Commit 4be69e2

Avoid downcasing/truncation of RADIUS authentication parameters.

Commit 6b76f1b changed all the RADIUS auth parameters to be lists rather than single values. But its use of SplitIdentifierString to parse the list format was not very carefully thought through, because that function thinks it's parsing SQL identifiers, which means it will (a) downcase the strings and (b) truncate them to be shorter than NAMEDATALEN. While downcasing should be harmless for the server names and ports, it's just wrong for the shared secrets, and probably for the NAS Identifier strings as well. The truncation aspect is at least potentially a problem too, though typical values for these parameters would fit in 63 bytes.

Fortunately, we now have a function SplitGUCList that is exactly the same except for not doing the two unwanted things, so fixing this is a trivial matter of calling that function instead.

While here, improve the documentation to show how to double-quote the parameter values. I failed to resist the temptation to do some copy-editing as well.

Report and patch from Marcos David (bug #16106); doc changes by me.

Back-patch to v10 where the aforesaid commit came in, since this is arguably a regression from our previous behavior with RADIUS auth.

Discussion: https://postgr.es/m/16106-7d319e4295d08e70@postgresql.org
1 parent e25c4b3 commit 4be69e2

2 files changed: +29 -18 lines changed

doc/src/sgml/client-auth.sgml

Lines changed: 25 additions & 14 deletions
@@ -1688,7 +1688,7 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
16881688
<literal>user name</>, <literal>password</> (encrypted) and
16891689
<literal>NAS Identifier</>. The request will be encrypted using
16901690
a secret shared with the server. The RADIUS server will respond to
1691-
thisserver with either <literal>Access Accept</> or
1691+
thisrequest with either <literal>Access Accept</> or
16921692
<literal>Access Reject</>. There is no support for RADIUS accounting.
16931693
</para>
16941694

@@ -1697,11 +1697,11 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
16971697
be tried sequentially. If a negative response is received from
16981698
a server, the authentication will fail. If no response is received,
16991699
the next server in the list will be tried. To specify multiple
1700-
servers,put the nameswithin quotes andseparate theserver names
1701-
witha comma. If multiple servers are specified,all other RADIUS
1702-
options can also be given asacomma separate list, toapply
1703-
individual valuesto each server. They can also be specified as
1704-
a single value, in which casethis value will apply to all servers.
1700+
servers,separate theservernameswith commas andsurround thelist
1701+
withdouble quotes. If multiple servers are specified,the other
1702+
RADIUSoptions can also be given as comma-separated lists, toprovide
1703+
individual valuesfor each server. They can also be specified as
1704+
a single value, in which casethat value will apply to all servers.
17051705
</para>
17061706

17071707
<para>
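Review bot: The rewritten paragraph says the other RADIUS options may be given as comma-separated lists with one value per server, but it still does not say what happens when such a list has a different number of entries than radiusservers; that mismatch is a configuration error an administrator will actually hit, so the paragraph should state that the lists must have the same length as radiusservers and how the error is reported, leaving the single-value form (last sentence) as the documented way to share one setting across all servers.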
@@ -1711,7 +1711,7 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
17111711
<term><literal>radiusservers</literal></term>
17121712
<listitem>
17131713
<para>
1714-
Thename or IP addresses of the RADIUS servers to connect to.
1714+
TheDNS names or IP addresses of the RADIUS servers to connect to.
17151715
This parameter is required.
17161716
</para>
17171717
</listitem>
@@ -1722,7 +1722,7 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
17221722
<listitem>
17231723
<para>
17241724
The shared secrets used when talking securely to the RADIUS
1725-
server. This must have exactly the same value on the PostgreSQL
1725+
servers. This must have exactly the same value on the PostgreSQL
17261726
and RADIUS servers. It is recommended that this be a string of
17271727
at least 16 characters. This parameter is required.
17281728
<note>
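Review bot: "server" to "servers" is right, but this paragraph is also where the user-visible effect of the hba.c change belongs: per the commit message, the secrets were being lower-cased and cut at 63 bytes before comparison, so a mixed-case or long secret that previously could not match now matches. One sentence stating that the secret is sent exactly as written (case preserved, full length) would tell readers why the "at least 16 characters" recommendation applies to the whole value and would help anyone diagnosing a RADIUS configuration that changes behaviour after the back-patched release.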
@@ -1742,8 +1742,9 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
17421742
<term><literal>radiusports</literal></term>
17431743
<listitem>
17441744
<para>
1745-
The port number on the RADIUS servers to connect to. If no port
1746-
is specified, the default port <literal>1812</> will be used.
1745+
The port numbers to connect to on the RADIUS servers. If no port
1746+
is specified, the default RADIUS port (<literal>1812</>)
1747+
will be used.
17471748
</para>
17481749
</listitem>
17491750
</varlistentry>
@@ -1752,10 +1753,10 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
17521753
<term><literal>radiusidentifiers</literal></term>
17531754
<listitem>
17541755
<para>
1755-
Thestringused as <literal>NAS Identifier</> in the RADIUS
1756-
requests. This parameter can be used as a second parameter
1757-
identifying for examplewhich databaseuser the user is attempting
1758-
to authenticate as, which can beused for policy matching on
1756+
Thestrings to beused as <literal>NAS Identifier</> in the
1757+
RADIUSrequests. This parameter can be used, for example, to
1758+
identifywhich databasecluster the user is attempting to connect
1759+
to, which can beuseful for policy matching on
17591760
the RADIUS server. If no identifier is specified, the default
17601761
<literal>postgresql</> will be used.
17611762
</para>
@@ -1764,6 +1765,16 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
17641765

17651766
</variablelist>
17661767
</para>
1768+
1769+
<para>
1770+
If it is necessary to have a comma or whitespace in a RADIUS parameter
1771+
value, that can be done by putting double quotes around the value, but
1772+
it is tedious because two layers of double-quoting are now required.
1773+
An example of putting whitespace into RADIUS secret strings is:
1774+
<programlisting>
1775+
host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""secret two"""
1776+
</programlisting>
1777+
</para>
17671778
</sect2>
17681779

17691780
<sect2 id="auth-cert">
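Review bot: In the new paragraph, "two layers of double-quoting are now required" reads as a reference to this commit rather than to the syntax; suggest "two layers of double-quoting are required". The example only shows whitespace inside a value; since the same quoting is what lets a value contain a comma or a literal double quote, a short clause saying how a quote character itself is written inside the inner layer would save readers from guessing, and "that can be done by putting double quotes around the value" could name which layer is the pg_hba.conf field quoting and which is the list-item quoting, since the example relies on both.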

src/backend/libpq/hba.c

Lines changed: 4 additions & 4 deletions
@@ -1851,7 +1851,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
18511851

18521852
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusservers","radius");
18531853

1854-
if (!SplitIdentifierString(dupval,',',&parsed_servers))
1854+
if (!SplitGUCList(dupval,',',&parsed_servers))
18551855
{
18561856
/* syntax error in list */
18571857
ereport(elevel,
@@ -1900,7 +1900,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19001900

19011901
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusports","radius");
19021902

1903-
if (!SplitIdentifierString(dupval,',',&parsed_ports))
1903+
if (!SplitGUCList(dupval,',',&parsed_ports))
19041904
{
19051905
ereport(elevel,
19061906
(errcode(ERRCODE_CONFIG_FILE_ERROR),
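Review bot: Style nit: the radiusports failure branch is the only one of the four that lacks the `/* syntax error in list */` comment carried by the radiusservers, radiussecrets and radiusidentifiers blocks; since this hunk already touches the line just above it, adding the comment here would keep the four blocks identical and make a later mechanical change (like this one) easier to verify by eye.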
@@ -1935,7 +1935,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19351935

19361936
REQUIRE_AUTH_OPTION(uaRADIUS,"radiussecrets","radius");
19371937

1938-
if (!SplitIdentifierString(dupval,',',&parsed_secrets))
1938+
if (!SplitGUCList(dupval,',',&parsed_secrets))
19391939
{
19401940
/* syntax error in list */
19411941
ereport(elevel,
@@ -1957,7 +1957,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19571957

19581958
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusidentifiers","radius");
19591959

1960-
if (!SplitIdentifierString(dupval,',',&parsed_identifiers))
1960+
if (!SplitGUCList(dupval,',',&parsed_identifiers))
19611961
{
19621962
/* syntax error in list */
19631963
ereport(elevel,
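Review bot: This is the fourth identical one-line swap in parse_hba_auth_opt, and as far as the hunks show it is correct: SplitGUCList is called with the same arguments (string, separator, output list) and the existing false-return error paths are kept, which is why no ereport needed to change. Two follow-ups belong in the same commit: grep hba.c for any remaining SplitIdentifierString call so that no RADIUS option is left with the downcasing and NAMEDATALEN truncation this fixes, and consider factoring the four copy-pasted parse blocks into one helper so the choice of list parser cannot drift apart again the way it did after 6b76f1b.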
