Commit32c469d

committed
Allow krb_realm (krb5, gssapi and sspi) and krb_server_hostname (krb5 only)
authentication options to be set in pg_hba.conf on a per-line basis, to override the defaults set in postgresql.conf.
1 parentaf26089 commit32c469d

4 files changed

+90
-20
lines changed


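--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.115 2009/01/02 11:51:53 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.116 2009/01/07 12:38:10 mha Exp $ -->
 
 <chapter id="client-authentication">
 <title>Client Authentication</title>
@@ -784,6 +784,26 @@ omicron bryanh guest1
 </para>
 </listitem>
 </varlistentry>
+
+<varlistentry>
+<term>krb_realm</term>
+<listitem>
+<para>
+Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
+to verify the authenticated user principal against.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term>krb_server_hostname</term>
+<listitem>
+<para>
+Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which
+hostname will be used for the server principal when using Kerberos.
+</para>
+</listitem>
+</varlistentry>
 </variablelist>
 </para>
 </sect2>
@@ -825,6 +845,16 @@ omicron bryanh guest1
 </para>
 </listitem>
 </varlistentry>
+
+<varlistentry>
+<term>krb_realm</term>
+<listitem>
+<para>
+Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
+to verify the authenticated user principal against.
+</para>
+</listitem>
+</varlistentry>
 </variablelist>
 </para>
 </sect2>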

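--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.175 2009/01/01 17:23:42 momjian Exp $
+* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.176 2009/01/07 12:38:11 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -611,7 +611,7 @@ recv_and_check_password_packet(Port *port)
 #ifdefKRB5
 
 staticint
-pg_krb5_init(void)
+pg_krb5_init(Port*port)
 {
 krb5_error_coderetval;
 char*khostname;
@@ -645,7 +645,10 @@ pg_krb5_init(void)
 * If no hostname was specified, pg_krb_server_hostname is already NULL.
 * If it's set to blank, force it to NULL.
 */
-khostname=pg_krb_server_hostname;
+if (port->hba->krb_server_hostname)
+khostname=port->hba->krb_server_hostname;
+else
+khostname=pg_krb_server_hostname;
 if (khostname&&khostname[0]=='\0')
 khostname=NULL;
 
@@ -691,11 +694,12 @@ pg_krb5_recvauth(Port *port)
 krb5_ticket*ticket;
 char*kusername;
 char*cp;
+char*realmmatch;
 
 if (get_role_line(port->user_name)==NULL)
 returnSTATUS_ERROR;
 
-ret=pg_krb5_init();
+ret=pg_krb5_init(port);
 if (ret!=STATUS_OK)
 returnret;
 
@@ -736,33 +740,38 @@ pg_krb5_recvauth(Port *port)
 returnSTATUS_ERROR;
 }
 
+if (port->hba->krb_realm)
+realmmatch=port->hba->krb_realm;
+else
+realmmatch=pg_krb_realm;
+
 cp=strchr(kusername,'@');
 if (cp)
 {
 *cp='\0';
 cp++;
 
-if (pg_krb_realm!=NULL&&strlen(pg_krb_realm))
+if (realmmatch!=NULL&&strlen(realmmatch))
 {
 /* Match realm against configured */
 if (pg_krb_caseins_users)
-ret=pg_strcasecmp(pg_krb_realm,cp);
+ret=pg_strcasecmp(realmmatch,cp);
 else
-ret=strcmp(pg_krb_realm,cp);
+ret=strcmp(realmmatch,cp);
 
 if (ret)
 {
 elog(DEBUG2,
 "krb5 realm (%s) and configured realm (%s) don't match",
-cp,pg_krb_realm);
+cp,realmmatch);
 
 krb5_free_ticket(pg_krb5_context,ticket);
 krb5_auth_con_free(pg_krb5_context,auth_context);
 returnSTATUS_ERROR;
 }
 }
 }
-elseif (pg_krb_realm&&strlen(pg_krb_realm))
+elseif (realmmatch&&strlen(realmmatch))
 {
 elog(DEBUG2,
 "krb5 did not return realm but realm matching was requested");
@@ -859,6 +868,7 @@ pg_GSS_recvauth(Port *port)
 intret;
 StringInfoDatabuf;
 gss_buffer_descgbuf;
+char*realmmatch;
 
 /*
 * GSS auth is not supported for protocol versions before 3, because it
@@ -1018,6 +1028,11 @@ pg_GSS_recvauth(Port *port)
 gettext_noop("retrieving GSS user name failed"),
 maj_stat,min_stat);
 
+if (port->hba->krb_realm)
+realmmatch=port->hba->krb_realm;
+else
+realmmatch=pg_krb_realm;
+
 /*
 * Split the username at the realm separator
 */
@@ -1028,28 +1043,28 @@ pg_GSS_recvauth(Port *port)
 *cp='\0';
 cp++;
 
-if (pg_krb_realm!=NULL&&strlen(pg_krb_realm))
+if (realmmatch!=NULL&&strlen(realmmatch))
 {
 /*
 * Match the realm part of the name first
 */
 if (pg_krb_caseins_users)
-ret=pg_strcasecmp(pg_krb_realm,cp);
+ret=pg_strcasecmp(realmmatch,cp);
 else
-ret=strcmp(pg_krb_realm,cp);
+ret=strcmp(realmmatch,cp);
 
 if (ret)
 {
 /* GSS realm does not match */
 elog(DEBUG2,
 "GSSAPI realm (%s) and configured realm (%s) don't match",
-cp,pg_krb_realm);
+cp,realmmatch);
 gss_release_buffer(&lmin_s,&gbuf);
 returnSTATUS_ERROR;
 }
 }
 }
-elseif (pg_krb_realm&&strlen(pg_krb_realm))
+elseif (realmmatch&&strlen(realmmatch))
 {
 elog(DEBUG2,
 "GSSAPI did not return realm but realm matching was requested");
@@ -1113,6 +1128,7 @@ pg_SSPI_recvauth(Port *port)
 SID_NAME_USEaccountnameuse;
 HMODULEsecur32;
 QUERY_SECURITY_CONTEXT_TOKEN_FN_QuerySecurityContextToken;
+char*realmmatch;
 
 /*
 * SSPI auth is not supported for protocol versions before 3, because it
@@ -1325,13 +1341,18 @@ pg_SSPI_recvauth(Port *port)
 * Compare realm/domain if requested. In SSPI, always compare case
 * insensitive.
 */
-if (pg_krb_realm&&strlen(pg_krb_realm))
+if (port->hba->krb_realm)
+realmmatch=port->hba->krb_realm;
+else
+realmmatch=pg_krb_realm;
+
+if (realmmatch&&strlen(realmmatch))
 {
-if (pg_strcasecmp(pg_krb_realm,domainname))
+if (pg_strcasecmp(realmmatch,domainname))
 {
 elog(DEBUG2,
 "SSPI domain (%s) and configured domain (%s) don't match",
-domainname,pg_krb_realm);
+domainname,realmmatch);
 
 returnSTATUS_ERROR;
 }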
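Review bot: The per-line override is pasted three times as the same four lines (`if (port->hba->krb_realm) realmmatch = port->hba->krb_realm; else realmmatch = pg_krb_realm;` in pg_krb5_recvauth, pg_GSS_recvauth and pg_SSPI_recvauth), which is a style point: the precedence rule between the pg_hba.conf option and the krb_realm GUC now lives in three places and will drift the next time one path changes, so a small static helper is preferable. Worth stating in a comment as well: the override is a plain NULL test, so if the hba parser admits an empty value for krb_realm (outside this hunk), a line with `krb_realm=` disables realm verification for that line even when the GUC is set, because every caller then takes the `strlen(realmmatch) == 0` path; that mirrors the GUC's own blank-means-off behaviour but is a security-relevant precedence worth a sentence in client-auth.sgml. The three enclosing functions all start and end outside these hunks.
```c
/*
 * Realm the client principal must belong to: a krb_realm option on the
 * matching pg_hba.conf line takes precedence over the krb_realm GUC.
 * Either may be NULL or "", which the callers treat as "no realm check".
 */
static char *
krb_realm_for_port(Port *port)
{
	return port->hba->krb_realm ? port->hba->krb_realm : pg_krb_realm;
}

/* … in pg_krb5_recvauth, pg_GSS_recvauth and pg_SSPI_recvauth … */
	realmmatch = krb_realm_for_port(port);
```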

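--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
-* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.178 2009/01/02 11:34:03 mha Exp $
+* $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.179 2009/01/07 12:38:11 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -1040,6 +1040,19 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 REQUIRE_AUTH_OPTION(uaLDAP,"ldapsuffix","ldap");
 parsedline->ldapsuffix=pstrdup(c);
 }
+elseif (strcmp(token,"krb_server_hostname")==0)
+{
+REQUIRE_AUTH_OPTION(uaKrb5,"krb_server_hostname","krb5");
+parsedline->krb_server_hostname=pstrdup(c);
+}
+elseif (strcmp(token,"krb_realm")==0)
+{
+if (parsedline->auth_method!=uaKrb5&&
+parsedline->auth_method!=uaGSS&&
+parsedline->auth_method!=uaSSPI)
+INVALID_AUTH_OPTION("krb_realm","krb5, gssapi and sspi");
+parsedline->krb_realm=pstrdup(c);
+}
 else
 {
 ereport(LOG,
@@ -1242,6 +1255,10 @@ free_hba_record(HbaLine *record)
 pfree(record->ldapprefix);
 if (record->ldapsuffix)
 pfree(record->ldapsuffix);
+if (record->krb_server_hostname)
+pfree(record->krb_server_hostname);
+if (record->krb_realm)
+pfree(record->krb_realm);
 }
 
 /*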
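Review bot: The two new guards in free_hba_record (`if (record->krb_server_hostname) pfree(...)`) only work if the fields are NULL whenever the option was absent from the line, and the code that initialises the HbaLine before parse_hba_line fills it is outside this hunk; the existing ldapprefix/ldapsuffix guards suggest the record is zeroed, but that dependency is worth confirming and recording, e.g. `/* Relies on HbaLine being zero-initialised: unset options are NULL here. */` above the first guard. A smaller point in the parse_hba_line hunk: the new branches pstrdup the value without checking whether the option already appeared on the same line, so a repeated `krb_realm=` silently leaks the first copy and keeps the last — the same behaviour as the ldap options, so acceptable, but a one-line comment saying "last occurrence wins" would make it deliberate. Both enclosing functions begin before and end after the hunks shown.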

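--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -4,7 +4,7 @@
 * Interface to hba.c
 *
 *
-* $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.53 2008/11/20 11:48:26 mha Exp $
+* $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.54 2009/01/07 12:38:11 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -56,6 +56,8 @@ typedef struct
 char*ldapprefix;
 char*ldapsuffix;
 boolclientcert;
+char*krb_server_hostname;
+char*krb_realm;
 }HbaLine;
 
 typedefstructPorthbaPort;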
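Review bot: The two members added to HbaLine carry no comment, and their precedence and method restrictions (hostname for krb5 only, realm for krb5/gssapi/sspi) are only discoverable from hba.c and auth.c; a reader of the header should not have to go there. Suggested: `char *krb_server_hostname; /* krb5 only; NULL = use krb_server_hostname GUC */` and `char *krb_realm; /* krb5/gssapi/sspi; NULL = use krb_realm GUC */`. The struct's opening line is outside the hunk.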
