Commit 7618eaf

Avoid downcasing/truncation of RADIUS authentication parameters.

Commit 6b76f1b changed all the RADIUS auth parameters to be lists rather than single values. But its use of SplitIdentifierString to parse the list format was not very carefully thought through, because that function thinks it's parsing SQL identifiers, which means it will (a) downcase the strings and (b) truncate them to be shorter than NAMEDATALEN. While downcasing should be harmless for the server names and ports, it's just wrong for the shared secrets, and probably for the NAS Identifier strings as well. The truncation aspect is at least potentially a problem too, though typical values for these parameters would fit in 63 bytes.

Fortunately, we now have a function SplitGUCList that is exactly the same except for not doing the two unwanted things, so fixing this is a trivial matter of calling that function instead.

While here, improve the documentation to show how to double-quote the parameter values. I failed to resist the temptation to do some copy-editing as well.

Report and patch from Marcos David (bug #16106); doc changes by me.

Back-patch to v10 where the aforesaid commit came in, since this is arguably a regression from our previous behavior with RADIUS auth.

Discussion: https://postgr.es/m/16106-7d319e4295d08e70@postgresql.org

1 parent 2c7b5da, commit 7618eaf
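The commit message describes the bug in terms of two PostgreSQL list splitters, and the documentation hunk further down shows the two-layer double-quoting that pg_hba.conf needs for a value containing whitespace. The Python model below is an added illustration, not code from PostgreSQL or from this commit: it reproduces the two parsing layers (pg_hba.conf quoting, then SplitIdentifierString-style versus SplitGUCList-style list splitting) and the RFC 2865 User-Password hiding, so the effect of a downcased or truncated secret on an actual authentication attempt can be seen. `NAMEDATALEN`, `hba_unquote`, `parse_list`, `is_valid_list`, `hide_password` and `server_accepts` are names of this example; the sample secrets and the fixed Request Authenticator used below are constructed; error reporting and PostgreSQL's exact identifier downcasing rules are not reproduced.

```python
# Added illustration, not PostgreSQL source.  Layer 1 models the pg_hba.conf
# tokenizer's quoting (outer quotes dropped, "" inside quotes is one literal
# quote).  Layer 2 models SplitIdentifierString (downcase unquoted items,
# truncate every item to NAMEDATALEN-1 bytes) versus SplitGUCList (same
# syntax, values untouched).  hide_password/server_accepts model RFC 2865
# section 5.2, which is where a mangled shared secret makes itself felt.
import hashlib

NAMEDATALEN = 64  # PostgreSQL default: identifiers are limited to 63 bytes


def hba_unquote(token: str) -> str:
    """Layer 1: strip pg_hba.conf quoting from one already isolated value token."""
    out, in_quote, i = [], False, 0
    while i < len(token):
        c = token[i]
        if c == '"':
            if in_quote and token[i + 1:i + 2] == '"':
                out.append('"')  # doubled quote inside quotes is a literal quote
                i += 2
                continue
            in_quote = not in_quote
        else:
            out.append(c)
        i += 1
    return "".join(out)


def _split_list(raw: str, identifier_rules: bool) -> list:
    """Layer 2: split a comma list with optional double-quoted items."""
    items, i, n = [], 0, len(raw)
    while i < n:
        while i < n and raw[i].isspace():
            i += 1
        if i >= n:
            break
        if raw[i] == '"':  # quoted item: case is kept by both parsers
            buf, i = [], i + 1
            while i < n and not (raw[i] == '"' and raw[i + 1:i + 2] != '"'):
                if raw[i] == '"':
                    i += 1  # doubled quote: skip one, keep the other
                buf.append(raw[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted item")
            i += 1  # closing quote
            item = "".join(buf)
        else:  # unquoted item ends at a comma or whitespace
            start = i
            while i < n and raw[i] != "," and not raw[i].isspace():
                i += 1
            if start == i:
                raise ValueError("empty unquoted item")
            item = raw[start:i]
            if identifier_rules:
                item = item.lower()  # the downcasing the commit removes
        if identifier_rules:  # the NAMEDATALEN truncation the commit removes
            item = item.encode()[:NAMEDATALEN - 1].decode(errors="ignore")
        items.append(item)
        while i < n and raw[i].isspace():
            i += 1
        if i < n:
            if raw[i] != ",":
                raise ValueError("unexpected text after item")
            i += 1
    return items


def parse_list(hba_value: str, fixed: bool) -> list:
    """Value as written in pg_hba.conf -> list the RADIUS code receives."""
    return _split_list(hba_unquote(hba_value), identifier_rules=not fixed)


def is_valid_list(hba_value: str) -> bool:
    """Does the value pass list syntax at all (same syntax in both parsers)?"""
    try:
        parse_list(hba_value, fixed=True)
        return True
    except ValueError:
        return False


def hide_password(secret: str, authenticator: bytes, password: str) -> bytes:
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\0" * (-len(data) % 16)
    out, prev = b"", authenticator
    for off in range(0, len(data), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[off:off + 16], key))
        out += prev
    return out


def server_accepts(server_secret: str, authenticator: bytes,
                   hidden: bytes, expected_password: str) -> bool:
    """Server side of hide_password: only the matching secret recovers the password."""
    out, prev = b"", authenticator
    for off in range(0, len(hidden), 16):
        key = hashlib.md5(server_secret.encode() + prev).digest()
        prev = hidden[off:off + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\0") == expected_password.encode()
```

With `fixed=False` (an affected release) and the constructed secret `Correct-Horse-Battery`, the client hides the password under `correct-horse-battery`, and a RADIUS server holding the mixed-case secret cannot recover it, so authentication fails. A 70-byte unquoted secret comes out as 63 bytes. The same value written as `"""Correct-Horse-Battery"""` in pg_hba.conf kept its case even before this commit, because quoted items are not downcased by either parser; that is the workaround the old documentation never mentioned, and it did not escape the 63-byte truncation. `is_valid_list` shows why one layer of quotes is not enough: `"secret one"` is unquoted by the tokenizer to `secret one`, which the list splitter rejects as text after an item.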

File tree

2 files changed: +29 -18 lines changed

doc/src/sgml/client-auth.sgml

Lines changed: 25 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1824,7 +1824,7 @@ host ... ldap ldapbasedn="dc=example,dc=net"
18241824
<literal>user name</literal>, <literal>password</literal> (encrypted) and
18251825
<literal>NAS Identifier</literal>. The request will be encrypted using
18261826
a secret shared with the server. The RADIUS server will respond to
1827-
thisserver with either <literal>Access Accept</literal> or
1827+
thisrequest with either <literal>Access Accept</literal> or
18281828
<literal>Access Reject</literal>. There is no support for RADIUS accounting.
18291829
</para>
18301830

@@ -1833,11 +1833,11 @@ host ... ldap ldapbasedn="dc=example,dc=net"
18331833
be tried sequentially. If a negative response is received from
18341834
a server, the authentication will fail. If no response is received,
18351835
the next server in the list will be tried. To specify multiple
1836-
servers,put the nameswithin quotes andseparate theserver names
1837-
witha comma. If multiple servers are specified,all other RADIUS
1838-
options can also be given asacomma separate list, toapply
1839-
individual valuesto each server. They can also be specified as
1840-
a single value, in which casethis value will apply to all servers.
1836+
servers,separate theservernameswith commas andsurround thelist
1837+
withdouble quotes. If multiple servers are specified,the other
1838+
RADIUSoptions can also be given as comma-separated lists, toprovide
1839+
individual valuesfor each server. They can also be specified as
1840+
a single value, in which casethat value will apply to all servers.
18411841
</para>
18421842

18431843
<para>
@@ -1847,7 +1847,7 @@ host ... ldap ldapbasedn="dc=example,dc=net"
18471847
<term><literal>radiusservers</literal></term>
18481848
<listitem>
18491849
<para>
1850-
Thename or IP addresses of the RADIUS servers to connect to.
1850+
TheDNS names or IP addresses of the RADIUS servers to connect to.
18511851
This parameter is required.
18521852
</para>
18531853
</listitem>
@@ -1858,7 +1858,7 @@ host ... ldap ldapbasedn="dc=example,dc=net"
18581858
<listitem>
18591859
<para>
18601860
The shared secrets used when talking securely to the RADIUS
1861-
server. This must have exactly the same value on the PostgreSQL
1861+
servers. This must have exactly the same value on the PostgreSQL
18621862
and RADIUS servers. It is recommended that this be a string of
18631863
at least 16 characters. This parameter is required.
18641864
<note>
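Review bot: the paragraph at 1860-1863 still says nothing about case, although the point of this commit is that secrets were being silently downcased; add that the secret is used exactly as written (case-sensitive) and that it may now be longer than 63 bytes, since "at least 16 characters" is the only length guidance given. Anyone who configured a mixed-case secret on an affected release and matched the lowercased form on the RADIUS side will see authentication start failing after this back-patch, which deserves a release-note line.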
@@ -1878,8 +1878,9 @@ host ... ldap ldapbasedn="dc=example,dc=net"
18781878
<term><literal>radiusports</literal></term>
18791879
<listitem>
18801880
<para>
1881-
The port number on the RADIUS servers to connect to. If no port
1882-
is specified, the default port <literal>1812</literal> will be used.
1881+
The port numbers to connect to on the RADIUS servers. If no port
1882+
is specified, the default RADIUS port (<literal>1812</literal>)
1883+
will be used.
18831884
</para>
18841885
</listitem>
18851886
</varlistentry>
@@ -1888,10 +1889,10 @@ host ... ldap ldapbasedn="dc=example,dc=net"
18881889
<term><literal>radiusidentifiers</literal></term>
18891890
<listitem>
18901891
<para>
1891-
Thestringused as <literal>NAS Identifier</literal> in the RADIUS
1892-
requests. This parameter can be used as a second parameter
1893-
identifying for examplewhich databaseuser the user is attempting
1894-
to authenticate as, which can beused for policy matching on
1892+
Thestrings to beused as <literal>NAS Identifier</literal> in the
1893+
RADIUSrequests. This parameter can be used, for example, to
1894+
identifywhich databasecluster the user is attempting to connect
1895+
to, which can beuseful for policy matching on
18951896
the RADIUS server. If no identifier is specified, the default
18961897
<literal>postgresql</literal> will be used.
18971898
</para>
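Review bot: the rewrite at 1892-1895 drops the old claim that the identifier names the database user, which was wrong since the value is fixed per pg_hba.conf line, but "which database cluster" is only one use. Each pg_hba.conf entry carries its own radiusidentifiers, so the value can equally tag which entry (database, client network) matched; saying so would make the policy-matching sentence concrete.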
@@ -1900,6 +1901,16 @@ host ... ldap ldapbasedn="dc=example,dc=net"
19001901

19011902
</variablelist>
19021903
</para>
1904+
1905+
<para>
1906+
If it is necessary to have a comma or whitespace in a RADIUS parameter
1907+
value, that can be done by putting double quotes around the value, but
1908+
it is tedious because two layers of double-quoting are now required.
1909+
An example of putting whitespace into RADIUS secret strings is:
1910+
<programlisting>
1911+
host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""secret two"""
1912+
</programlisting>
1913+
</para>
19031914
</sect1>
19041915

19051916
<sect1 id="auth-cert">
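Review bot: the new paragraph at 1906-1908 says "double quotes around the value" without saying which layer consumes which quotes, and "now required" reads as a changelog remark in reference text. State that the outer quotes belong to the pg_hba.conf tokenizer and the inner, doubled quotes to the list syntax, so the whole list is quoted once and each item containing a comma or whitespace is quoted again inside it. The example at 1911 only exercises whitespace; one item with an embedded comma would cover the other case the sentence mentions.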

src/backend/libpq/hba.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1927,7 +1927,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19271927

19281928
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusservers","radius");
19291929

1930-
if (!SplitIdentifierString(dupval,',',&parsed_servers))
1930+
if (!SplitGUCList(dupval,',',&parsed_servers))
19311931
{
19321932
/* syntax error in list */
19331933
ereport(elevel,
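Review bot: this is the first of four identical call-site edits and none carries a comment saying why SplitGUCList is the right function; a one-line comment at 1930 ("values are not SQL identifiers: no downcasing, no NAMEDATALEN truncation") would stop a future cleanup from restoring SplitIdentifierString. Leaving "/* syntax error in list */" and the ereport that follows untouched is correct, since the two functions accept the same syntax.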
@@ -1976,7 +1976,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19761976

19771977
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusports","radius");
19781978

1979-
if (!SplitIdentifierString(dupval,',',&parsed_ports))
1979+
if (!SplitGUCList(dupval,',',&parsed_ports))
19801980
{
19811981
ereport(elevel,
19821982
(errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -2011,7 +2011,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
20112011

20122012
REQUIRE_AUTH_OPTION(uaRADIUS,"radiussecrets","radius");
20132013

2014-
if (!SplitIdentifierString(dupval,',',&parsed_secrets))
2014+
if (!SplitGUCList(dupval,',',&parsed_secrets))
20152015
{
20162016
/* syntax error in list */
20172017
ereport(elevel,
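Review bot: with the truncation gone at 2014, a secret longer than 63 bytes reaches the RADIUS client code intact for the first time; confirm that nothing downstream sizes a buffer for secret plus authenticator from NAMEDATALEN, since that bound was previously guaranteed by this parser. The commit says downcasing was "just wrong" for secrets, so this hunk is the security-relevant one and the one a regression test should cover, for example by checking via the pg_hba_file_rules view that a mixed-case radiussecrets value survives parsing unchanged.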
@@ -2033,7 +2033,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
20332033

20342034
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusidentifiers","radius");
20352035

2036-
if (!SplitIdentifierString(dupval,',',&parsed_identifiers))
2036+
if (!SplitGUCList(dupval,',',&parsed_identifiers))
20372037
{
20382038
/* syntax error in list */
20392039
ereport(elevel,
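Review bot: the identifier list at 2036 is no longer clipped to 63 bytes, but a RADIUS attribute's length field is a single octet, so a NAS-Identifier value cannot exceed 253 bytes; check that the code building the request reports an over-long identifier rather than relying on the truncation this change removed. The patch touches only the parser and the docs (2 files changed), so no test pins either the case or the length behaviour.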

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp