NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit2f1d2b7

committed

Set PAM_RHOST item for PAM authentication

The PAM_RHOST item is set to the remote IP address or host name and canbe used by PAM modules. A pg_hba.conf option is provided to choosebetween IP address and resolved host name.From: Grzegorz Sampolski <grzsmp@gmail.com>Reviewed-by: Haribabu Kommi <kommi.haribabu@gmail.com>

1 parent4e55b3f commit2f1d2b7Copy full SHA for 2f1d2b7

File tree

4 files changed

+52

-4

lines changed

doc/src/sgml
- client-auth.sgml
src
- backend/libpq
  - auth.c
  - hba.c
- include/libpq
  - hba.h

4 files changed

+52

-4

lines changed

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 19 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1617,10 +1617,11 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"`
`1617`	`1617`	`<literal>password</literal> except that it uses PAM (Pluggable`
`1618`	`1618`	`Authentication Modules) as the authentication mechanism. The`
`1619`	`1619`	`default PAM service name is <literal>postgresql</literal>.`
`1620`		`- PAM is used only to validate user name/password pairs.`
`1621`		`- Therefore the user must already exist in the database before PAM`
`1622`		`- can be used for authentication. For more information about`
`1623`		`- PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">`
	`1620`	`+ PAM is used only to validate user name/password pairs and optionally the`
	`1621`	`+ connected remote host name or IP address. Therefore the user must already`
	`1622`	`+ exist in the database before PAM can be used for authentication. For more`
	`1623`	`+ information about PAM, please read the`
	`1624`	`+ <ulink url="http://www.kernel.org/pub/linux/libs/pam/">`
`1624`	`1625`	`<productname>Linux-PAM</> Page</ulink>.`
`1625`	`1626`	`</para>`
`1626`	`1627`
`@@ -1635,6 +1636,20 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"`
`1635`	`1636`	`</para>`
`1636`	`1637`	`</listitem>`
`1637`	`1638`	`</varlistentry>`
	`1639`	`+ <varlistentry>`
	`1640`	`+ <term><literal>pam_use_hostname</literal></term>`
	`1641`	`+ <listitem>`
	`1642`	`+ <para>`
	`1643`	`+ Determines whether the remote IP address or the host name is provided`
	`1644`	`+ to PAM modules through the <symbol>PAM_RHOST</symbol> item. By`
	`1645`	`+ default, the IP address is used. Set this option to 1 to use the`
	`1646`	`+ resolved host name instead. Host name resolution can lead to login`
	`1647`	`+ delays. (Most PAM configurations don't use this information, so it is`
	`1648`	`+ only necessary to consider this setting if a PAM configuration was`
	`1649`	`+ specifically created to make use of it.)`
	`1650`	`+ </para>`
	`1651`	`+ </listitem>`
	`1652`	`+ </varlistentry>`
`1638`	`1653`	`</variablelist>`
`1639`	`1654`	`</para>`
`1640`	`1655`

`‎src/backend/libpq/auth.c`

Lines changed: 23 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1739,6 +1739,18 @@ CheckPAMAuth(Port port, char user, char *password)`
`1739`	`1739`	`{`
`1740`	`1740`	`intretval;`
`1741`	`1741`	`pam_handle_t*pamh=NULL;`
	`1742`	`+charhostinfo[NI_MAXHOST];`
	`1743`	`+`
	`1744`	`+retval=pg_getnameinfo_all(&port->raddr.addr,port->raddr.salen,`
	`1745`	`+hostinfo,sizeof(hostinfo),NULL,0,`
	`1746`	`+port->hba->pam_use_hostname ?0 :NI_NUMERICHOST \|NI_NUMERICSERV);`
	`1747`	`+if (retval!=0)`
	`1748`	`+{`
	`1749`	`+ereport(WARNING,`
	`1750`	`+(errmsg_internal("pg_getnameinfo_all() failed: %s",`
	`1751`	`+gai_strerror(retval))));`
	`1752`	`+returnSTATUS_ERROR;`
	`1753`	`+}`
`1742`	`1754`
`1743`	`1755`	`/*`
`1744`	`1756`	`* We can't entirely rely on PAM to pass through appdata --- it appears`
`@@ -1784,6 +1796,17 @@ CheckPAMAuth(Port port, char user, char *password)`
`1784`	`1796`	`returnSTATUS_ERROR;`
`1785`	`1797`	`}`
`1786`	`1798`
	`1799`	`+retval=pam_set_item(pamh,PAM_RHOST,hostinfo);`
	`1800`	`+`
	`1801`	`+if (retval!=PAM_SUCCESS)`
	`1802`	`+{`
	`1803`	`+ereport(LOG,`
	`1804`	`+(errmsg("pam_set_item(PAM_RHOST) failed: %s",`
	`1805`	`+pam_strerror(pamh,retval))));`
	`1806`	`+pam_passwd=NULL;`
	`1807`	`+returnSTATUS_ERROR;`
	`1808`	`+}`
	`1809`	`+`
`1787`	`1810`	`retval=pam_set_item(pamh,PAM_CONV,&pam_passw_conv);`
`1788`	`1811`
`1789`	`1812`	`if (retval!=PAM_SUCCESS)`

`‎src/backend/libpq/hba.c`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1447,6 +1447,15 @@ parse_hba_auth_opt(char name, char val, HbaLine *hbaline, int line_num)`
`1447`	`1447`	`REQUIRE_AUTH_OPTION(uaPAM,"pamservice","pam");`
`1448`	`1448`	`hbaline->pamservice=pstrdup(val);`
`1449`	`1449`	`}`
	`1450`	`+elseif (strcmp(name,"pam_use_hostname")==0)`
	`1451`	`+{`
	`1452`	`+REQUIRE_AUTH_OPTION(uaPAM,"pam_use_hostname","pam");`
	`1453`	`+if (strcmp(val,"1")==0)`
	`1454`	`+hbaline->pam_use_hostname= true;`
	`1455`	`+else`
	`1456`	`+hbaline->pam_use_hostname= false;`
	`1457`	`+`
	`1458`	`+}`
`1450`	`1459`	`elseif (strcmp(name,"ldapurl")==0)`
`1451`	`1460`	`{`
`1452`	`1461`	`#ifdefLDAP_API_FEATURE_X_OPENLDAP`

`‎src/include/libpq/hba.h`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,7 @@ typedef struct HbaLine`
`64`	`64`
`65`	`65`	`char*usermap;`
`66`	`66`	`char*pamservice;`
	`67`	`+boolpam_use_hostname;`
`67`	`68`	`boolldaptls;`
`68`	`69`	`char*ldapserver;`
`69`	`70`	`intldapport;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit2f1d2b7

File tree

4 files changed

4 files changed

`‎doc/src/sgml/client-auth.sgml`

`‎src/backend/libpq/auth.c`

`‎src/backend/libpq/hba.c`

`‎src/include/libpq/hba.h`

0 commit comments