Commit3a7c93e

From: Dan McGuirk <mcguirk@indirect.com>
Subject: [HACKERS] password authentication. This patch adds support for plaintext password authentication. To use it, you add a line like `host all 0.0.0.0 0.0.0.0 password pg_pwd.conf` to your pg_hba.conf, where 'pg_pwd.conf' is the name of a file containing the usernames and password hashes in the format of the first two fields of a Unix /etc/passwd file. (Of course, you can use a specific database name or IP instead.) Then, to connect with a password through libpq, you use the PQconnectdb() function, specifying the "password=" tag in the connect string and also adding the tag "authtype=password". I also added a command-line switch '-u' to psql that tells it to prompt for a username and password and use password authentication.
1 parent5dde558 commit3a7c93e

13 files changed

+345
-85
lines changed

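--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -4,7 +4,7 @@
 # Makefile for libpq subsystem (backend half of libpq interface)
 #
 # IDENTIFICATION
-# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.4 1996/11/14 10:23:51 bryanh Exp $
+# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.5 1997/03/12 21:17:45 scrappy Exp $
 #
 #-------------------------------------------------------------------------
 
@@ -24,7 +24,8 @@ LDADD+= $(KRBLIBS)
 endif
 
 OBJS = be-dumpdata.o be-fsstubs.o be-pqexec.o\
-       auth.o hba.o pqcomm.o portal.o util.o portalbuf.o pqpacket.o pqsignal.o
+       auth.o hba.o pqcomm.o portal.o util.o portalbuf.o pqpacket.o pqsignal.o\
+       password.o
 
 all: SUBSYS.o
 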
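--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.8 1996/11/16 08:09:15 bryanh Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.9 1997/03/12 21:17:48 scrappy Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -70,6 +70,7 @@
 #include <libpq/libpq.h>
 #include <libpq/libpq-be.h>
 #include <libpq/hba.h>
+#include <libpq/password.h>
 
 /*----------------------------------------------------------------
  * common definitions for generic fe/be routines
@@ -113,10 +114,11 @@ static struct authsvc authsvcs[] = {
     { "krb4", STARTUP_KRB4_MSG, 1 },
     { "krb5", STARTUP_KRB5_MSG, 1 },
 #if defined(KRB5)
-    { "kerberos", STARTUP_KRB5_MSG, 1 }
+    { "kerberos", STARTUP_KRB5_MSG, 1 },
 #else
-    { "kerberos", STARTUP_KRB4_MSG, 1 }
+    { "kerberos", STARTUP_KRB4_MSG, 1 },
 #endif
+    { "password", STARTUP_PASSWORD_MSG, 1 }
 };
 
 static n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
@@ -403,6 +405,26 @@ return(STATUS_ERROR);
 }
 #endif /* KRB5 */
 
+static int
+pg_password_recvauth(Port *port, char *database, char *DataDir)
+{
+    PacketBuf buf;
+    char *user, *password;
+
+    if (PacketReceive(port, &buf, BLOCKING) != STATUS_OK) {
+        sprintf(PQerrormsg,
+                "pg_password_recvauth: failed to receive authentication packet.\n");
+        fputs(PQerrormsg, stderr);
+        pqdebug("%s", PQerrormsg);
+        return STATUS_ERROR;
+    }
+
+    user = buf.data;
+    password = buf.data + strlen(user) + 1;
+
+    return verify_password(user, password, port, database, DataDir);
+}
+
 /*
  * be_recvauth -- server demux routine for incoming authentication information
  */
@@ -418,8 +440,8 @@ be_recvauth(MsgType msgtype_arg, Port *port, char *username, StartupInfo* sp)
      */
     if (msgtype_arg == STARTUP_MSG && useHostBasedAuth)
         msgtype = STARTUP_HBA_MSG;
-    else
-        msgtype = STARTUP_UNAUTH_MSG;
+    else
+        msgtype = msgtype_arg;
 
     if (!username) {
         (void) sprintf(PQerrormsg,
@@ -490,6 +512,21 @@ be_recvauth(MsgType msgtype_arg, Port *port, char *username, StartupInfo* sp)
             return(STATUS_ERROR);
         }
         break;
+    case STARTUP_PASSWORD_MSG:
+        if (!be_getauthsvc(msgtype)) {
+            sprintf(PQerrormsg,
+                    "be_recvauth: "
+                    "plaintext password authentication disallowed\n");
+            fputs(PQerrormsg, stderr);
+            pqdebug("%s", PQerrormsg);
+            return(STATUS_ERROR);
+        }
+        if (pg_password_recvauth(port, sp->database, DataDir) != STATUS_OK) {
+            /* pg_password_recvauth or lower-level routines have already set */
+            /* the error message */
+            return(STATUS_ERROR);
+        }
+        break;
     default:
         (void) sprintf(PQerrormsg,
                 "be_recvauth: unrecognized message type: %d\n",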
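--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.15 1997/01/14 01:56:44 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.16 1997/03/12 21:17:53 scrappy Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -30,31 +30,6 @@
 #include <port/inet_aton.h> /* For inet_aton() */
 
 
-#define CONF_FILE "pg_hba.conf"
-/* Name of the config file */
-
-#define MAP_FILE "pg_ident.conf"
-/* Name of the usermap file */
-
-#define OLD_CONF_FILE "pg_hba"
-/* Name of the config file in prior releases of Postgres. */
-
-#define MAX_LINES 255
-/* Maximum number of config lines that can apply to one database */
-
-#define MAX_TOKEN 80
-/* Maximum size of one token in the configuration file */
-
-#define USERMAP_NAME_SIZE 16 /* Max size of a usermap name */
-
-#define IDENT_PORT 113
-/* Standard TCP port number for Ident service. Assigned by IANA */
-
-#define IDENT_USERNAME_MAX 512
-/* Max size of username ident server can return */
-
-enum Userauth {Trust, Ident};
-
 /* Some standard C libraries, including GNU, have an isblank() function.
    Others, including Solaris, do not. So we have our own.
 */
@@ -108,7 +83,7 @@ read_through_eol(FILE *file) {
 
 static void
 read_hba_entry2(FILE *file, enum Userauth *userauth_p, char usermap_name[],
-                bool *error_p) {
+                bool *error_p, bool *matches_p, bool find_password_entries) {
 /*--------------------------------------------------------------------------
   Read from file FILE the rest of a host record, after the mask field,
   and return the interpretation of it as *userauth_p, usermap_name, and
@@ -120,34 +95,47 @@ read_hba_entry2(FILE *file, enum Userauth *userauth_p, char usermap_name[],
 
     /* Get authentication type token. */
     next_token(file, buf, sizeof(buf));
+    userauth_valid = false;
     if (buf[0] == '\0') {
         *error_p = true;
-        read_through_eol(file);
     } else {
-        if (strcmp(buf, "trust") == 0) {
-            userauth_valid = true;
+        userauth_valid = true;
+        if (strcmp(buf, "trust") == 0) {
             *userauth_p = Trust;
-        } else if (strcmp(buf, "ident") == 0) {
-            userauth_valid = true;
+        } else if (strcmp(buf, "ident") == 0) {
             *userauth_p = Ident;
-        } else userauth_valid = false;
+        } else if (strcmp(buf, "password") == 0) {
+            *userauth_p = Password;
+        } else {
+            userauth_valid = false;
+        }
+
+        if ((find_password_entries && strcmp(buf, "password") == 0) ||
+            (!find_password_entries && strcmp(buf, "password") != 0)) {
+            *matches_p = true;
+        } else {
+            *matches_p = false;
+        }
+    }
+
+    if (!userauth_valid || !*matches_p || *error_p) {
         if (!userauth_valid) {
             *error_p = true;
-            read_through_eol(file);
+        }
+        read_through_eol(file);
+    } else {
+        /* Get the map name token, if any */
+        next_token(file, buf, sizeof(buf));
+        if (buf[0] == '\0') {
+            *error_p = false;
+            usermap_name[0] = '\0';
         } else {
-            /* Get the map name token, if any */
+            strncpy(usermap_name, buf, USERMAP_NAME_SIZE);
             next_token(file, buf, sizeof(buf));
-            if (buf[0] == '\0') {
-                *error_p = false;
-                usermap_name[0] = '\0';
-            } else {
-                strncpy(usermap_name, buf, USERMAP_NAME_SIZE);
-                next_token(file, buf, sizeof(buf));
-                if (buf[0] != '\0') {
-                    *error_p = true;
-                    read_through_eol(file);
-                } else *error_p = false;
-            }
+            if (buf[0] != '\0') {
+                *error_p = true;
+                read_through_eol(file);
+            } else *error_p = false;
         }
     }
 }
@@ -158,7 +146,8 @@ static void
 process_hba_record(FILE *file,
                    const struct in_addr ip_addr, const char database[],
                    bool *matches_p, bool *error_p,
-                   enum Userauth *userauth_p, char usermap_name[] ) {
+                   enum Userauth *userauth_p, char usermap_name[],
+                   bool find_password_entries) {
 /*---------------------------------------------------------------------------
   Process the non-comment record in the config file that is next on the file.
   See if it applies to a connection to a host with IP address "ip_addr"
@@ -221,8 +210,7 @@ process_hba_record(FILE *file,
           the rest of the info from it.
         */
         read_hba_entry2(file, userauth_p, usermap_name,
-                        error_p);
-        *matches_p = true;
+                        error_p, matches_p, find_password_entries);
         if (*error_p) {
             sprintf(PQerrormsg,
                     "process_hba_record: invalid syntax in "
@@ -249,7 +237,7 @@ static void
 process_open_config_file(FILE *file,
                          const struct in_addr ip_addr, const char database[],
                          bool *host_ok_p, enum Userauth *userauth_p,
-                         char usermap_name[]) {
+                         char usermap_name[], bool find_password_entries) {
 /*---------------------------------------------------------------------------
   This function does the same thing as find_hba_entry, only with
   the config file already open on stream descriptor "file".
@@ -274,7 +262,8 @@ process_open_config_file(FILE *file,
             if (c == '#') read_through_eol(file);
             else {
                 process_hba_record(file, ip_addr, database,
-                                   &found_entry, &error, userauth_p, usermap_name);
+                                   &found_entry, &error, userauth_p, usermap_name,
+                                   find_password_entries);
             }
         }
     }
@@ -286,11 +275,11 @@ process_open_config_file(FILE *file,
 
 
 
-static void
+void
 find_hba_entry(const char DataDir[], const struct in_addr ip_addr,
                const char database[],
                bool *host_ok_p, enum Userauth *userauth_p,
-               char usermap_name[]) {
+               char usermap_name[], bool find_password_entries) {
 /*--------------------------------------------------------------------------
   Read the config file and find an entry that allows connection from
   host "ip_addr" to database "database". If not found, return
@@ -360,7 +349,7 @@ find_hba_entry(const char DataDir[], const struct in_addr ip_addr,
         pqdebug("%s", PQerrormsg);
     } else {
         process_open_config_file(file, ip_addr, database, host_ok_p, userauth_p,
-                                 usermap_name);
+                                 usermap_name, find_password_entries);
         fclose(file);
     }
     free(conf_file);
@@ -731,7 +720,8 @@ hba_recvauth(const Port *port, const char database[], const char user[],
 
 
     find_hba_entry(DataDir, port->raddr.sin_addr, database,
-                   &host_ok, &userauth, usermap_name);
+                   &host_ok, &userauth, usermap_name,
+                   false /* don't find password entries of type 'password' */);
 
     if (!host_ok) retvalue = STATUS_ERROR;
     else {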
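Review bot: The new `find_password_entries` argument threaded through read_hba_entry2, process_hba_record, process_open_config_file and the now-exported find_hba_entry is not described in any of their header comments, and its effect is easy to misread: in read_hba_entry2 (hunk at old line 120) a `password` record matches only when the flag is true and every other auth type only when it is false, so a host whose only pg_hba.conf entry is of type `password` is refused for trust/ident connections, and vice versa. I would add to read_hba_entry2's header comment: `find_password_entries selects which records count as a match: true returns only 'password' records, false only non-'password' ones; *matches_p reports the outcome.` Separately, `*matches_p` is assigned only in the non-empty-token branch, yet the combined test `if (!userauth_valid || !*matches_p || *error_p)` reads it afterwards; today the short-circuit on userauth_valid hides that, but setting `*matches_p = false;` next to the new `userauth_valid = false;` would make it robust. The old `*matches_p = true;` in process_hba_record was dropped, so on a syntax error the flag keeps whatever the caller passed in — presumably found_entry initialised to false in process_open_config_file, which is outside these hunks.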

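--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -7,7 +7,7 @@
  *
  *
  * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.11 1997/02/14 04:15:29 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.12 1997/03/12 21:17:58 scrappy Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -703,3 +703,29 @@ StreamOpen(char *hostName, short portName, Port *port)
 
     return(STATUS_OK);
 }
+
+static char *authentication_type_name[] = {
+    0, 0, 0, 0, 0, 0, 0,
+    "the default authentication type",
+    0, 0,
+    "Kerberos v4",
+    "Kerberos v5",
+    "host-based authentication",
+    "unauthenication",
+    "plaintext password authentication"
+};
+
+char *name_of_authentication_type(int type)
+{
+    char *result = 0;
+
+    if (type >= 1 && type <= LAST_AUTHENTICATION_TYPE) {
+        result = authentication_type_name[type];
+    }
+
+    if (result == 0) {
+        result = "<unknown authentication type>";
+    }
+
+    return result;
+}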
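Review bot: name_of_authentication_type bounds the table index with `LAST_AUTHENTICATION_TYPE`, but the table it indexes has 15 entries (indexes 0–14, `"plaintext password authentication"` last) and nothing in this hunk ties the macro to that length; if the macro, defined in a header outside this view, is larger than 14, or a new message type is added there before the table is extended, the lookup reads past the array and returns garbage to the caller. Bound by the table itself: `if (type >= 1 && type < (int)(sizeof(authentication_type_name) / sizeof(authentication_type_name[0])))`. The table holds string literals and is never written, so `static const char *const authentication_type_name[]` would be the honest declaration. The `"unauthenication"` entry is user-visible text and looks like a misspelling of "unauthentication".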

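--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.43 1997/03/02 02:17:32 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/postmaster/postmaster.c,v 1.44 1997/03/12 21:18:38 scrappy Exp $
  *
  * NOTES
  *
@@ -660,8 +660,8 @@ ConnStartup(Port *port, int *status,
         char buffer[200 + sizeof(namebuf)];
         sprintf(buffer,
                 "Failed to authenticate client as Postgres user '%s' "
-                "using authentication scheme %d.",
-                namebuf, msgType);
+                "using %s: %s",
+                namebuf, name_of_authentication_type(msgType), PQerrormsg);
         strncpy(errormsg, buffer, errormsg_len);
         *status = STATUS_ERROR;
     } else {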
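Review bot: The rewritten sprintf in ConnStartup now appends the auth-type name and the whole of `PQerrormsg` to `buffer[200 + sizeof(namebuf)]`, and the only length control on that buffer is the 200-byte margin; the fixed text plus the longest type name already use roughly 95 of those bytes, and PQerrormsg is an independent buffer whose messages (hba's "invalid syntax in ..." texts with configuration file names, for instance) can exceed what is left, so a long error overflows the stack buffer. Cap the copied text with a precision, `"using %s: %.100s"`, or format with `snprintf(buffer, sizeof(buffer), ...)` if it is available on the supported platforms. Bear in mind that this message is handed back to the client before it has authenticated, so whatever server-side detail PQerrormsg carries (file names, paths, reasons a lookup failed) is disclosed to an untrusted peer; logging the full text server-side and returning a generic reason would be safer. The enclosing `if` and ConnStartup itself extend outside the hunk.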
