Commit d66e682

Avoid downcasing/truncation of RADIUS authentication parameters.
Commit 6b76f1b changed all the RADIUS auth parameters to be lists rather than single values. But its use of SplitIdentifierString to parse the list format was not very carefully thought through, because that function thinks it's parsing SQL identifiers, which means it will (a) downcase the strings and (b) truncate them to be shorter than NAMEDATALEN. While downcasing should be harmless for the server names and ports, it's just wrong for the shared secrets, and probably for the NAS Identifier strings as well. The truncation aspect is at least potentially a problem too, though typical values for these parameters would fit in 63 bytes.

Fortunately, we now have a function SplitGUCList that is exactly the same except for not doing the two unwanted things, so fixing this is a trivial matter of calling that function instead.

While here, improve the documentation to show how to double-quote the parameter values. I failed to resist the temptation to do some copy-editing as well.

Report and patch from Marcos David (bug #16106); doc changes by me.

Back-patch to v10 where the aforesaid commit came in, since this is arguably a regression from our previous behavior with RADIUS auth.

Discussion: https://postgr.es/m/16106-7d319e4295d08e70@postgresql.org
1 parent 94a9cb4 commit d66e682
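To make the two parsing layers the commit message talks about concrete, here is an added Python model of the behaviour; it is not PostgreSQL's code. It approximates the pg_hba.conf tokenizer's quote handling (outer quotes dropped, a doubled quote inside a quoted region becomes one literal quote) and the element splitting of SplitIdentifierString versus SplitGUCList. Assumptions of the model: ASCII-only downcasing, truncation counted in characters rather than bytes at NAMEDATALEN-1 = 63, and the function names `hba_unquote`, `split_list` and `parse_radius_option` are this model's own. It shows why the doubled-quote form in the documentation yields two secrets, and what the old identifier rules silently did to a mixed-case or over-long secret.

```python
"""Model (not PostgreSQL's own code) of how a RADIUS auth option value in
pg_hba.conf passes through two quoting layers:
  1. the pg_hba.conf tokenizer, which strips the outer double quotes and
     turns a doubled quote inside a quoted region into one literal quote;
  2. the list splitter, either the old SplitIdentifierString behaviour
     (downcase bare elements, truncate every element to NAMEDATALEN-1)
     or the SplitGUCList behaviour the fix switches to (neither).
Assumptions: ASCII-only downcasing, truncation counted in characters rather
than bytes, and every name below is this model's, not PostgreSQL's."""

NAMEDATALEN = 64  # PostgreSQL's identifier buffer size; a name holds 63 chars


def hba_unquote(token: str) -> str:
    """Layer 1: quote handling of the pg_hba.conf tokenizer for one token.

    Quote characters toggle a quoted region and are not passed through;
    inside a quoted region, "" yields one literal double quote.
    """
    out = []
    in_quote = False
    i = 0
    while i < len(token):
        c = token[i]
        if c == '"':
            if in_quote and token[i + 1:i + 2] == '"':
                out.append('"')          # doubled quote -> literal quote
                i += 2
                continue
            in_quote = not in_quote      # opening or closing quote, dropped
            i += 1
            continue
        out.append(c)
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote in pg_hba.conf token")
    return "".join(out)


def split_list(raw: str, separator: str = ",", identifier_rules: bool = False) -> list[str]:
    """Layer 2: split a separator-delimited list the way SplitGUCList does.

    Elements may be double-quoted (then "" collapses to " and the element
    is never downcased) or bare (then they end at the separator or at
    whitespace).  With identifier_rules=True the old SplitIdentifierString
    behaviour is modelled: bare elements are downcased and every element
    is truncated to NAMEDATALEN-1.  Raises ValueError for the inputs the
    C code rejects (mismatched quotes, empty bare element, junk between
    elements).
    """
    names: list[str] = []
    n = len(raw)
    i = 0
    while i < n and raw[i].isspace():
        i += 1
    if i == n:
        return names                     # an empty list is accepted
    while True:
        if i < n and raw[i] == '"':
            i += 1
            chars = []
            while True:
                if i >= n:
                    raise ValueError("mismatched quotes")
                if raw[i] == '"':
                    if raw[i + 1:i + 2] == '"':
                        chars.append('"')    # collapse "" to "
                        i += 2
                        continue
                    i += 1                   # terminating quote
                    break
                chars.append(raw[i])
                i += 1
            name = "".join(chars)
        else:
            start = i
            while i < n and raw[i] != separator and not raw[i].isspace():
                i += 1
            if start == i:
                raise ValueError("empty unquoted element")
            name = raw[start:i]
            if identifier_rules:
                name = name.lower()          # SplitIdentifierString downcases bare names
        while i < n and raw[i].isspace():
            i += 1
        if i < n and raw[i] == separator:
            i += 1
            while i < n and raw[i].isspace():
                i += 1
            done = False                     # another element is expected
        elif i == n:
            done = True
        else:
            raise ValueError("invalid list syntax")
        if identifier_rules:
            name = name[:NAMEDATALEN - 1]    # SplitIdentifierString truncates every name
        names.append(name)
        if done:
            return names


def parse_radius_option(value: str, identifier_rules: bool = False) -> list[str]:
    """Run the text after 'radiussecrets=' (etc.) through both layers."""
    return split_list(hba_unquote(value), ",", identifier_rules)


if __name__ == "__main__":
    # Constructed inputs; the first is the example from the documentation hunk.
    doc_example = '"""secret one"",""secret two"""'
    print(parse_radius_option(doc_example))                    # ['secret one', 'secret two']
    mixed = "MyS3cret,OtherSecret"
    print(parse_radius_option(mixed))                          # after the fix: case kept
    print(parse_radius_option(mixed, identifier_rules=True))   # before the fix: downcased
    long_secret = "A" * 80
    print(len(parse_radius_option(long_secret, identifier_rules=True)[0]))  # 63: truncated
```

The quoted-element branch is the same under both rule sets, which is why a secret wrapped in its own inner quotes escaped the downcasing even before the fix; the truncation, however, applied to every element, so a quoted 80-byte secret was still cut to 63.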

2 files changed (+29, -18 lines)

‎doc/src/sgml/client-auth.sgml

Lines changed: 25 additions & 14 deletions
@@ -1751,7 +1751,7 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
17511751
<literal>user name</literal>, <literal>password</literal> (encrypted) and
17521752
<literal>NAS Identifier</literal>. The request will be encrypted using
17531753
a secret shared with the server. The RADIUS server will respond to
1754-
thisserver with either <literal>Access Accept</literal> or
1754+
thisrequest with either <literal>Access Accept</literal> or
17551755
<literal>Access Reject</literal>. There is no support for RADIUS accounting.
17561756
</para>
17571757

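Review bot: the wording fix at 1754 ("this server" to "this request") is right, but the sentence it completes, at 1753, still says the request "will be encrypted using a secret shared with the server". In RADIUS only the User-Password attribute is obfuscated with the shared secret (MD5-based, RFC 2865); the Access-Request itself travels in the clear over UDP. While copy-editing this paragraph, consider "The password in the request is obfuscated using a secret shared with the server" so readers do not assume the rest of the exchange is confidential.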
@@ -1760,11 +1760,11 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
17601760
be tried sequentially. If a negative response is received from
17611761
a server, the authentication will fail. If no response is received,
17621762
the next server in the list will be tried. To specify multiple
1763-
servers,put the nameswithin quotes andseparate theserver names
1764-
witha comma. If multiple servers are specified,all other RADIUS
1765-
options can also be given asacomma separate list, toapply
1766-
individual valuesto each server. They can also be specified as
1767-
a single value, in which casethis value will apply to all servers.
1763+
servers,separate theservernameswith commas andsurround thelist
1764+
withdouble quotes. If multiple servers are specified,the other
1765+
RADIUSoptions can also be given as comma-separated lists, toprovide
1766+
individual valuesfor each server. They can also be specified as
1767+
a single value, in which casethat value will apply to all servers.
17681768
</para>
17691769

17701770
<para>
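Review bot: lines 1764-1767 say the other RADIUS options "can also be given as comma-separated lists, to provide individual values for each server", but do not say what happens when such a list has a different number of elements than radiusservers. Add a sentence stating the rule the parser enforces (one value, or exactly one value per server) so a mismatch is understood as a configuration error rather than left to the reader to guess.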
@@ -1774,7 +1774,7 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
17741774
<term><literal>radiusservers</literal></term>
17751775
<listitem>
17761776
<para>
1777-
Thename or IP addresses of the RADIUS servers to connect to.
1777+
TheDNS names or IP addresses of the RADIUS servers to connect to.
17781778
This parameter is required.
17791779
</para>
17801780
</listitem>
@@ -1785,7 +1785,7 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
17851785
<listitem>
17861786
<para>
17871787
The shared secrets used when talking securely to the RADIUS
1788-
server. This must have exactly the same value on the PostgreSQL
1788+
servers. This must have exactly the same value on the PostgreSQL
17891789
and RADIUS servers. It is recommended that this be a string of
17901790
at least 16 characters. This parameter is required.
17911791
<note>
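Review bot: with the pluralisation at 1788 the next sentence, "This must have exactly the same value on the PostgreSQL and RADIUS servers", now reads as if every server shares one secret. Suggest "Each secret must match the one configured on the corresponding RADIUS server". Since this patch stops the downcasing, it is also worth saying here that secrets are case-sensitive and are used exactly as written, so administrators who had lowercased their secrets to match the old behaviour know to reconcile them.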
@@ -1805,8 +1805,9 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
18051805
<term><literal>radiusports</literal></term>
18061806
<listitem>
18071807
<para>
1808-
The port number on the RADIUS servers to connect to. If no port
1809-
is specified, the default port <literal>1812</literal> will be used.
1808+
The port numbers to connect to on the RADIUS servers. If no port
1809+
is specified, the default RADIUS port (<literal>1812</literal>)
1810+
will be used.
18101811
</para>
18111812
</listitem>
18121813
</varlistentry>
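Review bot: lines 1808-1810 now describe per-server ports, which makes "If no port is specified" ambiguous: it could mean the whole parameter is absent or that an individual server has no entry. Suggest "If radiusports is omitted, the default RADIUS port (1812) is used for every server."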
@@ -1815,10 +1816,10 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
18151816
<term><literal>radiusidentifiers</literal></term>
18161817
<listitem>
18171818
<para>
1818-
Thestringused as <literal>NAS Identifier</literal> in the RADIUS
1819-
requests. This parameter can be used as a second parameter
1820-
identifying for examplewhich databaseuser the user is attempting
1821-
to authenticate as, which can beused for policy matching on
1819+
Thestrings to beused as <literal>NAS Identifier</literal> in the
1820+
RADIUSrequests. This parameter can be used, for example, to
1821+
identifywhich databasecluster the user is attempting to connect
1822+
to, which can beuseful for policy matching on
18221823
the RADIUS server. If no identifier is specified, the default
18231824
<literal>postgresql</literal> will be used.
18241825
</para>
@@ -1827,6 +1828,16 @@ host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapse
18271828

18281829
</variablelist>
18291830
</para>
1831+
1832+
<para>
1833+
If it is necessary to have a comma or whitespace in a RADIUS parameter
1834+
value, that can be done by putting double quotes around the value, but
1835+
it is tedious because two layers of double-quoting are now required.
1836+
An example of putting whitespace into RADIUS secret strings is:
1837+
<programlisting>
1838+
host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""secret two"""
1839+
</programlisting>
1840+
</para>
18301841
</sect1>
18311842

18321843
<sect1 id="auth-cert">
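Review bot: the new paragraph at 1832-1839 opens with commas but the example only shows whitespace; since a comma is the list separator, an embedded comma is the case most likely to trip people up. Add a second example such as radiussecrets="""a,b""" and say which layer each quote level belongs to: the outer quotes and the doubled inner quotes are consumed by the pg_hba.conf tokenizer, which turns "" into a literal ", and the quotes that survive are consumed by the list parser. Also, "two layers of double-quoting are now required" suggests new behaviour; "are required" is enough.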

‎src/backend/libpq/hba.c

Lines changed: 4 additions & 4 deletions
@@ -1881,7 +1881,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
18811881

18821882
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusservers","radius");
18831883

1884-
if (!SplitIdentifierString(dupval,',',&parsed_servers))
1884+
if (!SplitGUCList(dupval,',',&parsed_servers))
18851885
{
18861886
/* syntax error in list */
18871887
ereport(elevel,
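Review bot: the substitution at 1884 (and the three below it) is correct, but nothing in the code records why SplitGUCList rather than SplitIdentifierString is the right call, and a future reader could easily "fix" it back. Add a one-line comment above the first call, e.g. /* SplitGUCList, not SplitIdentifierString: values must not be downcased or truncated to NAMEDATALEN */, since that distinction is the whole point of this change.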
@@ -1930,7 +1930,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19301930

19311931
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusports","radius");
19321932

1933-
if (!SplitIdentifierString(dupval,',',&parsed_ports))
1933+
if (!SplitGUCList(dupval,',',&parsed_ports))
19341934
{
19351935
ereport(elevel,
19361936
(errcode(ERRCODE_CONFIG_FILE_ERROR),
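Review bot: the error branch at 1934-1936 lacks the /* syntax error in list */ comment that the radiusservers, radiussecrets and radiusidentifiers branches carry; add it so the four blocks read alike.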
@@ -1965,7 +1965,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19651965

19661966
REQUIRE_AUTH_OPTION(uaRADIUS,"radiussecrets","radius");
19671967

1968-
if (!SplitIdentifierString(dupval,',',&parsed_secrets))
1968+
if (!SplitGUCList(dupval,',',&parsed_secrets))
19691969
{
19701970
/* syntax error in list */
19711971
ereport(elevel,
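Review bot: because secrets are passed through verbatim after 1968, an installation whose secret contains uppercase letters and that worked on v10 and later only did so because the RADIUS server had been configured with the lowercased form; once this is back-patched, such installations will fail to authenticate until the secret is corrected on one side. That deserves a release-note entry for the minor releases this goes into; the commit message only calls it a regression fix.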
@@ -1987,7 +1987,7 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
19871987

19881988
REQUIRE_AUTH_OPTION(uaRADIUS,"radiusidentifiers","radius");
19891989

1990-
if (!SplitIdentifierString(dupval,',',&parsed_identifiers))
1990+
if (!SplitGUCList(dupval,',',&parsed_identifiers))
19911991
{
19921992
/* syntax error in list */
19931993
ereport(elevel,
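Review bot: SplitIdentifierString's truncation to 63 bytes incidentally guaranteed that each NAS Identifier fit in a RADIUS attribute; after 1990 the value can be any length, but a RADIUS attribute value is at most 253 bytes (one-byte length field covering a two-byte header, RFC 2865). Either check strlen() of each element of parsed_identifiers here and ereport an error beyond that limit, or confirm that the code building the Access-Request rejects oversized identifiers rather than emitting a malformed attribute.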
