Diffstat (limited to 'src')
-rw-r--r-- | src/backend/libpq/auth.c | 20 | ||||
-rw-r--r-- | src/backend/utils/misc/guc.c | 23 | ||||
-rw-r--r-- | src/backend/utils/misc/postgresql.conf.sample | 5 | ||||
-rw-r--r-- | src/include/libpq/auth.h | 4 | ||||
-rw-r--r-- | src/include/pg_config.h.in | 8 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-auth.c | 26 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-connect.c | 16 | ||||
-rw-r--r-- | src/interfaces/libpq/libpq-int.h | 5 |
8 files changed, 83 insertions, 24 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b941ccd5030..7970f817561 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.123 2005/02/22 04:35:57 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -41,6 +41,8 @@ static char *recv_password_packet(Port *port);
 static int	recv_and_check_password_packet(Port *port);
 
 char	   *pg_krb_server_keyfile;
+char	   *pg_krb_srvnam;
+bool		pg_krb_caseins_users;
 
 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -99,7 +101,7 @@ pg_krb4_recvauth(Port *port)
 	status = krb_recvauth(krbopts,
 						  port->sock,
 						  &clttkt,
-						  PG_KRB_SRVNAM,
+						  pg_krb_srvnam,
 						  instance,
 						  &port->raddr.in,
 						  &port->laddr.in,
@@ -219,16 +221,16 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}
 
-	retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+	retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
 									 KRB5_NT_SRV_HST, &pg_krb5_server);
 	if (retval)
 	{
 		ereport(LOG,
 				(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-						PG_KRB_SRVNAM, retval)));
+						pg_krb_srvnam, retval)));
 		com_err("postgres", retval,
 				"while getting server principal for service \"%s\"",
-				PG_KRB_SRVNAM);
+				pg_krb_srvnam);
 		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
 		krb5_free_context(pg_krb5_context);
 		return STATUS_ERROR;
@@ -264,7 +266,7 @@ pg_krb5_recvauth(Port *port)
 		return ret;
 
 	retval = krb5_recvauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
+						   (krb5_pointer) & port->sock, "postgres",
 						   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 	if (retval)
 	{
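Review bot: The `"postgres"` literal that replaces PG_KRB_SRVNAM in the krb5_recvauth() call is the appl_version string, which has to match byte for byte what the client passes to krb5_sendauth() in fe-auth.c, and it is now deliberately decoupled from the configurable service name; nothing in the hunk says so, and a later reader is likely to mistake it for the service and put pg_krb_srvnam back, which would break authentication for any client whose krbsrvname differs. Suggest a comment above the call: `/* appl_version: must equal the literal the client passes to krb5_sendauth() (fe-auth.c); intentionally not the configurable service name */`. pg_krb5_recvauth continues outside the hunk.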
@@ -303,7 +305,11 @@ pg_krb5_recvauth(Port *port)
 	}
 
 	kusername = pg_an_to_ln(kusername);
-	if (strncmp(port->user_name, kusername, SM_DATABASE_USER))
+	if (pg_krb_caseins_users)
+		ret = strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
+	else
+		ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
+	if (ret)
 	{
 		ereport(LOG,
 				(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 7f89276b612..3d57509548f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
  * Written by Peter Eisentraut <peter_e@gmx.net>.
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.263 2005/05/27 18:33:30 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $
  *
  *--------------------------------------------------------------------
  */
@@ -63,6 +63,9 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
+#ifndef PG_KRB_SRVNAM
+#define PG_KRB_SRVNAM ""
+#endif
 
 #define CONFIG_FILENAME "postgresql.conf"
 #define HBA_FILENAME	"pg_hba.conf"
@@ -860,6 +863,15 @@ static struct config_bool ConfigureNamesBool[] =
 #endif
 	},
 
+	{
+		{"krb_caseins_users", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets if Kerberos user names should be treated case insensitive."),
+			NULL
+		},
+		&pg_krb_caseins_users,
+		false, NULL, NULL
+	},
+
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, false, NULL, NULL
@@ -1573,6 +1585,15 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"krb_srvname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets the name of the Kerberos service."),
+			NULL
+		},
+		&pg_krb_srvnam,
+		PG_KRB_SRVNAM, NULL, NULL
+	},
+
+	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour broadcast service name."),
 			NULL
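Review bot: `strncasecmp` in the new krb_caseins_users branch is locale-dependent, so the set of ticket principals accepted as a given database user can shift with the server's LC_CTYPE (the usual example is a locale in which 'i' and 'I' do not fold), and this comparison is the authentication decision. The port library already provides a locale-independent ASCII folding, pg_strncasecmp, which is also the folding the client side of this commit applies with pg_tolower() in fe-auth.c; `ret = pg_strncasecmp(port->user_name, kusername, SM_DATABASE_USER);` keeps the check deterministic and consistent with the client. As before, only the first SM_DATABASE_USER characters are compared; that is not changed by this commit. pg_krb5_recvauth continues outside the hunk.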
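Review bot: The gettext_noop() text for krb_caseins_users reads awkwardly ("Sets if ... treated case insensitive") and the long description is left NULL, even though turning this on widens which Kerberos principals authenticate as a database user, which is exactly what an administrator reading pg_settings needs to know. Suggest `gettext_noop("Sets whether Kerberos user names are treated case-insensitively.")` for the short description and a long description along the lines of "When on, the user name taken from the Kerberos ticket is matched against the database user name ignoring case." ConfigureNamesBool continues outside the hunk.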
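Review bot: The krb_srvname entry's boot value is PG_KRB_SRVNAM, which the `#ifndef PG_KRB_SRVNAM` hunk earlier in this file defaults to `""` when the build does not define it, while postgresql.conf.sample in this same commit documents `#krb_srvname = 'postgres'`; if configure only defines the macro when Kerberos is enabled, the empty fallback is presumably unreachable in practice, but nothing in guc.c tells a reader that. A one-line comment on the fallback, `/* only reached when built without Kerberos; configure supplies the real default */`, or a long description stating that the default is the configure-time --with-krb-srvnam value rather than NULL, would remove the apparent contradiction. ConfigureNamesString continues outside the hunk.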
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 0e88d4c5ed0..d54ae5fcfda 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -64,8 +64,11 @@
 #authentication_timeout = 60	# 1-600, in seconds
 #ssl = false
 #password_encryption = true
-#krb_server_keyfile = ''
 #db_user_namespace = false
+# Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = false
+#krb_srvname = 'postgres'
 
 
 #---------------------------------------------------------------------------
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 3aef036078f..b8fd25eb64f 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -7,7 +7,7 @@
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.26 2004/12/31 22:03:32 pgsql Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.27 2005/06/04 20:42:42 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -27,5 +27,7 @@ extern void ClientAuthentication(Port *port);
 #define PG_KRB5_VERSION "PGVER5.1"
 
 extern char *pg_krb_server_keyfile;
+extern char *pg_krb_srvnam;
+extern bool pg_krb_caseins_users;
 
 #endif   /* AUTH_H */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 51a13907bb0..da29557e927 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -602,7 +602,7 @@
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
-/* Define to the name of the PostgreSQL service principal in Kerberos.
+/* Define to the name of the default PostgreSQL service principal in Kerberos.
    (--with-krb-srvnam=NAME) */
 #undef PG_KRB_SRVNAM
 
@@ -635,6 +635,9 @@
 /* Define to 1 to build with assertion checks. (--enable-cassert) */
 #undef USE_ASSERT_CHECKING
 
+/* Define to 1 to build with Bonjour support. (--with-bonjour) */
+#undef USE_BONJOUR
+
 /* Define to 1 if you want 64-bit integer timestamp and interval support.
    (--enable-integer-datetimes) */
 #undef USE_INTEGER_DATETIMES
@@ -645,9 +648,6 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
-/* Define to 1 to build with Bonjour support. (--with-bonjour) */
-#undef USE_BONJOUR
-
 /* Use replacement snprintf() functions. */
 #undef USE_SNPRINTF
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 0dda34401bb..6624df1ad0a 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
  * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.100 2005/03/25 00:34:28 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.101 2005/06/04 20:42:43 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -196,7 +196,8 @@ static int
 pg_krb4_sendauth(char *PQerrormsg, int sock,
 				 struct sockaddr_in * laddr,
 				 struct sockaddr_in * raddr,
-				 const char *hostname)
+				 const char *hostname,
+				 const char *servicename)
 {
 	long		krbopts = 0;	/* one-way authentication */
 	KTEXT_ST	clttkt;
@@ -216,7 +217,7 @@ pg_krb4_sendauth(char *PQerrormsg, int sock,
 	status = krb_sendauth(krbopts,
 						  sock,
 						  &clttkt,
-						  PG_KRB_SRVNAM,
+						  servicename,
 						  hostname,
 						  realm,
 						  (u_long) 0,
@@ -260,6 +261,10 @@ pg_krb4_sendauth(char *PQerrormsg, int sock,
  * provide an aname mapping database...it may be a better idea to use
  * krb5_an_to_ln, except that it punts if multiple components are found,
  * and we can't afford to punt.
+ *
+ * For WIN32, convert username to lowercase because the Win32 kerberos library
+ * generates tickets with the username as the user entered it instead of as
+ * it is entered in the directory.
  */
 static char *
 pg_an_to_ln(char *aname)
@@ -268,6 +273,11 @@ pg_an_to_ln(char *aname)
 	if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
 		*p = '\0';
 
+#ifdef WIN32
+	for (p = aname; *p ; p++)
+		*p = pg_tolower(*p);
+#endif
+
 	return aname;
 }
 
@@ -360,7 +370,7 @@ pg_krb5_authname(char *PQerrormsg)
  *	the server
  */
 static int
-pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
+pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *servicename)
 {
 	krb5_error_code retval;
 	int			ret;
@@ -379,7 +389,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
 	if (ret != STATUS_OK)
 		return ret;
 
-	retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+	retval = krb5_sname_to_principal(pg_krb5_context, hostname, servicename,
 									 KRB5_NT_SRV_HST, &server);
 	if (retval)
 	{
@@ -405,7 +415,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
 	}
 
 	retval = krb5_sendauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & sock, PG_KRB_SRVNAM,
+						   (krb5_pointer) & sock, "postgres",
 						   pg_krb5_client, server,
 						   AP_OPTS_MUTUAL_REQUIRED,
 						   NULL, 0,		/* no creds, use ccache instead */
@@ -602,7 +612,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
 			if (pg_krb4_sendauth(PQerrormsg, conn->sock,
 								 (struct sockaddr_in *) & conn->laddr.addr,
 								 (struct sockaddr_in *) & conn->raddr.addr,
-								 hostname) != STATUS_OK)
+								 hostname, conn->krbsrvname) != STATUS_OK)
 			{
 				/* PQerrormsg already filled in */
 				pgunlock_thread();
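Review bot: The WIN32 lowercasing in the client's pg_an_to_ln() changes the user name the client will send, but the server side of this same commit (pg_krb5_recvauth in auth.c) still compares port->user_name against the ticket principal with strncmp unless krb_caseins_users is on, so unless the backend's own pg_an_to_ln folds the same way (not visible here) a Windows user with a mixed-case principal is rejected by default; the new comment should say that this folding depends on krb_caseins_users being enabled server-side. Suggest appending ` * The server compares the ticket principal case-sensitively unless krb_caseins_users is set, so that setting is required for mixed-case principals.` to the comment block. pg_tolower() also folds ASCII only, so non-ASCII principal names are left as entered, which is worth a word if intended. pg_an_to_ln starts before this hunk.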
@@ -620,7 +630,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
 #ifdef KRB5
 			pglock_thread();
 			if (pg_krb5_sendauth(PQerrormsg, conn->sock,
-								 hostname) != STATUS_OK)
+								 hostname, conn->krbsrvname) != STATUS_OK)
 			{
 				/* PQerrormsg already filled in */
 				pgunlock_thread();
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 15bcf5f911b..05899450237 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.306 2005/05/05 16:40:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.307 2005/06/04 20:42:43 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -170,6 +170,12 @@ static const PQconninfoOption PQconninfoOptions[] = {
 	{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
 	"SSL-Mode", "", 8},			/* sizeof("disable") == 8 */
 
+#if defined(KRB4) || defined(KRB5)
+	/* Kerberos authentication supports specifying the service name */
+	{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
+	"Kerberos-service-name", "", 20},
+#endif
+
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL, NULL, NULL, 0}
 
@@ -393,6 +399,10 @@ connectOptions1(PGconn *conn, const char *conninfo)
 		conn->sslmode = strdup("require");
 	}
 #endif
+#if defined(KRB4) || defined(KRB5)
+	tmp = conninfo_getval(connOptions, "krbsrvname");
+	conn->krbsrvname = tmp ? strdup(tmp) : NULL;
+#endif
 
 	/*
 	 * Free the option info - all is in conn now
@@ -2074,6 +2084,10 @@ freePGconn(PGconn *conn)
 		free(conn->pgpass);
 	if (conn->sslmode)
 		free(conn->sslmode);
+#if defined(KRB4) || defined(KRB5)
+	if (conn->krbsrvname)
+		free(conn->krbsrvname);
+#endif
 	/* Note that conn->Pfdebug is not ours to close or free */
 	notify = conn->notifyHead;
 	while (notify != NULL)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 9862e01bc91..e4692d5d5f6 100644
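Review bot: connectOptions1 stores the krbsrvname value without checking it, so `krbsrvname=''` (or an empty PGKRBSRVNAME) forwards an empty service name to krb5_sname_to_principal()/krb_sendauth() in fe-auth.c, and a NULL value — if conninfo_getval() can return one — would, as far as I recall of the MIT library, be interpreted as the "host" service, so the client would authenticate against a principal other than the one the user intended with an error that is hard to trace to the option. Suggest falling back to the compiled-in default for an empty value, `conn->krbsrvname = strdup((tmp && tmp[0]) ? tmp : PG_KRB_SRVNAM);`, with a comment stating that an empty service name is not meaningful. The unchecked strdup() matches how the surrounding options are handled in this function, which starts and ends outside the hunk.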
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -12,7 +12,7 @@
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.100 2005/01/06 00:59:47 tgl Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.101 2005/06/04 20:42:43 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -261,6 +261,9 @@ struct pg_conn
 	char	   *pguser;			/* Postgres username and password, if any */
 	char	   *pgpass;
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
+#if defined(KRB5) || defined(KRB4)
+	char	   *krbsrvname;		/* Kerberos service name */
+#endif
 
 	/* Optional file to write trace info to */
 	FILE	   *Pfdebug;
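Review bot: Making krbsrvname a conditional member ties the layout of struct pg_conn to the KRB4/KRB5 build flags, unlike sslmode two lines above, which is present whether or not SSL support is compiled in; every translation unit that includes libpq-int.h now has to be built with identical Kerberos defines or field offsets after this point silently disagree. Declaring it unconditionally, `char *krbsrvname; /* Kerberos service name; unused unless KRB4/KRB5 */`, costs one pointer and would also let fe-connect.c drop the `#if defined(KRB4) || defined(KRB5)` guards around the option's strdup and free (the guard on the options-table entry can stay, since it controls which options are accepted). struct pg_conn continues outside the hunk.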