Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
P
Postgres FD Implementation
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Abuhujair Javed
Postgres FD Implementation
Commits
d45f7dfd
Commit
d45f7dfd
authored
May 27, 2000
by
Bruce Momjian
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Update kerberos patch
parent
4f326011
Changes
6
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
241 additions
and
960 deletions
+241
-960
doc/README.kerberos
doc/README.kerberos
+3
-694
src/Makefile.global.in
src/Makefile.global.in
+7
-7
src/backend/libpq/auth.c
src/backend/libpq/auth.c
+104
-99
src/interfaces/libpq/Makefile.in
src/interfaces/libpq/Makefile.in
+2
-1
src/interfaces/libpq/fe-auth.c
src/interfaces/libpq/fe-auth.c
+123
-158
src/interfaces/libpq/libpq-int.h
src/interfaces/libpq/libpq-int.h
+2
-1
No files found.
doc/README.kerberos
View file @
d45f7dfd
From pgsql-patches-owner@hub.org Mon May 8 13:28:54 2000
Received: from walter.doc.ic.ac.uk (IDENT:VjgMrPQKQlAhOUagIW0/IaLLtzgPtWaj@walter.doc.ic.ac.uk [146.169.2.50])
by hub.org (8.9.3/8.9.3) with ESMTP id NAA78580
for <pgsql-patches@postgresql.org>; Mon, 8 May 2000 13:27:41 -0400 (EDT)
(envelope-from mw@doc.ic.ac.uk)
Received: from [146.169.51.42] (helo=kungfu.doc.ic.ac.uk ident=mw)
by walter.doc.ic.ac.uk with esmtp (Exim 1.890 #1)
for pgsql-patches@postgresql.org
id 12orKe-0000J8-00; Mon, 8 May 2000 18:28:36 +0100
Date: Mon, 8 May 2000 18:27:40 +0100 (BST)
From: Mike Wyer <mw@doc.ic.ac.uk>
To: pgsql-patches@postgresql.org
Subject: kerberos 5 patch against 7.0RC5
Message-ID: <Pine.LNX.4.21.0005081804430.1265-100000@kungfu.doc.ic.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Archive-Number: 200005/24
Status: ORr
You can find it after my sig. Hideous abuse of netiquette, but needs
must ...
Most (nearly all) of the work was done by David Wragg <dpw@doc.ic.ac.uk>
He patched 6.5.3. I've updated it for 7.0RC5.
It works for MIT kerberos 1.1.1 (and previously for 1.0.6 as well).
I've got the patch against 6.5.3, plus kerberized RPMS.
Install:
Assuming postgresql-7.0RC5 is in /usr/local/src
cd /usr/local/src
patch -p0 < krb5-patch
Edit postgresql-7.0RC5/src/Makefile.global.in
Change PG_KRB_SRVTAB to somewhere useful for you, and PG_KRB_SRVNAM to
whatever you want your postgres kerberos service called.
make and install PostgreSQL.
Uncommment out KRBVERS=5 in Makefile.global.in.
Run configure, make, and install PostgreSQL.
Generate the keytab (PG_KRB_SRVTAB):
kadmin% ank -randkey postgres/server.my.domain.org
...
...
@@ -64,659 +29,3 @@ Mike Wyer <mw@doc.ic.ac.uk> || "Woof?"
http://www.doc.ic.ac.uk/~mw || Gaspode the Wonder Dog
Work: 020 7594 8440 || from "Moving Pictures"
Mobile: 07879 697119 || by Terry Pratchett
===========================8<----------------------------------------------
diff -u -r postgresql-7.0RC5/src/Makefile.global.in postgresql-7.0RC5.krb5/src/Makefile.global.in
--- postgresql-7.0RC5/src/Makefile.global.in Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/Makefile.global.in Sat May 6 17:23:49 2000
@@ -120,7 +120,7 @@
# Set KRBVERS to "4" for Kerberos v4, "5" for Kerberos v5.
# XXX Edit the default Kerberos variables below!
#
-#KRBVERS= 5
+KRBVERS=5
# Globally pass Kerberos file locations.
# these are used in the postmaster and all libpq applications.
@@ -132,9 +132,9 @@
# PG_KRB_SRVTAB is the location of the server's keytab file.
#
ifdef KRBVERS
-KRBINCS= -I/usr/athena/include
-KRBLIBS= -L/usr/athena/lib
-KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres_dbms"'
+KRBINCS= -I/usr/krb5/include
+KRBLIBS= -L/usr/krb5/lib
+KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres"'
ifeq ($(KRBVERS), 4)
KRBFLAGS+= -DKRB4
KRBFLAGS+= -DPG_KRB_SRVTAB='"/etc/srvtab"'
@@ -142,8 +142,8 @@
else
ifeq ($(KRBVERS), 5)
KRBFLAGS+= -DKRB5
-KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/krb5/srvtab.postgres"'
-KRBLIBS+= -lkrb5 -lcrypto -lcom_err -lisode
+KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/usr/local/postgres/krb5.keytab"'
+KRBLIBS+= -lkrb5 -lcrypto -lcom_err
endif
endif
endif
diff -u -r postgresql-7.0RC5/src/backend/libpq/auth.c postgresql-7.0RC5.krb5/src/backend/libpq/auth.c
--- postgresql-7.0RC5/src/backend/libpq/auth.c Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/backend/libpq/auth.c Sat May 6 17:17:13 2000
@@ -149,7 +149,8 @@
*----------------------------------------------------------------
*/
-#include "krb5/krb5.h"
+#include <krb5.h>
+#include <com_err.h>
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
@@ -174,130 +175,134 @@
return aname;
}
+
/*
- * pg_krb5_recvauth -- server routine to receive authentication information
- * from the client
- *
- * We still need to compare the username obtained from the client's setup
- * packet to the authenticated name, as described in pg_krb4_recvauth. This
- * is a bit more problematic in v5, as described above in pg_an_to_ln.
- *
- * In addition, as described above in pg_krb5_sendauth, we still need to
- * canonicalize the server name v4-style before constructing a principal
- * from it. Again, this is kind of iffy.
- *
- * Finally, we need to tangle with the fact that v5 doesn't let you explicitly
- * set server keytab file names -- you have to feed lower-level routines a
- * function to retrieve the contents of a keytab, along with a single argument
- * that allows them to open the keytab. We assume that a server keytab is
- * always a real file so we can allow people to specify their own filenames.
- * (This is important because the POSTGRES keytab needs to be readable by
- * non-root users/groups; the v4 tools used to force you do dump a whole
- * host's worth of keys into a file, effectively forcing you to use one file,
- * but kdb5_edit allows you to select which principals to dump. Yay!)
+ * Various krb5 state which is not connection specfic, and a flag to
+ * indicate whether we have initialised it yet.
*/
+static int pg_krb5_initialised;
+static krb5_context pg_krb5_context;
+static krb5_keytab pg_krb5_keytab;
+static krb5_principal pg_krb5_server;
+
+
static int
-pg_krb5_recvauth(Port *port)
+pg_krb5_init(void)
{
- char servbuf[MAXHOSTNAMELEN + 1 +
- sizeof(PG_KRB_SRVNAM)];
- char *hostp,
- *kusername = (char *) NULL;
- krb5_error_code code;
- krb5_principal client,
- server;
- krb5_address sender_addr;
- krb5_rdreq_key_proc keyproc = (krb5_rdreq_key_proc) NULL;
- krb5_pointer keyprocarg = (krb5_pointer) NULL;
+ krb5_error_code retval;
- /*
- * Set up server side -- since we have no ticket file to make this
- * easy, we construct our own name and parse it. See note on
- * canonicalization above.
- */
- strcpy(servbuf, PG_KRB_SRVNAM);
- *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
- if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
- strcpy(hostp, "localhost");
- if (hostp = strchr(hostp, '.'))
- *hostp = '\0';
- if (code = krb5_parse_name(servbuf, &server))
- {
+ if (pg_krb5_initialised)
+ return STATUS_OK;
+
+ retval = krb5_init_context(&pg_krb5_context);
+ if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: Kerberos error %d in krb5_parse_name\n", code);
- com_err("pg_krb5_recvauth", code, "in krb5_parse_name");
+ "pg_krb5_init: krb5_init_context returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "while initializing krb5");
return STATUS_ERROR;
}
- /*
- * krb5_sendauth needs this to verify the address in the client
- * authenticator.
- */
- sender_addr.addrtype = port->raddr.in.sin_family;
- sender_addr.length = sizeof(port->raddr.in.sin_addr);
- sender_addr.contents = (krb5_octet *) & (port->raddr.in.sin_addr);
-
- if (strcmp(PG_KRB_SRVTAB, ""))
- {
- keyproc = krb5_kt_read_service_key;
- keyprocarg = PG_KRB_SRVTAB;
+ retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_kt_resolve returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "while resolving keytab file %s",
+ PG_KRB_SRVTAB);
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
}
- if (code = krb5_recvauth((krb5_pointer) & port->sock,
- PG_KRB5_VERSION,
- server,
- &sender_addr,
- (krb5_pointer) NULL,
- keyproc,
- keyprocarg,
- (char *) NULL,
- (krb5_int32 *) NULL,
- &client,
- (krb5_ticket **) NULL,
- (krb5_authenticator **) NULL))
- {
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ KRB5_NT_SRV_HST, &pg_krb5_server);
+ if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: Kerberos error %d in krb5_recvauth\n", code);
- com_err("pg_krb5_recvauth", code, "in krb5_recvauth");
- krb5_free_principal(server);
+ "pg_krb5_init: krb5_sname_to_principal returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval,
+ "while getting server principal for service %s",
+ PG_KRB_SRVTAB);
+ krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+ krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
- krb5_free_principal(server);
+
+ pg_krb5_initialised = 1;
+ return STATUS_OK;
+}
+
+
+/*
+ * pg_krb5_recvauth -- server routine to receive authentication information
+ * from the client
+ *
+ * We still need to compare the username obtained from the client's setup
+ * packet to the authenticated name, as described in pg_krb4_recvauth. This
+ * is a bit more problematic in v5, as described above in pg_an_to_ln.
+ *
+ * We have our own keytab file because postgres is unlikely to run as root,
+ * and so cannot read the default keytab.
+ */
+static int
+pg_krb5_recvauth(Port *port)
+{
+ krb5_error_code retval;
+ int ret;
+ krb5_auth_context auth_context = NULL;
+ krb5_ticket *ticket;
+ char *kusername;
+
+ ret = pg_krb5_init();
+ if (ret != STATUS_OK)
+ return ret;
+
+ retval = krb5_recvauth(pg_krb5_context, &auth_context,
+ (krb5_pointer)&port->sock, PG_KRB_SRVNAM,
+ pg_krb5_server, 0, pg_krb5_keytab, &ticket);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_recvauth: krb5_recvauth returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "from krb5_recvauth");
+ return STATUS_ERROR;
+ }
/*
* The "client" structure comes out of the ticket and is therefore
* authenticated. Use it to check the username obtained from the
* postmaster startup packet.
+ *
+ * I have no idea why this is considered necessary.
*/
- if ((code = krb5_unparse_name(client, &kusername)))
- {
+ retval = krb5_unparse_name(pg_krb5_context,
+ ticket->enc_part2->client, &kusername);
+ if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: Kerberos error %d in krb5_unparse_name\n", code);
- com_err("pg_krb5_recvauth", code, "in krb5_unparse_name");
- krb5_free_principal(client);
- return STATUS_ERROR;
- }
- krb5_free_principal(client);
- if (!kusername)
- {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: could not decode username\n");
- fputs(PQerrormsg, stderr);
- pqdebug("%s", PQerrormsg);
+ "pg_krb5_recvauth: krb5_unparse_name returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "while unparsing client name");
+ krb5_free_ticket(pg_krb5_context, ticket);
+ krb5_auth_con_free(pg_krb5_context, auth_context);
return STATUS_ERROR;
}
+
kusername = pg_an_to_ln(kusername);
- if (strncmp(username, kusername, SM_USER))
+ if (strncmp(port->user, kusername, SM_USER))
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: name \"%s\" != \"%s\"\n", port->user, kusername);
- fputs(PQerrormsg, stderr);
- pqdebug("%s", PQerrormsg);
- pfree(kusername);
- return STATUS_ERROR;
- }
- pfree(kusername);
- return STATUS_OK;
+ "pg_krb5_recvauth: user name \"%s\" != krb5 name \"%s\"\n",
+ port->user, kusername);
+ ret = STATUS_ERROR;
+ }
+ else
+ ret = STATUS_OK;
+
+ krb5_free_ticket(pg_krb5_context, ticket);
+ krb5_auth_con_free(pg_krb5_context, auth_context);
+ free(kusername);
+
+ return ret;
}
#else
diff -u -r postgresql-7.0RC5/src/interfaces/libpq/Makefile.in postgresql-7.0RC5.krb5/src/interfaces/libpq/Makefile.in
--- postgresql-7.0RC5/src/interfaces/libpq/Makefile.in Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/interfaces/libpq/Makefile.in Sat May 6 17:17:13 2000
@@ -21,6 +21,7 @@
ifdef KRBVERS
CFLAGS+= $(KRBFLAGS)
+SHLIB_LINK += $(KRBLIBS)
endif
OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
diff -u -r postgresql-7.0RC5/src/interfaces/libpq/fe-auth.c postgresql-7.0RC5.krb5/src/interfaces/libpq/fe-auth.c
--- postgresql-7.0RC5/src/interfaces/libpq/fe-auth.c Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/interfaces/libpq/fe-auth.c Sat May 6 17:17:13 2000
@@ -39,6 +39,7 @@
#include "win32.h"
#else
#include <unistd.h>
+#include <fcntl.h>
#include <sys/param.h> /* for MAXHOSTNAMELEN on most */
#ifndef MAXHOSTNAMELEN
#include <netdb.h> /* for MAXHOSTNAMELEN on some */
@@ -234,7 +235,8 @@
*----------------------------------------------------------------
*/
-#include "krb5/krb5.h"
+#include <krb5.h>
+#include <com_err.h>
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
@@ -250,7 +252,7 @@
* and we can't afford to punt.
*/
static char *
-pg_an_to_ln(const char *aname)
+pg_an_to_ln(char *aname)
{
char *p;
@@ -261,197 +263,160 @@
/*
- * pg_krb5_init -- initialization performed before any Kerberos calls are made
- *
- * With v5, we can no longer set the ticket (credential cache) file name;
- * we now have to provide a file handle for the open (well, "resolved")
- * ticket file everywhere.
- *
+ * Various krb5 state which is not connection specfic, and a flag to
+ * indicate whether we have initialised it yet.
*/
+static int pg_krb5_initialised;
+static krb5_context pg_krb5_context;
+static krb5_ccache pg_krb5_ccache;
+static krb5_principal pg_krb5_client;
+static char *pg_krb5_name;
+
+
static int
- krb5_ccache
-pg_krb5_init(void)
+pg_krb5_init(char *PQerrormsg)
{
- krb5_error_code code;
- char *realm,
- *defname;
- char tktbuf[MAXPGPATH];
- static krb5_ccache ccache = (krb5_ccache) NULL;
+ krb5_error_code retval;
- if (ccache)
- return ccache;
+ if (pg_krb5_initialised)
+ return STATUS_OK;
- /*
- * If the user set PGREALM, then we use a ticket file with a special
- * name: <usual-ticket-file-name>@<PGREALM-value>
- */
- if (!(defname = krb5_cc_default_name()))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_init: krb5_cc_default_name failed\n");
- return (krb5_ccache) NULL;
- }
- strcpy(tktbuf, defname);
- if (realm = getenv("PGREALM"))
- {
- strcat(tktbuf, "@");
- strcat(tktbuf, realm);
+ retval = krb5_init_context(&pg_krb5_context);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_init_context: %s",
+ error_message(retval));
+ return STATUS_ERROR;
}
- if (code = krb5_cc_resolve(tktbuf, &ccache))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_init: Kerberos error %d in krb5_cc_resolve\n", code);
- com_err("pg_krb5_init", code, "in krb5_cc_resolve");
- return (krb5_ccache) NULL;
- }
- return ccache;
+ retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_cc_default: %s",
+ error_message(retval));
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+
+ retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
+ &pg_krb5_client);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_cc_get_principal: %s",
+ error_message(retval));
+ krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+
+ retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_unparse_name: %s",
+ error_message(retval));
+ krb5_free_principal(pg_krb5_context, pg_krb5_client);
+ krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+
+ pg_krb5_name = pg_an_to_ln(pg_krb5_name);
+
+ pg_krb5_initialised = 1;
+ return STATUS_OK;
}
+
/*
* pg_krb5_authname -- returns a pointer to static space containing whatever
* name the user has authenticated to the system
- *
- * We obtain this information by digging around in the ticket file.
- */
+ */
static const char *
-pg_krb5_authname(const char *PQerrormsg)
+pg_krb5_authname(char *PQerrormsg)
{
- krb5_ccache ccache;
- krb5_principal principal;
- krb5_error_code code;
- static char *authname = (char *) NULL;
-
- if (authname)
- return authname;
+ if (pg_krb5_init(PQerrormsg) != STATUS_OK)
+ return NULL;
- ccache = pg_krb5_init(); /* don't free this */
-
- if (code = krb5_cc_get_principal(ccache, &principal))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_authname: Kerberos error %d in krb5_cc_get_principal\n", code);
- com_err("pg_krb5_authname", code, "in krb5_cc_get_principal");
- return (char *) NULL;
- }
- if (code = krb5_unparse_name(principal, &authname))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_authname: Kerberos error %d in krb5_unparse_name\n", code);
- com_err("pg_krb5_authname", code, "in krb5_unparse_name");
- krb5_free_principal(principal);
- return (char *) NULL;
- }
- krb5_free_principal(principal);
- return pg_an_to_ln(authname);
+ return pg_krb5_name;
}
+
/*
* pg_krb5_sendauth -- client routine to send authentication information to
* the server
- *
- * This routine does not do mutual authentication, nor does it return enough
- * information to do encrypted connections. But then, if we want to do
- * encrypted connections, we'll have to redesign the whole RPC mechanism
- * anyway.
- *
- * Server hostnames are canonicalized v4-style, i.e., all domain suffixes
- * are simply chopped off. Hence, we are assuming that you've entered your
- * server instances as
- * <value-of-PG_KRB_SRVNAM>/<canonicalized-hostname>
- * in the PGREALM (or local) database. This is probably a bad assumption.
*/
static int
-pg_krb5_sendauth(const char *PQerrormsg, int sock,
+pg_krb5_sendauth(char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
const char *hostname)
{
- char servbuf[MAXHOSTNAMELEN + 1 +
- sizeof(PG_KRB_SRVNAM)];
- const char *hostp;
- const char *realm;
- krb5_error_code code;
- krb5_principal client,
- server;
- krb5_ccache ccache;
- krb5_error *error = (krb5_error *) NULL;
-
- ccache = pg_krb5_init(); /* don't free this */
-
- /*
- * set up client -- this is easy, we can get it out of the ticket
- * file.
- */
- if (code = krb5_cc_get_principal(ccache, &client))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: Kerberos error %d in krb5_cc_get_principal\n", code);
- com_err("pg_krb5_sendauth", code, "in krb5_cc_get_principal");
+ krb5_error_code retval;
+ int ret;
+ krb5_principal server;
+ krb5_auth_context auth_context = NULL;
+ krb5_error *err_ret = NULL;
+ int flags;
+
+ ret = pg_krb5_init(PQerrormsg);
+ if (ret != STATUS_OK)
+ return ret;
+
+ retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+ KRB5_NT_SRV_HST, &server);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: krb5_sname_to_principal: %s",
+ error_message(retval));
return STATUS_ERROR;
}
- /*
- * set up server -- canonicalize as described above
+ /*
+ * libpq uses a non-blocking socket. But kerberos needs a blocking
+ * socket, and we have to block somehow to do mutual authentication
+ * anyway. So we temporarily make it blocking.
*/
- strcpy(servbuf, PG_KRB_SRVNAM);
- *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
- if (hostname || *hostname)
- strncpy(++hostp, hostname, MAXHOSTNAMELEN);
- else
- {
- if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
- strcpy(hostp, "localhost");
- }
- if (hostp = strchr(hostp, '.'))
- *hostp = '\0';
- if (realm = getenv("PGREALM"))
- {
- strcat(servbuf, "@");
- strcat(servbuf, realm);
- }
- if (code = krb5_parse_name(servbuf, &server))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: Kerberos error %d in krb5_parse_name\n", code);
- com_err("pg_krb5_sendauth", code, "in krb5_parse_name");
- krb5_free_principal(client);
+ flags = fcntl(sock, F_GETFL);
+ if (flags < 0 || fcntl(sock, F_SETFL, (long)(flags & ~O_NONBLOCK))) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: fcntl: %s", strerror(errno));
+ krb5_free_principal(pg_krb5_context, server);
return STATUS_ERROR;
}
- /*
- * The only thing we want back from krb5_sendauth is an error status
- * and any error messages.
- */
- if (code = krb5_sendauth((krb5_pointer) & sock,
- PG_KRB5_VERSION,
- client,
- server,
- (krb5_flags) 0,
- (krb5_checksum *) NULL,
- (krb5_creds *) NULL,
- ccache,
- (krb5_int32 *) NULL,
- (krb5_keyblock **) NULL,
- &error,
- (krb5_ap_rep_enc_part **) NULL))
- {
- if ((code == KRB5_SENDAUTH_REJECTED) && error)
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: authentication rejected: \"%*s\"\n",
- error->text.length, error->text.data);
+ retval = krb5_sendauth(pg_krb5_context, &auth_context,
+ (krb5_pointer) &sock, PG_KRB_SRVNAM,
+ pg_krb5_client, server,
+ AP_OPTS_MUTUAL_REQUIRED,
+ NULL, 0, /* no creds, use ccache instead */
+ pg_krb5_ccache, &err_ret, NULL, NULL);
+ if (retval) {
+ if (retval == KRB5_SENDAUTH_REJECTED && err_ret) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: authentication rejected: \"%*s\"",
+ err_ret->text.length, err_ret->text.data);
}
- else
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: Kerberos error %d in krb5_sendauth\n", code);
- com_err("pg_krb5_sendauth", code, "in krb5_sendauth");
+ else {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: krb5_sendauth: %s",
+ error_message(retval));
}
+
+ if (err_ret)
+ krb5_free_error(pg_krb5_context, err_ret);
+
+ ret = STATUS_ERROR;
+ }
+
+ krb5_free_principal(pg_krb5_context, server);
+
+ if (fcntl(sock, F_SETFL, (long)flags)) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: fcntl: %s", strerror(errno));
+ ret = STATUS_ERROR;
}
- krb5_free_principal(client);
- krb5_free_principal(server);
- return code ? STATUS_ERROR : STATUS_OK;
+
+ return ret;
}
#endif /* KRB5 */
diff -u -r postgresql-7.0RC5/src/interfaces/libpq/libpq-int.h postgresql-7.0RC5.krb5/src/interfaces/libpq/libpq-int.h
--- postgresql-7.0RC5/src/interfaces/libpq/libpq-int.h Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/interfaces/libpq/libpq-int.h Sat May 6 17:49:38 2000
@@ -50,6 +50,7 @@
* POSTGRES backend dependent Constants.
*/
+#define PQERRORMSG_LENGTH 1024
#define CMDSTATUS_LEN 40
/*
src/Makefile.global.in
View file @
d45f7dfd
...
...
@@ -7,7 +7,7 @@
#
#
# IDENTIFICATION
# $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.7
3 2000/05/27 03:58:18
momjian Exp $
# $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.7
4 2000/05/27 04:13:04
momjian Exp $
#
# NOTES
# Essentially all Postgres make files include this file and use the
...
...
@@ -120,7 +120,7 @@ ENFORCE_ALIGNMENT= true
# Set KRBVERS to "4" for Kerberos v4, "5" for Kerberos v5.
# XXX Edit the default Kerberos variables below!
#
#KRBVERS=
5
#KRBVERS=5
# Globally pass Kerberos file locations.
# these are used in the postmaster and all libpq applications.
...
...
@@ -132,9 +132,9 @@ ENFORCE_ALIGNMENT= true
# PG_KRB_SRVTAB is the location of the server's keytab file.
#
ifdef
KRBVERS
KRBINCS
=
-I
/usr/
athena
/include
KRBLIBS
=
-L
/usr/
athena
/lib
KRBFLAGS
+=
$(KRBINCS)
-DPG_KRB_SRVNAM
=
'"postgres
_dbms
"'
KRBINCS
=
-I
/usr/
krb5
/include
KRBLIBS
=
-L
/usr/
krb5
/lib
KRBFLAGS
+=
$(KRBINCS)
-DPG_KRB_SRVNAM
=
'"postgres"'
ifeq
($(KRBVERS), 4)
KRBFLAGS
+=
-DKRB4
KRBFLAGS
+=
-DPG_KRB_SRVTAB
=
'"/etc/srvtab"'
...
...
@@ -142,8 +142,8 @@ KRBLIBS+= -lkrb -ldes
else
ifeq
($(KRBVERS), 5)
KRBFLAGS
+=
-DKRB5
KRBFLAGS
+=
-DPG_KRB_SRVTAB
=
'"FILE:/
krb5/srvtab.postgres
"'
KRBLIBS
+=
-lkrb5
-lcrypto
-lcom_err
-lisode
KRBFLAGS
+=
-DPG_KRB_SRVTAB
=
'"FILE:/
usr/local/postgres/krb5.keytab
"'
KRBLIBS
+=
-lkrb5
-lcrypto
-lcom_err
endif
endif
endif
...
...
src/backend/libpq/auth.c
View file @
d45f7dfd
...
...
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.4
6 2000/05/27 03:58:19
momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.4
7 2000/05/27 04:13:05
momjian Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -149,7 +149,8 @@ pg_krb4_recvauth(Port *port)
*----------------------------------------------------------------
*/
#include "krb5/krb5.h"
#include <krb5.h>
#include <com_err.h>
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
...
...
@@ -174,130 +175,134 @@ pg_an_to_ln(char *aname)
return
aname
;
}
/*
* pg_krb5_recvauth -- server routine to receive authentication information
* from the client
*
* We still need to compare the username obtained from the client's setup
* packet to the authenticated name, as described in pg_krb4_recvauth. This
* is a bit more problematic in v5, as described above in pg_an_to_ln.
*
* In addition, as described above in pg_krb5_sendauth, we still need to
* canonicalize the server name v4-style before constructing a principal
* from it. Again, this is kind of iffy.
*
* Finally, we need to tangle with the fact that v5 doesn't let you explicitly
* set server keytab file names -- you have to feed lower-level routines a
* function to retrieve the contents of a keytab, along with a single argument
* that allows them to open the keytab. We assume that a server keytab is
* always a real file so we can allow people to specify their own filenames.
* (This is important because the POSTGRES keytab needs to be readable by
* non-root users/groups; the v4 tools used to force you do dump a whole
* host's worth of keys into a file, effectively forcing you to use one file,
* but kdb5_edit allows you to select which principals to dump. Yay!)
* Various krb5 state which is not connection specfic, and a flag to
* indicate whether we have initialised it yet.
*/
static
int
pg_krb5_initialised
;
static
krb5_context
pg_krb5_context
;
static
krb5_keytab
pg_krb5_keytab
;
static
krb5_principal
pg_krb5_server
;
static
int
pg_krb5_
recvauth
(
Port
*
port
)
pg_krb5_
init
(
void
)
{
char
servbuf
[
MAXHOSTNAMELEN
+
1
+
sizeof
(
PG_KRB_SRVNAM
)];
char
*
hostp
,
*
kusername
=
(
char
*
)
NULL
;
krb5_error_code
code
;
krb5_principal
client
,
server
;
krb5_address
sender_addr
;
krb5_rdreq_key_proc
keyproc
=
(
krb5_rdreq_key_proc
)
NULL
;
krb5_pointer
keyprocarg
=
(
krb5_pointer
)
NULL
;
krb5_error_code
retval
;
/*
* Set up server side -- since we have no ticket file to make this
* easy, we construct our own name and parse it. See note on
* canonicalization above.
*/
strcpy
(
servbuf
,
PG_KRB_SRVNAM
);
*
(
hostp
=
servbuf
+
(
sizeof
(
PG_KRB_SRVNAM
)
-
1
))
=
'/'
;
if
(
gethostname
(
++
hostp
,
MAXHOSTNAMELEN
)
<
0
)
strcpy
(
hostp
,
"localhost"
);
if
(
hostp
=
strchr
(
hostp
,
'.'
))
*
hostp
=
'\0'
;
if
(
code
=
krb5_parse_name
(
servbuf
,
&
server
))
{
if
(
pg_krb5_initialised
)
return
STATUS_OK
;
retval
=
krb5_init_context
(
&
pg_krb5_context
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_recvauth: Kerberos error %d in krb5_parse_name
\n
"
,
code
);
com_err
(
"pg_krb5_recvauth"
,
code
,
"in krb5_parse_name"
);
"pg_krb5_init: krb5_init_context returned"
" Kerberos error %d
\n
"
,
retval
);
com_err
(
"postgres"
,
retval
,
"while initializing krb5"
);
return
STATUS_ERROR
;
}
/*
* krb5_sendauth needs this to verify the address in the client
* authenticator.
*/
sender_addr
.
addrtype
=
port
->
raddr
.
in
.
sin_family
;
sender_addr
.
length
=
sizeof
(
port
->
raddr
.
in
.
sin_addr
);
sender_addr
.
contents
=
(
krb5_octet
*
)
&
(
port
->
raddr
.
in
.
sin_addr
);
if
(
strcmp
(
PG_KRB_SRVTAB
,
""
))
{
keyproc
=
krb5_kt_read_service_key
;
keyprocarg
=
PG_KRB_SRVTAB
;
retval
=
krb5_kt_resolve
(
pg_krb5_context
,
PG_KRB_SRVTAB
,
&
pg_krb5_keytab
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_init: krb5_kt_resolve returned"
" Kerberos error %d
\n
"
,
retval
);
com_err
(
"postgres"
,
retval
,
"while resolving keytab file %s"
,
PG_KRB_SRVTAB
);
krb5_free_context
(
pg_krb5_context
);
return
STATUS_ERROR
;
}
if
(
code
=
krb5_recvauth
((
krb5_pointer
)
&
port
->
sock
,
PG_KRB5_VERSION
,
server
,
&
sender_addr
,
(
krb5_pointer
)
NULL
,
keyproc
,
keyprocarg
,
(
char
*
)
NULL
,
(
krb5_int32
*
)
NULL
,
&
client
,
(
krb5_ticket
**
)
NULL
,
(
krb5_authenticator
**
)
NULL
))
{
retval
=
krb5_sname_to_principal
(
pg_krb5_context
,
NULL
,
PG_KRB_SRVNAM
,
KRB5_NT_SRV_HST
,
&
pg_krb5_server
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_recvauth: Kerberos error %d in krb5_recvauth
\n
"
,
code
);
com_err
(
"pg_krb5_recvauth"
,
code
,
"in krb5_recvauth"
);
krb5_free_principal
(
server
);
"pg_krb5_init: krb5_sname_to_principal returned"
" Kerberos error %d
\n
"
,
retval
);
com_err
(
"postgres"
,
retval
,
"while getting server principal for service %s"
,
PG_KRB_SRVTAB
);
krb5_kt_close
(
pg_krb5_context
,
pg_krb5_keytab
);
krb5_free_context
(
pg_krb5_context
);
return
STATUS_ERROR
;
}
krb5_free_principal
(
server
);
pg_krb5_initialised
=
1
;
return
STATUS_OK
;
}
/*
* pg_krb5_recvauth -- server routine to receive authentication information
* from the client
*
* We still need to compare the username obtained from the client's setup
* packet to the authenticated name, as described in pg_krb4_recvauth. This
* is a bit more problematic in v5, as described above in pg_an_to_ln.
*
* We have our own keytab file because postgres is unlikely to run as root,
* and so cannot read the default keytab.
*/
static
int
pg_krb5_recvauth
(
Port
*
port
)
{
krb5_error_code
retval
;
int
ret
;
krb5_auth_context
auth_context
=
NULL
;
krb5_ticket
*
ticket
;
char
*
kusername
;
ret
=
pg_krb5_init
();
if
(
ret
!=
STATUS_OK
)
return
ret
;
retval
=
krb5_recvauth
(
pg_krb5_context
,
&
auth_context
,
(
krb5_pointer
)
&
port
->
sock
,
PG_KRB_SRVNAM
,
pg_krb5_server
,
0
,
pg_krb5_keytab
,
&
ticket
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_recvauth: krb5_recvauth returned"
" Kerberos error %d
\n
"
,
retval
);
com_err
(
"postgres"
,
retval
,
"from krb5_recvauth"
);
return
STATUS_ERROR
;
}
/*
* The "client" structure comes out of the ticket and is therefore
* authenticated. Use it to check the username obtained from the
* postmaster startup packet.
*
* I have no idea why this is considered necessary.
*/
if
((
code
=
krb5_unparse_name
(
client
,
&
kusername
)))
{
retval
=
krb5_unparse_name
(
pg_krb5_context
,
ticket
->
enc_part2
->
client
,
&
kusername
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_recvauth: Kerberos error %d in krb5_unparse_name
\n
"
,
code
);
com_err
(
"pg_krb5_recvauth"
,
code
,
"in krb5_unparse_name"
);
krb5_free_principal
(
client
);
return
STATUS_ERROR
;
}
krb5_free_principal
(
client
);
if
(
!
kusername
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_recvauth: could not decode username
\n
"
);
fputs
(
PQerrormsg
,
stderr
);
pqdebug
(
"%s"
,
PQerrormsg
);
"pg_krb5_recvauth: krb5_unparse_name returned"
" Kerberos error %d
\n
"
,
retval
);
com_err
(
"postgres"
,
retval
,
"while unparsing client name"
);
krb5_free_ticket
(
pg_krb5_context
,
ticket
);
krb5_auth_con_free
(
pg_krb5_context
,
auth_context
);
return
STATUS_ERROR
;
}
kusername
=
pg_an_to_ln
(
kusername
);
if
(
strncmp
(
username
,
kusername
,
SM_USER
))
if
(
strncmp
(
port
->
user
,
kusername
,
SM_USER
))
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_recvauth: name
\"
%s
\"
!=
\"
%s
\"\n
"
,
port
->
user
,
kusername
);
fputs
(
PQerrormsg
,
stderr
);
pqdebug
(
"%s"
,
PQerrormsg
);
pfree
(
kusername
);
return
STATUS_ERROR
;
"pg_krb5_recvauth: user name
\"
%s
\"
!= krb5 name
\"
%s
\"\n
"
,
port
->
user
,
kusername
);
ret
=
STATUS_ERROR
;
}
pfree
(
kusername
);
return
STATUS_OK
;
else
ret
=
STATUS_OK
;
krb5_free_ticket
(
pg_krb5_context
,
ticket
);
krb5_auth_con_free
(
pg_krb5_context
,
auth_context
);
free
(
kusername
);
return
ret
;
}
#else
...
...
src/interfaces/libpq/Makefile.in
View file @
d45f7dfd
...
...
@@ -6,7 +6,7 @@
# Copyright (c) 1994, Regents of the University of California
#
# IDENTIFICATION
# $Header: /cvsroot/pgsql/src/interfaces/libpq/Attic/Makefile.in,v 1.5
6 2000/05/27 03:58:20
momjian Exp $
# $Header: /cvsroot/pgsql/src/interfaces/libpq/Attic/Makefile.in,v 1.5
7 2000/05/27 04:13:05
momjian Exp $
#
#-------------------------------------------------------------------------
...
...
@@ -21,6 +21,7 @@ CFLAGS+= -DFRONTEND
ifdef
KRBVERS
CFLAGS
+=
$(KRBFLAGS)
SHLIB_LINK
+=
$(KRBLIBS)
endif
OBJS
=
fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o
\
...
...
src/interfaces/libpq/fe-auth.c
View file @
d45f7dfd
...
...
@@ -10,7 +10,7 @@
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.4
1 2000/05/27 03:58:20
momjian Exp $
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.4
2 2000/05/27 04:13:05
momjian Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -39,6 +39,7 @@
#include "win32.h"
#else
#include <unistd.h>
#include <fcntl.h>
#include <sys/param.h>
/* for MAXHOSTNAMELEN on most */
#ifndef MAXHOSTNAMELEN
#include <netdb.h>
/* for MAXHOSTNAMELEN on some */
...
...
@@ -234,7 +235,8 @@ pg_krb4_sendauth(const char *PQerrormsg, int sock,
*----------------------------------------------------------------
*/
#include "krb5/krb5.h"
#include <krb5.h>
#include <com_err.h>
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
...
...
@@ -250,7 +252,7 @@ pg_krb4_sendauth(const char *PQerrormsg, int sock,
* and we can't afford to punt.
*/
static
char
*
pg_an_to_ln
(
c
onst
c
har
*
aname
)
pg_an_to_ln
(
char
*
aname
)
{
char
*
p
;
...
...
@@ -261,197 +263,160 @@ pg_an_to_ln(const char *aname)
/*
* pg_krb5_init -- initialization performed before any Kerberos calls are made
*
* With v5, we can no longer set the ticket (credential cache) file name;
* we now have to provide a file handle for the open (well, "resolved")
* ticket file everywhere.
*
* Various krb5 state which is not connection specfic, and a flag to
* indicate whether we have initialised it yet.
*/
static
int
pg_krb5_initialised
;
static
krb5_context
pg_krb5_context
;
static
krb5_ccache
pg_krb5_ccache
;
static
krb5_principal
pg_krb5_client
;
static
char
*
pg_krb5_name
;
static
int
krb5_ccache
pg_krb5_init
(
void
)
pg_krb5_init
(
char
*
PQerrormsg
)
{
krb5_error_code
code
;
char
*
realm
,
*
defname
;
char
tktbuf
[
MAXPGPATH
];
static
krb5_ccache
ccache
=
(
krb5_ccache
)
NULL
;
krb5_error_code
retval
;
if
(
ccache
)
return
ccache
;
if
(
pg_krb5_initialised
)
return
STATUS_OK
;
/*
* If the user set PGREALM, then we use a ticket file with a special
* name: <usual-ticket-file-name>@<PGREALM-value>
*/
if
(
!
(
defname
=
krb5_cc_default_name
()))
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_init: krb5_cc_default_name failed
\n
"
);
return
(
krb5_ccache
)
NULL
;
}
strcpy
(
tktbuf
,
defname
);
if
(
realm
=
getenv
(
"PGREALM"
))
{
strcat
(
tktbuf
,
"@"
);
strcat
(
tktbuf
,
realm
);
retval
=
krb5_init_context
(
&
pg_krb5_context
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_init: krb5_init_context: %s"
,
error_message
(
retval
));
return
STATUS_ERROR
;
}
if
(
code
=
krb5_cc_resolve
(
tktbuf
,
&
ccache
))
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_init: Kerberos error %d in krb5_cc_resolve
\n
"
,
code
);
com_err
(
"pg_krb5_init"
,
code
,
"in krb5_cc_resolve"
);
return
(
krb5_ccache
)
NULL
;
}
return
ccache
;
retval
=
krb5_cc_default
(
pg_krb5_context
,
&
pg_krb5_ccache
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_init: krb5_cc_default: %s"
,
error_message
(
retval
));
krb5_free_context
(
pg_krb5_context
);
return
STATUS_ERROR
;
}
retval
=
krb5_cc_get_principal
(
pg_krb5_context
,
pg_krb5_ccache
,
&
pg_krb5_client
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_init: krb5_cc_get_principal: %s"
,
error_message
(
retval
));
krb5_cc_close
(
pg_krb5_context
,
pg_krb5_ccache
);
krb5_free_context
(
pg_krb5_context
);
return
STATUS_ERROR
;
}
retval
=
krb5_unparse_name
(
pg_krb5_context
,
pg_krb5_client
,
&
pg_krb5_name
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_init: krb5_unparse_name: %s"
,
error_message
(
retval
));
krb5_free_principal
(
pg_krb5_context
,
pg_krb5_client
);
krb5_cc_close
(
pg_krb5_context
,
pg_krb5_ccache
);
krb5_free_context
(
pg_krb5_context
);
return
STATUS_ERROR
;
}
pg_krb5_name
=
pg_an_to_ln
(
pg_krb5_name
);
pg_krb5_initialised
=
1
;
return
STATUS_OK
;
}
/*
* pg_krb5_authname -- returns a pointer to static space containing whatever
* name the user has authenticated to the system
*
* We obtain this information by digging around in the ticket file.
*/
*/
static
const
char
*
pg_krb5_authname
(
c
onst
c
har
*
PQerrormsg
)
pg_krb5_authname
(
char
*
PQerrormsg
)
{
krb5_ccache
ccache
;
krb5_principal
principal
;
krb5_error_code
code
;
static
char
*
authname
=
(
char
*
)
NULL
;
if
(
authname
)
return
authname
;
if
(
pg_krb5_init
(
PQerrormsg
)
!=
STATUS_OK
)
return
NULL
;
ccache
=
pg_krb5_init
();
/* don't free this */
if
(
code
=
krb5_cc_get_principal
(
ccache
,
&
principal
))
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_authname: Kerberos error %d in krb5_cc_get_principal
\n
"
,
code
);
com_err
(
"pg_krb5_authname"
,
code
,
"in krb5_cc_get_principal"
);
return
(
char
*
)
NULL
;
}
if
(
code
=
krb5_unparse_name
(
principal
,
&
authname
))
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_authname: Kerberos error %d in krb5_unparse_name
\n
"
,
code
);
com_err
(
"pg_krb5_authname"
,
code
,
"in krb5_unparse_name"
);
krb5_free_principal
(
principal
);
return
(
char
*
)
NULL
;
}
krb5_free_principal
(
principal
);
return
pg_an_to_ln
(
authname
);
return
pg_krb5_name
;
}
/*
* pg_krb5_sendauth -- client routine to send authentication information to
* the server
*
* This routine does not do mutual authentication, nor does it return enough
* information to do encrypted connections. But then, if we want to do
* encrypted connections, we'll have to redesign the whole RPC mechanism
* anyway.
*
* Server hostnames are canonicalized v4-style, i.e., all domain suffixes
* are simply chopped off. Hence, we are assuming that you've entered your
* server instances as
* <value-of-PG_KRB_SRVNAM>/<canonicalized-hostname>
* in the PGREALM (or local) database. This is probably a bad assumption.
*/
static
int
pg_krb5_sendauth
(
c
onst
c
har
*
PQerrormsg
,
int
sock
,
pg_krb5_sendauth
(
char
*
PQerrormsg
,
int
sock
,
struct
sockaddr_in
*
laddr
,
struct
sockaddr_in
*
raddr
,
const
char
*
hostname
)
{
char
servbuf
[
MAXHOSTNAMELEN
+
1
+
sizeof
(
PG_KRB_SRVNAM
)];
const
char
*
hostp
;
const
char
*
realm
;
krb5_error_code
code
;
krb5_principal
client
,
server
;
krb5_ccache
ccache
;
krb5_error
*
error
=
(
krb5_error
*
)
NULL
;
ccache
=
pg_krb5_init
();
/* don't free this */
/*
* set up client -- this is easy, we can get it out of the ticket
* file.
*/
if
(
code
=
krb5_cc_get_principal
(
ccache
,
&
client
))
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_sendauth: Kerberos error %d in krb5_cc_get_principal
\n
"
,
code
);
com_err
(
"pg_krb5_sendauth"
,
code
,
"in krb5_cc_get_principal"
);
krb5_error_code
retval
;
int
ret
;
krb5_principal
server
;
krb5_auth_context
auth_context
=
NULL
;
krb5_error
*
err_ret
=
NULL
;
int
flags
;
ret
=
pg_krb5_init
(
PQerrormsg
);
if
(
ret
!=
STATUS_OK
)
return
ret
;
retval
=
krb5_sname_to_principal
(
pg_krb5_context
,
hostname
,
PG_KRB_SRVNAM
,
KRB5_NT_SRV_HST
,
&
server
);
if
(
retval
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_sendauth: krb5_sname_to_principal: %s"
,
error_message
(
retval
));
return
STATUS_ERROR
;
}
/*
* set up server -- canonicalize as described above
/*
* libpq uses a non-blocking socket. But kerberos needs a blocking
* socket, and we have to block somehow to do mutual authentication
* anyway. So we temporarily make it blocking.
*/
strcpy
(
servbuf
,
PG_KRB_SRVNAM
);
*
(
hostp
=
servbuf
+
(
sizeof
(
PG_KRB_SRVNAM
)
-
1
))
=
'/'
;
if
(
hostname
||
*
hostname
)
strncpy
(
++
hostp
,
hostname
,
MAXHOSTNAMELEN
);
else
{
if
(
gethostname
(
++
hostp
,
MAXHOSTNAMELEN
)
<
0
)
strcpy
(
hostp
,
"localhost"
);
}
if
(
hostp
=
strchr
(
hostp
,
'.'
))
*
hostp
=
'\0'
;
if
(
realm
=
getenv
(
"PGREALM"
))
{
strcat
(
servbuf
,
"@"
);
strcat
(
servbuf
,
realm
);
}
if
(
code
=
krb5_parse_name
(
servbuf
,
&
server
))
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_sendauth: Kerberos error %d in krb5_parse_name
\n
"
,
code
);
com_err
(
"pg_krb5_sendauth"
,
code
,
"in krb5_parse_name"
);
krb5_free_principal
(
client
);
flags
=
fcntl
(
sock
,
F_GETFL
);
if
(
flags
<
0
||
fcntl
(
sock
,
F_SETFL
,
(
long
)(
flags
&
~
O_NONBLOCK
)))
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_sendauth: fcntl: %s"
,
strerror
(
errno
));
krb5_free_principal
(
pg_krb5_context
,
server
);
return
STATUS_ERROR
;
}
/*
* The only thing we want back from krb5_sendauth is an error status
* and any error messages.
*/
if
(
code
=
krb5_sendauth
((
krb5_pointer
)
&
sock
,
PG_KRB5_VERSION
,
client
,
server
,
(
krb5_flags
)
0
,
(
krb5_checksum
*
)
NULL
,
(
krb5_creds
*
)
NULL
,
ccache
,
(
krb5_int32
*
)
NULL
,
(
krb5_keyblock
**
)
NULL
,
&
error
,
(
krb5_ap_rep_enc_part
**
)
NULL
))
{
if
((
code
==
KRB5_SENDAUTH_REJECTED
)
&&
error
)
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_sendauth: authentication rejected:
\"
%*s
\"\n
"
,
error
->
text
.
length
,
error
->
text
.
data
);
retval
=
krb5_sendauth
(
pg_krb5_context
,
&
auth_context
,
(
krb5_pointer
)
&
sock
,
PG_KRB_SRVNAM
,
pg_krb5_client
,
server
,
AP_OPTS_MUTUAL_REQUIRED
,
NULL
,
0
,
/* no creds, use ccache instead */
pg_krb5_ccache
,
&
err_ret
,
NULL
,
NULL
);
if
(
retval
)
{
if
(
retval
==
KRB5_SENDAUTH_REJECTED
&&
err_ret
)
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_sendauth: authentication rejected:
\"
%*s
\"
"
,
err_ret
->
text
.
length
,
err_ret
->
text
.
data
);
}
else
{
(
void
)
sprintf
(
PQerrormsg
,
"pg_krb5_sendauth: Kerberos error %d in krb5_sendauth
\n
"
,
code
);
com_err
(
"pg_krb5_sendauth"
,
code
,
"in krb5_sendauth"
);
else
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_sendauth: krb5_sendauth: %s"
,
error_message
(
retval
));
}
if
(
err_ret
)
krb5_free_error
(
pg_krb5_context
,
err_ret
);
ret
=
STATUS_ERROR
;
}
krb5_free_principal
(
pg_krb5_context
,
server
);
if
(
fcntl
(
sock
,
F_SETFL
,
(
long
)
flags
))
{
snprintf
(
PQerrormsg
,
PQERRORMSG_LENGTH
,
"pg_krb5_sendauth: fcntl: %s"
,
strerror
(
errno
));
ret
=
STATUS_ERROR
;
}
krb5_free_principal
(
client
);
krb5_free_principal
(
server
);
return
code
?
STATUS_ERROR
:
STATUS_OK
;
return
ret
;
}
#endif
/* KRB5 */
...
...
src/interfaces/libpq/libpq-int.h
View file @
d45f7dfd
...
...
@@ -12,7 +12,7 @@
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
* Portions Copyright (c) 1994, Regents of the University of California
*
* $Id: libpq-int.h,v 1.2
5 2000/05/27 03:58:20
momjian Exp $
* $Id: libpq-int.h,v 1.2
6 2000/05/27 04:13:05
momjian Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -50,6 +50,7 @@
* POSTGRES backend dependent Constants.
*/
#define PQERRORMSG_LENGTH 1024
#define CMDSTATUS_LEN 40
/*
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
