Commit a159ad30 authored by Neil Conway

Remove support for Kerberos V4. It seems no one is using this, it has

some security issues, and upstream has declared it "dead". Patch from
Magnus Hagander, minor editorialization from Neil Conway.
parent a051da02
dnl Process this file with autoconf to produce a configure script. dnl Process this file with autoconf to produce a configure script.
dnl $PostgreSQL: pgsql/configure.in,v 1.412 2005/06/04 20:42:41 momjian Exp $ dnl $PostgreSQL: pgsql/configure.in,v 1.413 2005/06/27 02:04:23 neilc Exp $
dnl dnl
dnl Developers, please strive to achieve this order: dnl Developers, please strive to achieve this order:
dnl dnl
...@@ -409,19 +409,6 @@ PGAC_ARG_BOOL(with, python, no, [ --with-python build Python modules ...@@ -409,19 +409,6 @@ PGAC_ARG_BOOL(with, python, no, [ --with-python build Python modules
AC_MSG_RESULT([$with_python]) AC_MSG_RESULT([$with_python])
AC_SUBST(with_python) AC_SUBST(with_python)
#
# Kerberos 4
#
AC_MSG_CHECKING([whether to build with Kerberos 4 support])
PGAC_ARG_BOOL(with, krb4, no, [ --with-krb4 build with Kerberos 4 support],
[
AC_DEFINE(KRB4, 1, [Define to build with Kerberos 4 support. (--with-krb4)])
krb_srvtab="/etc/srvtab"
])
AC_MSG_RESULT([$with_krb4])
AC_SUBST(with_krb4)
# #
# Kerberos 5 # Kerberos 5
# #
...@@ -435,11 +422,6 @@ AC_MSG_RESULT([$with_krb5]) ...@@ -435,11 +422,6 @@ AC_MSG_RESULT([$with_krb5])
AC_SUBST(with_krb5) AC_SUBST(with_krb5)
# Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work.
if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
fi
AC_SUBST(krb_srvtab) AC_SUBST(krb_srvtab)
...@@ -666,12 +648,6 @@ else ...@@ -666,12 +648,6 @@ else
*** Not using spinlocks will cause poor performance.]) *** Not using spinlocks will cause poor performance.])
fi fi
if test "$with_krb4" = yes ; then
AC_CHECK_LIB(des, des_encrypt, [], [AC_MSG_ERROR([library 'des' is required for Kerberos 4])])
AC_CHECK_LIB(krb, krb_sendauth, [], [AC_MSG_ERROR([library 'krb' is required for Kerberos 4])])
AC_REPLACE_FUNCS([gethostname])
fi
if test "$with_krb5" = yes ; then if test "$with_krb5" = yes ; then
if test "$PORTNAME" != "win32"; then if test "$PORTNAME" != "win32"; then
AC_SEARCH_LIBS(com_err, [krb5 'krb5 -ldes -lasn1 -lroken' com_err], [], AC_SEARCH_LIBS(com_err, [krb5 'krb5 -ldes -lasn1 -lroken' com_err], [],
...@@ -762,10 +738,6 @@ failure. It is possible the compiler isn't looking in the proper directory. ...@@ -762,10 +738,6 @@ failure. It is possible the compiler isn't looking in the proper directory.
Use --without-zlib to disable zlib support.])]) Use --without-zlib to disable zlib support.])])
fi fi
if test "$with_krb4" = yes ; then
AC_CHECK_HEADER(krb.h, [], [AC_MSG_ERROR([header file <krb.h> is required for Kerberos 4])])
fi
if test "$with_krb5" = yes ; then if test "$with_krb5" = yes ; then
AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file <krb5.h> is required for Kerberos 5])]) AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file <krb5.h> is required for Kerberos 5])])
fi fi
......
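Review bot: `AC_SUBST(krb_srvtab)` survives the configure.in hunk at `AC_SUBST(with_krb5)`, but the only assignment to krb_srvtab visible on this page was the `krb_srvtab="/etc/srvtab"` line inside the removed Kerberos 4 block. The Kerberos 5 block that presumably sets it to the keytab default lies outside the hunk, so confirm it still assigns the variable; otherwise the substitution becomes empty and the server's default keytab path is lost. The three krb4 checks removed further down (library, gethostname replacement, header) have no remaining consumers that I can see.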
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.81 2005/06/21 04:02:29 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.82 2005/06/27 02:04:23 neilc Exp $
--> -->
<chapter id="client-authentication"> <chapter id="client-authentication">
...@@ -326,17 +326,6 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> ...@@ -326,17 +326,6 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><literal>krb4</></term>
<listitem>
<para>
Use Kerberos V4 to authenticate the user. This is only
available for TCP/IP connections. See <xref
linkend="kerberos-auth"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><literal>krb5</></term> <term><literal>krb5</></term>
<listitem> <listitem>
...@@ -623,11 +612,8 @@ local db1,db2,@demodbs all md5 ...@@ -623,11 +612,8 @@ local db1,db2,@demodbs all md5
</para> </para>
<para> <para>
While <productname>PostgreSQL</> supports both Kerberos 4 and <productname>PostgreSQL</> supports Kerberos version 5, and it has
Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is to be enabled at build time. See
considered insecure and no longer recommended for general
use. Only one version of Kerberos can be supported in any one
build, and support must be enabled at build time. See
<xref linkend="installation"> for more information. <xref linkend="installation"> for more information.
</para> </para>
...@@ -669,11 +655,9 @@ local db1,db2,@demodbs all md5 ...@@ -669,11 +655,9 @@ local db1,db2,@demodbs all md5
account. (See also <xref linkend="postgres-user">.) The location account. (See also <xref linkend="postgres-user">.) The location
of the key file is specified by the <xref of the key file is specified by the <xref
linkend="guc-krb-server-keyfile"> configuration linkend="guc-krb-server-keyfile"> configuration
parameter. The default parameter. The default is
is <filename>/etc/srvtab</> if you are using Kerberos 4 and
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
directory was specified as <varname>sysconfdir</> at build time) directory was specified as <varname>sysconfdir</> at build time).
with Kerberos 5.
</para> </para>
<para> <para>
......
<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.237 2005/06/21 20:45:43 tgl Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.238 2005/06/27 02:04:23 neilc Exp $ -->
<chapter id="installation"> <chapter id="installation">
<title><![%standalone-include[<productname>PostgreSQL</>]]> <title><![%standalone-include[<productname>PostgreSQL</>]]>
...@@ -787,12 +787,10 @@ su - postgres ...@@ -787,12 +787,10 @@ su - postgres
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>--with-krb4</option></term>
<term><option>--with-krb5</option></term> <term><option>--with-krb5</option></term>
<listitem> <listitem>
<para> <para>
Build with support for Kerberos authentication. You can use Build with support for Kerberos 5 authentication. On many
either Kerberos version 4 or 5, but not both. On many
systems, the Kerberos system is not installed in a location systems, the Kerberos system is not installed in a location
that is searched by default (e.g., <filename>/usr/include</>, that is searched by default (e.g., <filename>/usr/include</>,
<filename>/usr/lib</>), so you must use the options <filename>/usr/lib</>), so you must use the options
......
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.187 2005/06/26 19:16:04 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.188 2005/06/27 02:04:24 neilc Exp $
--> -->
<chapter id="libpq"> <chapter id="libpq">
...@@ -283,7 +283,7 @@ PGconn *PQconnectdb(const char *conninfo); ...@@ -283,7 +283,7 @@ PGconn *PQconnectdb(const char *conninfo);
<term><literal>krbsrvname</literal></term> <term><literal>krbsrvname</literal></term>
<listitem> <listitem>
<para> <para>
Kerberos service name to use when authenticating with Kerberos 4 or 5. Kerberos service name to use when authenticating with Kerberos 5.
This must match the service name specified in the server This must match the service name specified in the server
configuration for Kerberos authentication to succeed. (See also configuration for Kerberos authentication to succeed. (See also
<xref linkend="kerberos-auth">.) <xref linkend="kerberos-auth">.)
...@@ -3813,7 +3813,7 @@ setting, and is only available if ...@@ -3813,7 +3813,7 @@ setting, and is only available if
<primary><envar>PGKRBSRVNAME</envar></primary> <primary><envar>PGKRBSRVNAME</envar></primary>
</indexterm> </indexterm>
<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
authenticating with Kerberos 4 or 5. authenticating with Kerberos 5.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
......
<!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.60 2005/06/26 19:16:04 tgl Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.61 2005/06/27 02:04:24 neilc Exp $ -->
<chapter id="protocol"> <chapter id="protocol">
<title>Frontend/Backend Protocol</title> <title>Frontend/Backend Protocol</title>
...@@ -264,19 +264,6 @@ ...@@ -264,19 +264,6 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>AuthenticationKerberosV4</term>
<listitem>
<para>
The frontend must now take part in a Kerberos V4
authentication dialog (not described here, part of the
Kerberos specification) with the server. If this is
successful, the server responds with an AuthenticationOk,
otherwise it responds with an ErrorResponse.
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term>AuthenticationKerberosV5</term> <term>AuthenticationKerberosV5</term>
<listitem> <listitem>
...@@ -1411,50 +1398,6 @@ AuthenticationOk (B) ...@@ -1411,50 +1398,6 @@ AuthenticationOk (B)
</varlistentry> </varlistentry>
<varlistentry>
<term>
AuthenticationKerberosV4 (B)
</term>
<listitem>
<para>
<variablelist>
<varlistentry>
<term>
Byte1('R')
</term>
<listitem>
<para>
Identifies the message as an authentication request.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
Int32(8)
</term>
<listitem>
<para>
Length of message contents in bytes, including self.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
Int32(1)
</term>
<listitem>
<para>
Specifies that Kerberos V4 authentication is required.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term> <term>
AuthenticationKerberosV5 (B) AuthenticationKerberosV5 (B)
......
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.126 2005/06/27 02:04:24 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -69,83 +69,6 @@ static Port *pam_port_cludge; /* Workaround for passing "Port *port" ...@@ -69,83 +69,6 @@ static Port *pam_port_cludge; /* Workaround for passing "Port *port"
* into pam_passwd_conv_proc */ * into pam_passwd_conv_proc */
#endif /* USE_PAM */ #endif /* USE_PAM */
#ifdef KRB4
/*----------------------------------------------------------------
* MIT Kerberos authentication system - protocol version 4
*----------------------------------------------------------------
*/
#include "krb.h"
/*
* pg_krb4_recvauth -- server routine to receive authentication information
* from the client
*
* Nothing unusual here, except that we compare the username obtained from
* the client's setup packet to the authenticated name. (We have to retain
* the name in the setup packet since we have to retain the ability to handle
* unauthenticated connections.)
*/
static int
pg_krb4_recvauth(Port *port)
{
long krbopts = 0; /* one-way authentication */
KTEXT_ST clttkt;
char instance[INST_SZ + 1],
version[KRB_SENDAUTH_VLEN + 1];
AUTH_DAT auth_data;
Key_schedule key_sched;
int status;
strcpy(instance, "*"); /* don't care, but arg gets expanded
* anyway */
status = krb_recvauth(krbopts,
port->sock,
&clttkt,
pg_krb_srvnam,
instance,
&port->raddr.in,
&port->laddr.in,
&auth_data,
pg_krb_server_keyfile,
key_sched,
version);
if (status != KSUCCESS)
{
ereport(LOG,
(errmsg("Kerberos error: %s", krb_err_txt[status])));
return STATUS_ERROR;
}
if (strncmp(version, PG_KRB4_VERSION, KRB_SENDAUTH_VLEN) != 0)
{
ereport(LOG,
(errmsg("unexpected Kerberos protocol version received from client (received \"%s\", expected \"%s\")",
version, PG_KRB4_VERSION)));
return STATUS_ERROR;
}
if (strncmp(port->user_name, auth_data.pname, SM_DATABASE_USER) != 0)
{
ereport(LOG,
(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
port->user_name, auth_data.pname)));
return STATUS_ERROR;
}
return STATUS_OK;
}
#else
static int
pg_krb4_recvauth(Port *port)
{
ereport(LOG,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("Kerberos 4 not implemented on this server")));
return STATUS_ERROR;
}
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
/*---------------------------------------------------------------- /*----------------------------------------------------------------
* MIT Kerberos authentication system - protocol version 5 * MIT Kerberos authentication system - protocol version 5
...@@ -252,8 +175,7 @@ pg_krb5_init(void) ...@@ -252,8 +175,7 @@ pg_krb5_init(void)
* from the client * from the client
* *
* We still need to compare the username obtained from the client's setup * We still need to compare the username obtained from the client's setup
* packet to the authenticated name, as described in pg_krb4_recvauth. This * packet to the authenticated name.
* is a bit more problematic in v5, as described above in pg_an_to_ln.
* *
* We have our own keytab file because postgres is unlikely to run as root, * We have our own keytab file because postgres is unlikely to run as root,
* and so cannot read the default keytab. * and so cannot read the default keytab.
...@@ -380,9 +302,6 @@ auth_failed(Port *port, int status) ...@@ -380,9 +302,6 @@ auth_failed(Port *port, int status)
case uaReject: case uaReject:
errstr = gettext_noop("authentication failed for user \"%s\": host rejected"); errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
break; break;
case uaKrb4:
errstr = gettext_noop("Kerberos 4 authentication failed for user \"%s\"");
break;
case uaKrb5: case uaKrb5:
errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\""); errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
break; break;
...@@ -471,17 +390,6 @@ ClientAuthentication(Port *port) ...@@ -471,17 +390,6 @@ ClientAuthentication(Port *port)
break; break;
} }
case uaKrb4:
/* Kerberos 4 only seems to work with AF_INET. */
if (port->raddr.addr.ss_family != AF_INET
|| port->laddr.addr.ss_family != AF_INET)
ereport(FATAL,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("Kerberos 4 only supports IPv4 connections")));
sendAuthRequest(port, AUTH_REQ_KRB4);
status = pg_krb4_recvauth(port);
break;
case uaKrb5: case uaKrb5:
sendAuthRequest(port, AUTH_REQ_KRB5); sendAuthRequest(port, AUTH_REQ_KRB5);
status = pg_krb5_recvauth(port); status = pg_krb5_recvauth(port);
......
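Review bot: The rewritten header comment on pg_krb5_recvauth, in the hunk starting at `pg_krb5_init`, drops the caveat that mapping the authenticated principal to a local user name is the delicate step in V5; the removed sentence pointed the reader at pg_an_to_ln for that. The comparison of the client-supplied name against the authenticated one is the authorization decision for this method, so the pointer is worth keeping: `* packet to the authenticated name. In v5 that name comes from the` / `* principal via pg_an_to_ln (see above), which is where the mapping caveats live.` The function body and pg_an_to_ln itself are outside the hunk.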
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.141 2005/06/21 01:20:09 neilc Exp $ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.142 2005/06/27 02:04:25 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -607,8 +607,6 @@ parse_hba_auth(ListCell **line_item, UserAuth *userauth_p, ...@@ -607,8 +607,6 @@ parse_hba_auth(ListCell **line_item, UserAuth *userauth_p,
*userauth_p = uaIdent; *userauth_p = uaIdent;
else if (strcmp(token, "password") == 0) else if (strcmp(token, "password") == 0)
*userauth_p = uaPassword; *userauth_p = uaPassword;
else if (strcmp(token, "krb4") == 0)
*userauth_p = uaKrb4;
else if (strcmp(token, "krb5") == 0) else if (strcmp(token, "krb5") == 0)
*userauth_p = uaKrb5; *userauth_p = uaKrb5;
else if (strcmp(token, "reject") == 0) else if (strcmp(token, "reject") == 0)
...@@ -694,8 +692,7 @@ parse_hba(List *line, int line_num, hbaPort *port, ...@@ -694,8 +692,7 @@ parse_hba(List *line, int line_num, hbaPort *port,
goto hba_syntax; goto hba_syntax;
/* Disallow auth methods that always need TCP/IP sockets to work */ /* Disallow auth methods that always need TCP/IP sockets to work */
if (port->auth_method == uaKrb4 || if (port->auth_method == uaKrb5)
port->auth_method == uaKrb5)
goto hba_syntax; goto hba_syntax;
/* Does not match if connection isn't AF_UNIX */ /* Does not match if connection isn't AF_UNIX */
......
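Review bot: After the parse_hba_auth hunk, a pg_hba.conf line that still names `krb4` is matched by no strcmp branch and presumably reaches the trailing else outside the hunk, which I take to report a generic syntax error; since this commit turns a previously valid method into a load-time failure, a short comment there, or a dedicated message naming the removed method, would make the failure self-explanatory on upgrade, e.g. `/* "krb4" was accepted before Kerberos V4 support was removed; it is now a syntax error */`. In parse_hba the comment `Disallow auth methods that always need TCP/IP sockets to work` now guards a single method, which still reads correctly.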
...@@ -35,7 +35,7 @@ ...@@ -35,7 +35,7 @@
# an IP address and netmask in separate columns to specify the set of hosts. # an IP address and netmask in separate columns to specify the set of hosts.
# #
# METHOD can be "trust", "reject", "md5", "crypt", "password", # METHOD can be "trust", "reject", "md5", "crypt", "password",
# "krb4", "krb5", "ident", or "pam". Note that "password" sends passwords # "krb5", "ident", or "pam". Note that "password" sends passwords
# in clear text; "md5" is preferred since it sends encrypted passwords. # in clear text; "md5" is preferred since it sends encrypted passwords.
# #
# OPTION is the ident map or the name of the PAM service, depending on METHOD. # OPTION is the ident map or the name of the PAM service, depending on METHOD.
......
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California * Portions Copyright (c) 1994, Regents of the University of California
* *
* $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.28 2005/06/14 17:43:14 momjian Exp $ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.29 2005/06/27 02:04:25 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -23,8 +23,7 @@ ...@@ -23,8 +23,7 @@
extern void ClientAuthentication(Port *port); extern void ClientAuthentication(Port *port);
#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */ #define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */
#define PG_KRB5_VERSION "PGVER5.1"
extern char *pg_krb_server_keyfile; extern char *pg_krb_server_keyfile;
extern char *pg_krb_srvnam; extern char *pg_krb_srvnam;
......
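Review bot: The trailing comment `at most KRB_SENDAUTH_VLEN chars` was attached to PG_KRB4_VERSION and has been carried over to PG_KRB5_VERSION on the new side of the auth.h hunk; KRB_SENDAUTH_VLEN is the limit the removed pg_krb4_recvauth checked with strncmp against the V4 krb.h interface, and nothing on this page shows the V5 sendauth path bounding its version string the same way. Either confirm the constant is provided by the Kerberos 5 headers the build now relies on and that the V5 code checks against it, or drop the qualifier: `#define PG_KRB5_VERSION "PGVER5.1"`. The same comment was moved in the fe-auth.h hunk.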
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
* Interface to hba.c * Interface to hba.c
* *
* *
* $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.36 2005/02/26 18:43:34 tgl Exp $ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.37 2005/06/27 02:04:25 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -17,7 +17,6 @@ ...@@ -17,7 +17,6 @@
typedef enum UserAuth typedef enum UserAuth
{ {
uaReject, uaReject,
uaKrb4,
uaKrb5, uaKrb5,
uaTrust, uaTrust,
uaIdent, uaIdent,
......
...@@ -9,7 +9,7 @@ ...@@ -9,7 +9,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California * Portions Copyright (c) 1994, Regents of the University of California
* *
* $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.96 2004/12/31 22:03:32 pgsql Exp $ * $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.97 2005/06/27 02:04:26 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -160,7 +160,7 @@ extern bool Db_user_namespace; ...@@ -160,7 +160,7 @@ extern bool Db_user_namespace;
/* These are the authentication request codes sent by the backend. */ /* These are the authentication request codes sent by the backend. */
#define AUTH_REQ_OK 0 /* User is authenticated */ #define AUTH_REQ_OK 0 /* User is authenticated */
#define AUTH_REQ_KRB4 1 /* Kerberos V4 */ #define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */
#define AUTH_REQ_KRB5 2 /* Kerberos V5 */ #define AUTH_REQ_KRB5 2 /* Kerberos V5 */
#define AUTH_REQ_PASSWORD 3 /* Password */ #define AUTH_REQ_PASSWORD 3 /* Password */
#define AUTH_REQ_CRYPT 4 /* crypt password */ #define AUTH_REQ_CRYPT 4 /* crypt password */
......
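Review bot: AUTH_REQ_KRB4 is kept at value 1 with the comment `Kerberos V4. Not supported any more.`, but the comment does not say why the definition survives the removal, so a later cleanup may delete it or reuse the number. These are wire-protocol codes exchanged with older peers, so I would state the intent: `#define AUTH_REQ_KRB4 1 /* Kerberos V4 (removed); value reserved so it is never reassigned */`.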
...@@ -575,9 +575,6 @@ ...@@ -575,9 +575,6 @@
/* Define to the appropriate snprintf format for 64-bit ints, if any. */ /* Define to the appropriate snprintf format for 64-bit ints, if any. */
#undef INT64_FORMAT #undef INT64_FORMAT
/* Define to build with Kerberos 4 support. (--with-krb4) */
#undef KRB4
/* Define to build with Kerberos 5 support. (--with-krb5) */ /* Define to build with Kerberos 5 support. (--with-krb5) */
#undef KRB5 #undef KRB5
......
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California * Portions Copyright (c) 1994, Regents of the University of California
* *
* $PostgreSQL: pgsql/src/include/port.h,v 1.75 2005/05/25 21:40:41 momjian Exp $ * $PostgreSQL: pgsql/src/include/port.h,v 1.76 2005/06/27 02:04:25 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -267,10 +267,6 @@ extern int getopt(int nargc, char *const * nargv, const char *ostr); ...@@ -267,10 +267,6 @@ extern int getopt(int nargc, char *const * nargv, const char *ostr);
extern int isinf(double x); extern int isinf(double x);
#endif #endif
#if !defined(HAVE_GETHOSTNAME) && defined(KRB4)
extern int gethostname(char *name, int namelen);
#endif
#ifndef HAVE_RINT #ifndef HAVE_RINT
extern double rint(double x); extern double rint(double x);
#endif #endif
......
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
# Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group # Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
# Portions Copyright (c) 1994, Regents of the University of California # Portions Copyright (c) 1994, Regents of the University of California
# #
# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.133 2005/04/29 14:07:27 momjian Exp $ # $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.134 2005/06/27 02:04:26 neilc Exp $
# #
#------------------------------------------------------------------------- #-------------------------------------------------------------------------
...@@ -53,7 +53,7 @@ endif ...@@ -53,7 +53,7 @@ endif
# Add libraries that libpq depends (or might depend) on into the # Add libraries that libpq depends (or might depend) on into the
# shared library link. (The order in which you list them here doesn't # shared library link. (The order in which you list them here doesn't
# matter.) # matter.)
SHLIB_LINK += $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS) SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS)
ifeq ($(PORTNAME), win32) ifeq ($(PORTNAME), win32)
SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS)) SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS))
endif endif
......
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes). * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.101 2005/06/04 20:42:43 momjian Exp $ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.102 2005/06/27 02:04:26 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -64,7 +64,7 @@ ...@@ -64,7 +64,7 @@
*/ */
#define STARTUP_MSG 7 /* Initialise a connection */ #define STARTUP_MSG 7 /* Initialise a connection */
#define STARTUP_KRB4_MSG 10 /* krb4 session follows */ #define STARTUP_KRB4_MSG 10 /* krb4 session follows. Not supported any more. */
#define STARTUP_KRB5_MSG 11 /* krb5 session follows */ #define STARTUP_KRB5_MSG 11 /* krb5 session follows */
#define STARTUP_PASSWORD_MSG 14 /* Password follows */ #define STARTUP_PASSWORD_MSG 14 /* Password follows */
...@@ -87,157 +87,22 @@ struct authsvc ...@@ -87,157 +87,22 @@ struct authsvc
* isn't any authentication system. * isn't any authentication system.
*/ */
static const struct authsvc authsvcs[] = { static const struct authsvc authsvcs[] = {
#ifdef KRB4
{"krb4", STARTUP_KRB4_MSG, 1},
{"kerberos", STARTUP_KRB4_MSG, 1},
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
{"krb5", STARTUP_KRB5_MSG, 1}, {"krb5", STARTUP_KRB5_MSG, 1},
{"kerberos", STARTUP_KRB5_MSG, 1}, {"kerberos", STARTUP_KRB5_MSG, 1},
#endif /* KRB5 */ #endif /* KRB5 */
{UNAUTHNAME, STARTUP_MSG, {UNAUTHNAME, STARTUP_MSG,
#if defined(KRB4) || defined(KRB5) #ifdef KRB5
0 0
#else /* !(KRB4 || KRB5) */ #else /* !KRB5 */
1 1
#endif /* !(KRB4 || KRB5) */ #endif /* !KRB5 */
}, },
{"password", STARTUP_PASSWORD_MSG, 0} {"password", STARTUP_PASSWORD_MSG, 0}
}; };
static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc); static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
#ifdef KRB4
/*
* MIT Kerberos authentication system - protocol version 4
*/
#include "krb.h"
/* for some reason, this is not defined in krb.h ... */
extern char *tkt_string(void);
/*
* pg_krb4_init -- initialization performed before any Kerberos calls are made
*
* For v4, all we need to do is make sure the library routines get the right
* ticket file if we want them to see a special one. (They will open the file
* themselves.)
*/
static void
pg_krb4_init()
{
char *realm;
static int init_done = 0;
if (init_done)
return;
init_done = 1;
/*
* If the user set PGREALM, then we use a ticket file with a special
* name: <usual-ticket-file-name>@<PGREALM-value>
*/
if ((realm = getenv("PGREALM")))
{
char tktbuf[MAXPGPATH];
(void) snprintf(tktbuf, sizeof(tktbuf), "%s@%s", tkt_string(), realm);
krb_set_tkt_string(tktbuf);
}
}
/*
* pg_krb4_authname -- returns a pointer to static space containing whatever
* name the user has authenticated to the system
*
* We obtain this information by digging around in the ticket file.
*/
static char *
pg_krb4_authname(char *PQerrormsg)
{
char instance[INST_SZ + 1];
char realm[REALM_SZ + 1];
int status;
static char name[SNAME_SZ + 1] = "";
if (name[0])
return name;
pg_krb4_init();
name[SNAME_SZ] = '\0';
status = krb_get_tf_fullname(tkt_string(), name, instance, realm);
if (status != KSUCCESS)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb4_authname: krb_get_tf_fullname: %s\n",
krb_err_txt[status]);
return NULL;
}
return name;
}
/*
* pg_krb4_sendauth -- client routine to send authentication information to
* the server
*
* This routine does not do mutual authentication, nor does it return enough
* information to do encrypted connections. But then, if we want to do
* encrypted connections, we'll have to redesign the whole RPC mechanism
* anyway.
*
* If the user is too lazy to feed us a hostname, we try to come up with
* something other than "localhost" since the hostname is used as an
* instance and instance names in v4 databases are usually actual hostnames
* (canonicalized to omit all domain suffixes).
*/
static int
pg_krb4_sendauth(char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
const char *hostname,
const char *servicename)
{
long krbopts = 0; /* one-way authentication */
KTEXT_ST clttkt;
int status;
char hostbuf[MAXHOSTNAMELEN];
const char *realm = getenv("PGREALM"); /* NULL == current realm */
if (!hostname || !(*hostname))
{
if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0)
strcpy(hostbuf, "localhost");
hostname = hostbuf;
}
pg_krb4_init();
status = krb_sendauth(krbopts,
sock,
&clttkt,
servicename,
hostname,
realm,
(u_long) 0,
NULL,
NULL,
NULL,
laddr,
raddr,
PG_KRB4_VERSION);
if (status != KSUCCESS)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("Kerberos 4 error: %s\n"),
krb_err_txt[status]);
return STATUS_ERROR;
}
return STATUS_OK;
}
#endif /* KRB4 */
#ifdef KRB5 #ifdef KRB5
/* /*
* MIT Kerberos authentication system - protocol version 5 * MIT Kerberos authentication system - protocol version 5
...@@ -597,7 +462,7 @@ int ...@@ -597,7 +462,7 @@ int
fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg) const char *password, char *PQerrormsg)
{ {
#if !defined(KRB4) && !defined(KRB5) #ifndef KRB5
(void) hostname; /* not used */ (void) hostname; /* not used */
#endif #endif
...@@ -607,24 +472,9 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, ...@@ -607,24 +472,9 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
break; break;
case AUTH_REQ_KRB4: case AUTH_REQ_KRB4:
#ifdef KRB4
pglock_thread();
if (pg_krb4_sendauth(PQerrormsg, conn->sock,
(struct sockaddr_in *) & conn->laddr.addr,
(struct sockaddr_in *) & conn->raddr.addr,
hostname, conn->krbsrvname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
return STATUS_ERROR;
}
pgunlock_thread();
break;
#else
snprintf(PQerrormsg, PQERRORMSG_LENGTH, snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("Kerberos 4 authentication not supported\n")); libpq_gettext("Kerberos 4 authentication not supported\n"));
return STATUS_ERROR; return STATUS_ERROR;
#endif
case AUTH_REQ_KRB5: case AUTH_REQ_KRB5:
#ifdef KRB5 #ifdef KRB5
...@@ -754,17 +604,12 @@ fe_getauthname(char *PQerrormsg) ...@@ -754,17 +604,12 @@ fe_getauthname(char *PQerrormsg)
pglock_thread(); pglock_thread();
#ifdef KRB4
if (authsvc == STARTUP_KRB4_MSG)
name = pg_krb4_authname(PQerrormsg);
#endif
#ifdef KRB5 #ifdef KRB5
if (authsvc == STARTUP_KRB5_MSG) if (authsvc == STARTUP_KRB5_MSG)
name = pg_krb5_authname(PQerrormsg); name = pg_krb5_authname(PQerrormsg);
#endif #endif
if (authsvc == STARTUP_MSG if (authsvc == STARTUP_MSG
|| (authsvc == STARTUP_KRB4_MSG && !name)
|| (authsvc == STARTUP_KRB5_MSG && !name)) || (authsvc == STARTUP_KRB5_MSG && !name))
{ {
#ifdef WIN32 #ifdef WIN32
...@@ -776,7 +621,7 @@ fe_getauthname(char *PQerrormsg) ...@@ -776,7 +621,7 @@ fe_getauthname(char *PQerrormsg)
#endif #endif
} }
if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG) if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB5_MSG)
snprintf(PQerrormsg, PQERRORMSG_LENGTH, snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("fe_getauthname: invalid authentication system: %d\n"), libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
authsvc); authsvc);
......
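Review bot: In the fe_sendauth hunk, `case AUTH_REQ_KRB4:` now unconditionally fills PQerrormsg and returns STATUS_ERROR, which is the right fail-closed behaviour when a server requests a method this client no longer implements, but nothing marks the case as deliberate rather than leftover; a one-line comment keeps it from being folded into the default branch later: `/* V4 support was removed; refuse the request explicitly so it cannot be negotiated */`. In fe_getauthname the retained STARTUP_KRB4_MSG can no longer be selected because authsvcs[] has no krb4 entry, so the simplified conditions look consistent. The body of fe_sendauth continues outside the hunk.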
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California * Portions Copyright (c) 1994, Regents of the University of California
* *
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.h,v 1.20 2004/12/31 22:03:50 pgsql Exp $ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.h,v 1.21 2005/06/27 02:04:26 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -27,11 +27,11 @@ ...@@ -27,11 +27,11 @@
#define UNAUTHNAME "unauth" #define UNAUTHNAME "unauth"
/* what a frontend uses by default */ /* what a frontend uses by default */
#if !defined(KRB4) && !defined(KRB5) #ifndef KRB5
#define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME #define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME
#else /* KRB4 || KRB5 */ #else
#define DEFAULT_CLIENT_AUTHSVC "kerberos" #define DEFAULT_CLIENT_AUTHSVC "kerberos"
#endif /* KRB4 || KRB5 */ #endif /* KRB5 */
extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg); const char *password, char *PQerrormsg);
...@@ -39,7 +39,6 @@ extern MsgType fe_getauthsvc(char *PQerrormsg); ...@@ -39,7 +39,6 @@ extern MsgType fe_getauthsvc(char *PQerrormsg);
extern void fe_setauthsvc(const char *name, char *PQerrormsg); extern void fe_setauthsvc(const char *name, char *PQerrormsg);
extern char *fe_getauthname(char *PQerrormsg); extern char *fe_getauthname(char *PQerrormsg);
#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */ #define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */
#define PG_KRB5_VERSION "PGVER5.1"
#endif /* FE_AUTH_H */ #endif /* FE_AUTH_H */
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.312 2005/06/19 13:10:55 momjian Exp $ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.313 2005/06/27 02:04:26 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -170,7 +170,7 @@ static const PQconninfoOption PQconninfoOptions[] = { ...@@ -170,7 +170,7 @@ static const PQconninfoOption PQconninfoOptions[] = {
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL, {"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */ "SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
#if defined(KRB4) || defined(KRB5) #ifdef KRB5
/* Kerberos authentication supports specifying the service name */ /* Kerberos authentication supports specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
"Kerberos-service-name", "", 20}, "Kerberos-service-name", "", 20},
...@@ -401,7 +401,7 @@ connectOptions1(PGconn *conn, const char *conninfo) ...@@ -401,7 +401,7 @@ connectOptions1(PGconn *conn, const char *conninfo)
conn->sslmode = strdup("require"); conn->sslmode = strdup("require");
} }
#endif #endif
#if defined(KRB4) || defined(KRB5) #ifdef KRB5
tmp = conninfo_getval(connOptions, "krbsrvname"); tmp = conninfo_getval(connOptions, "krbsrvname");
conn->krbsrvname = tmp ? strdup(tmp) : NULL; conn->krbsrvname = tmp ? strdup(tmp) : NULL;
#endif #endif
...@@ -1916,7 +1916,7 @@ freePGconn(PGconn *conn) ...@@ -1916,7 +1916,7 @@ freePGconn(PGconn *conn)
free(conn->pgpass); free(conn->pgpass);
if (conn->sslmode) if (conn->sslmode)
free(conn->sslmode); free(conn->sslmode);
#if defined(KRB4) || defined(KRB5) #ifdef KRB5
if (conn->krbsrvname) if (conn->krbsrvname)
free(conn->krbsrvname); free(conn->krbsrvname);
#endif #endif
......
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California * Portions Copyright (c) 1994, Regents of the University of California
* *
* $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.103 2005/06/13 02:26:53 tgl Exp $ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.104 2005/06/27 02:04:26 neilc Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -262,7 +262,7 @@ struct pg_conn ...@@ -262,7 +262,7 @@ struct pg_conn
char *pguser; /* Postgres username and password, if any */ char *pguser; /* Postgres username and password, if any */
char *pgpass; char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */ char *sslmode; /* SSL mode (require,prefer,allow,disable) */
#if defined(KRB5) || defined(KRB4) #ifdef KRB5
char *krbsrvname; /* Kerberos service name */ char *krbsrvname; /* Kerberos service name */
#endif #endif
......