6 @@ static int CheckCertAuth(Port *port); char *pg_krb_server_keyfile; char *pg_krb_srvnam; bool pg_krb_caseins_users; -char *pg_krb_server_hostname = NULL; -char *pg_krb_realm = NULL; /*---------------------------------------------------------------- @@ -645,10 +643,7 @@ pg_krb5_init(Port *port) * If no hostname was specified, pg_krb_server_hostname is already NULL. * If it's set to blank, force it to NULL. */ - if (port->hba->krb_server_hostname) - khostname = port->hba->krb_server_hostname; - else - khostname = pg_krb_server_hostname; + khostname = port->hba->krb_server_hostname; if (khostname && khostname[0] == '\0') khostname = NULL; @@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port) krb5_ticket *ticket; char *kusername; char *cp; - char *realmmatch; if (get_role_line(port->user_name) == NULL) return STATUS_ERROR; @@ -740,11 +734,6 @@ pg_krb5_recvauth(Port *port) return STATUS_ERROR; } - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - cp = strchr(kusername, '@'); if (cp) { @@ -757,19 +746,19 @@ pg_krb5_recvauth(Port *port) *cp = '\0'; cp++; - if (realmmatch != NULL && strlen(realmmatch)) + if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) { /* Match realm against configured */ if (pg_krb_caseins_users) - ret = pg_strcasecmp(realmmatch, cp); + ret = pg_strcasecmp(port->hba->krb_realm, cp); else - ret = strcmp(realmmatch, cp); + ret = strcmp(port->hba->krb_realm, cp); if (ret) { elog(DEBUG2, "krb5 realm (%s) and configured realm (%s) don't match", - cp, realmmatch); + cp, port->hba->krb_realm); krb5_free_ticket(pg_krb5_context, ticket); krb5_auth_con_free(pg_krb5_context, auth_context); @@ -777,7 +766,7 @@ pg_krb5_recvauth(Port *port) } } } - else if (realmmatch && strlen(realmmatch)) + else if (port->hba->krb_realm&& strlen(port->hba->krb_realm)) { elog(DEBUG2, "krb5 did not return realm but realm matching was requested"); @@ -874,7 +863,6 @@ pg_GSS_recvauth(Port *port) int ret; StringInfoData buf; gss_buffer_desc gbuf; - char *realmmatch; /* * GSS auth is not supported for protocol versions before 3, because it @@ -1034,11 +1022,6 @@ pg_GSS_recvauth(Port *port) gettext_noop("retrieving GSS user name failed"), maj_stat, min_stat); - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - /* * Split the username at the realm separator */ @@ -1055,28 +1038,28 @@ pg_GSS_recvauth(Port *port) *cp = '\0'; cp++; - if (realmmatch != NULL && strlen(realmmatch)) + if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) { /* * Match the realm part of the name first */ if (pg_krb_caseins_users) - ret = pg_strcasecmp(realmmatch, cp); + ret = pg_strcasecmp(port->hba->krb_realm, cp); else - ret = strcmp(realmmatch, cp); + ret = strcmp(port->hba->krb_realm, cp); if (ret) { /* GSS realm does not match */ elog(DEBUG2, "GSSAPI realm (%s) and configured realm (%s) don't match", - cp, realmmatch); + cp, port->hba->krb_realm); gss_release_buffer(&lmin_s, &gbuf); return STATUS_ERROR; } } } - else if (realmmatch && strlen(realmmatch)) + else if (port->hba->krb_realm && strlen(port->hba->krb_realm)) { elog(DEBUG2, "GSSAPI did not return realm but realm matching was requested"); @@ -1140,7 +1123,6 @@ pg_SSPI_recvauth(Port *port) SID_NAME_USE accountnameuse; HMODULE secur32; QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken; - char *realmmatch; /* * SSPI auth is not supported for protocol versions before 3, because it @@ -1353,18 +1335,13 @@ pg_SSPI_recvauth(Port *port) * Compare realm/domain if requested. In SSPI, always compare case * insensitive. */ - if (port->hba->krb_realm) - realmmatch = port->hba->krb_realm; - else - realmmatch = pg_krb_realm; - - if (realmmatch && strlen(realmmatch)) + if (port->hba->krb_realm && strlen(port->hba->krb_realm)) { - if (pg_strcasecmp(realmmatch, domainname)) + if (pg_strcasecmp(port->hba->krb_realm, domainname)) { elog(DEBUG2, "SSPI domain (%s) and configured domain (%s) don't match", - domainname, realmmatch); + domainname, port->hba->krb_realm); return STATUS_ERROR; } diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index 22cfbff6105..8d927ae1387 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c @@ -10,7 +10,7 @@ * Written by Peter Eisentraut <peter_e@gmx.net>. * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.491 2009/01/07 22:40:49 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.492 2009/01/09 10:13:18 mha Exp $ * *-------------------------------------------------------------------- */ @@ -2131,16 +2131,6 @@ static struct config_string ConfigureNamesString[] = }, { - {"krb_realm", PGC_SIGHUP, CONN_AUTH_SECURITY, - gettext_noop("Sets realm to match Kerberos and GSSAPI users against."), - NULL, - GUC_SUPERUSER_ONLY - }, - &pg_krb_realm, - NULL, NULL, NULL - }, - - { {"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY, gettext_noop("Sets the location of the Kerberos server key file."), NULL, @@ -2160,15 +2150,6 @@ static struct config_string ConfigureNamesString[] = }, { - {"krb_server_hostname", PGC_SIGHUP, CONN_AUTH_SECURITY, - gettext_noop("Sets the hostname of the Kerberos server."), - NULL - }, - &pg_krb_server_hostname, - NULL, NULL, NULL - }, - - { {"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS, gettext_noop("Sets the Bonjour broadcast service name."), NULL diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample index d53861511ae..ffa5055b768 100644 --- a/src/backend/utils/misc/postgresql.conf.sample +++ b/src/backend/utils/misc/postgresql.conf.sample @@ -81,10 +81,7 @@ # Kerberos and GSSAPI #krb_server_keyfile = '' #krb_srvname = 'postgres' # (Kerberos only) -#krb_server_hostname = '' # empty string matches any keytab entry - # (Kerberos only) #krb_caseins_users = off -#krb_realm = '' # - TCP Keepalives - # see "man 7 tcp" for details |