1996-07-09 08:22:35 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
1999-02-14 00:22:53 +01:00
|
|
|
* auth.c
|
1997-09-07 07:04:48 +02:00
|
|
|
* Routines to handle network authentication
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2007-01-05 23:20:05 +01:00
|
|
|
* Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group
|
2000-01-26 06:58:53 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* IDENTIFICATION
|
2007-07-12 22:36:11 +02:00
|
|
|
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.153 2007/07/12 20:36:11 tgl Exp $
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
2001-06-20 20:07:56 +02:00
|
|
|
|
|
|
|
|
#include "postgres.h"
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2001-08-21 17:21:25 +02:00
|
|
|
#include <sys/param.h>
|
2001-09-07 21:52:54 +02:00
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
|
|
|
|
|
#include <sys/uio.h>
|
2001-08-21 02:33:28 +02:00
|
|
|
#include <sys/ucred.h>
|
|
|
|
|
#endif
|
1996-07-09 08:22:35 +02:00
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#include <arpa/inet.h>
|
2007-07-10 15:14:22 +02:00
|
|
|
#include <unistd.h>
|
2002-05-05 02:03:29 +02:00
|
|
|
|
1999-07-16 01:04:24 +02:00
|
|
|
#include "libpq/auth.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "libpq/crypt.h"
|
2006-07-13 18:49:20 +02:00
|
|
|
#include "libpq/ip.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "libpq/libpq.h"
|
2001-06-20 20:07:56 +02:00
|
|
|
#include "libpq/pqformat.h"
|
2002-05-05 02:03:29 +02:00
|
|
|
#include "storage/ipc.h"
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
static void sendAuthRequest(Port *port, AuthRequest areq);
|
2001-10-19 00:44:37 +02:00
|
|
|
static void auth_failed(Port *port, int status);
|
2003-04-19 02:02:30 +02:00
|
|
|
static char *recv_password_packet(Port *port);
|
2001-06-20 20:07:56 +02:00
|
|
|
static int recv_and_check_password_packet(Port *port);
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2001-03-22 05:01:46 +01:00
|
|
|
char *pg_krb_server_keyfile;
|
2005-10-15 04:49:52 +02:00
|
|
|
char *pg_krb_srvnam;
|
2005-06-04 22:42:43 +02:00
|
|
|
bool pg_krb_caseins_users;
|
2005-06-14 19:43:14 +02:00
|
|
|
char *pg_krb_server_hostname = NULL;
|
2000-08-25 12:00:35 +02:00
|
|
|
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
2003-02-14 15:05:00 +01:00
|
|
|
#ifdef HAVE_PAM_PAM_APPL_H
|
|
|
|
|
#include <pam/pam_appl.h>
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_SECURITY_PAM_APPL_H
|
2001-09-06 05:23:38 +02:00
|
|
|
#include <security/pam_appl.h>
|
2003-02-14 15:05:00 +01:00
|
|
|
#endif
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
#define PGSQL_PAM_SERVICE "postgresql" /* Service name passed to PAM */
|
|
|
|
|
|
|
|
|
|
static int CheckPAMAuth(Port *port, char *user, char *password);
|
|
|
|
|
static int pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
|
|
|
|
|
struct pam_response ** resp, void *appdata_ptr);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
|
|
|
|
static struct pam_conv pam_passw_conv = {
|
2001-10-25 07:50:21 +02:00
|
|
|
&pam_passwd_conv_proc,
|
|
|
|
|
NULL
|
2001-09-06 05:23:38 +02:00
|
|
|
};
|
|
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
static char *pam_passwd = NULL; /* Workaround for Solaris 2.6 brokenness */
|
2005-10-15 04:49:52 +02:00
|
|
|
static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
|
|
|
|
|
* pam_passwd_conv_proc */
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* USE_PAM */
|
2000-08-25 12:00:35 +02:00
|
|
|
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
|
|
|
|
#ifndef WIN32
|
2006-08-22 04:23:45 +02:00
|
|
|
/* We use a deprecated function to keep the codepath the same as win32. */
|
2006-03-06 18:41:44 +01:00
|
|
|
#define LDAP_DEPRECATED 1
|
|
|
|
|
#include <ldap.h>
|
|
|
|
|
#else
|
|
|
|
|
#include <winldap.h>
|
|
|
|
|
|
|
|
|
|
/* Correct header from the Platform SDK */
|
2006-10-04 02:30:14 +02:00
|
|
|
typedef
|
|
|
|
|
ULONG(*__ldap_start_tls_sA) (
|
|
|
|
|
IN PLDAP ExternalHandle,
|
|
|
|
|
OUT PULONG ServerReturnValue,
|
|
|
|
|
OUT LDAPMessage ** result,
|
|
|
|
|
IN PLDAPControlA * ServerControls,
|
|
|
|
|
IN PLDAPControlA * ClientControls
|
2006-03-06 18:41:44 +01:00
|
|
|
);
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
static int CheckLDAPAuth(Port *port);
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
#ifdef KRB5
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* MIT Kerberos authentication system - protocol version 5
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
2000-05-27 06:13:05 +02:00
|
|
|
#include <krb5.h>
|
2005-01-12 22:37:54 +01:00
|
|
|
/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
|
|
|
|
|
#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
|
|
|
|
|
#include <com_err.h>
|
|
|
|
|
#endif
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* pg_an_to_ln -- return the local name corresponding to an authentication
|
1997-09-07 07:04:48 +02:00
|
|
|
* name
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
* XXX Assumes that the first aname component is the user name. This is NOT
|
1997-09-07 07:04:48 +02:00
|
|
|
* necessarily so, since an aname can actually be something out of your
|
|
|
|
|
* worst X.400 nightmare, like
|
|
|
|
|
* ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
|
|
|
|
|
* Note that the MIT an_to_ln code does the same thing if you don't
|
|
|
|
|
* provide an aname mapping database...it may be a better idea to use
|
|
|
|
|
* krb5_an_to_ln, except that it punts if multiple components are found,
|
|
|
|
|
* and we can't afford to punt.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
1997-09-08 04:41:22 +02:00
|
|
|
static char *
|
1996-07-09 08:22:35 +02:00
|
|
|
pg_an_to_ln(char *aname)
|
|
|
|
|
{
|
1997-09-08 04:41:22 +02:00
|
|
|
char *p;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
|
|
|
|
if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
|
|
|
|
|
*p = '\0';
|
1998-09-01 05:29:17 +02:00
|
|
|
return aname;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
|
|
|
|
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2000-05-27 05:39:33 +02:00
|
|
|
/*
|
2000-05-27 06:13:05 +02:00
|
|
|
* Various krb5 state which is not connection specfic, and a flag to
|
|
|
|
|
* indicate whether we have initialised it yet.
|
2000-05-27 05:39:33 +02:00
|
|
|
*/
|
2001-03-22 05:01:46 +01:00
|
|
|
static int pg_krb5_initialised;
|
2000-05-27 06:13:05 +02:00
|
|
|
static krb5_context pg_krb5_context;
|
|
|
|
|
static krb5_keytab pg_krb5_keytab;
|
|
|
|
|
static krb5_principal pg_krb5_server;
|
|
|
|
|
|
|
|
|
|
|
2000-05-27 05:39:33 +02:00
|
|
|
static int
|
2000-05-27 06:13:05 +02:00
|
|
|
pg_krb5_init(void)
|
2000-05-27 05:39:33 +02:00
|
|
|
{
|
2000-05-27 06:13:05 +02:00
|
|
|
krb5_error_code retval;
|
2005-10-15 04:49:52 +02:00
|
|
|
char *khostname;
|
2000-05-27 05:58:20 +02:00
|
|
|
|
2000-05-27 06:13:05 +02:00
|
|
|
if (pg_krb5_initialised)
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
|
|
|
|
|
retval = krb5_init_context(&pg_krb5_context);
|
2001-03-22 05:01:46 +01:00
|
|
|
if (retval)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("Kerberos initialization returned error %d",
|
2003-07-22 21:00:12 +02:00
|
|
|
retval)));
|
2000-05-27 06:13:05 +02:00
|
|
|
com_err("postgres", retval, "while initializing krb5");
|
2000-05-27 05:39:33 +02:00
|
|
|
return STATUS_ERROR;
|
2000-05-27 05:58:20 +02:00
|
|
|
}
|
|
|
|
|
|
2000-08-25 12:00:35 +02:00
|
|
|
retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
|
2001-03-22 05:01:46 +01:00
|
|
|
if (retval)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("Kerberos keytab resolving returned error %d",
|
2003-07-22 21:00:12 +02:00
|
|
|
retval)));
|
|
|
|
|
com_err("postgres", retval, "while resolving keytab file \"%s\"",
|
2000-08-25 12:00:35 +02:00
|
|
|
pg_krb_server_keyfile);
|
2000-05-27 06:13:05 +02:00
|
|
|
krb5_free_context(pg_krb5_context);
|
|
|
|
|
return STATUS_ERROR;
|
2000-05-27 05:58:20 +02:00
|
|
|
}
|
|
|
|
|
|
2005-10-08 21:32:58 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* If no hostname was specified, pg_krb_server_hostname is already NULL.
|
|
|
|
|
* If it's set to blank, force it to NULL.
|
2005-10-08 21:32:58 +02:00
|
|
|
*/
|
|
|
|
|
khostname = pg_krb_server_hostname;
|
|
|
|
|
if (khostname && khostname[0] == '\0')
|
|
|
|
|
khostname = NULL;
|
|
|
|
|
|
|
|
|
|
retval = krb5_sname_to_principal(pg_krb5_context,
|
|
|
|
|
khostname,
|
|
|
|
|
pg_krb_srvnam,
|
|
|
|
|
KRB5_NT_SRV_HST,
|
|
|
|
|
&pg_krb5_server);
|
|
|
|
|
if (retval)
|
2001-03-22 05:01:46 +01:00
|
|
|
{
|
2005-10-08 21:32:58 +02:00
|
|
|
ereport(LOG,
|
2005-10-14 00:55:19 +02:00
|
|
|
(errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d",
|
2005-11-22 19:17:34 +01:00
|
|
|
khostname ? khostname : "server hostname", pg_krb_srvnam, retval)));
|
2005-10-08 21:32:58 +02:00
|
|
|
com_err("postgres", retval,
|
2005-10-15 04:49:52 +02:00
|
|
|
"while getting server principal for server \"%s\" for service \"%s\"",
|
2005-10-15 23:27:19 +02:00
|
|
|
khostname ? khostname : "server hostname", pg_krb_srvnam);
|
2005-10-08 21:32:58 +02:00
|
|
|
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
|
|
|
|
|
krb5_free_context(pg_krb5_context);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2000-05-27 06:13:05 +02:00
|
|
|
|
|
|
|
|
pg_krb5_initialised = 1;
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* pg_krb5_recvauth -- server routine to receive authentication information
|
|
|
|
|
* from the client
|
|
|
|
|
*
|
|
|
|
|
* We still need to compare the username obtained from the client's setup
|
2005-06-27 04:04:26 +02:00
|
|
|
* packet to the authenticated name.
|
2000-05-27 06:13:05 +02:00
|
|
|
*
|
|
|
|
|
* We have our own keytab file because postgres is unlikely to run as root,
|
|
|
|
|
* and so cannot read the default keytab.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
pg_krb5_recvauth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
krb5_error_code retval;
|
2001-03-22 05:01:46 +01:00
|
|
|
int ret;
|
2000-05-27 06:13:05 +02:00
|
|
|
krb5_auth_context auth_context = NULL;
|
|
|
|
|
krb5_ticket *ticket;
|
2001-03-22 05:01:46 +01:00
|
|
|
char *kusername;
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2007-02-08 05:52:18 +01:00
|
|
|
if (get_role_line(port->user_name) == NULL)
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
|
2000-05-27 06:13:05 +02:00
|
|
|
ret = pg_krb5_init();
|
|
|
|
|
if (ret != STATUS_OK)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
retval = krb5_recvauth(pg_krb5_context, &auth_context,
|
2005-10-08 21:32:58 +02:00
|
|
|
(krb5_pointer) & port->sock, pg_krb_srvnam,
|
2000-05-27 06:13:05 +02:00
|
|
|
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
|
2001-03-22 05:01:46 +01:00
|
|
|
if (retval)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("Kerberos recvauth returned error %d",
|
2003-07-22 21:00:12 +02:00
|
|
|
retval)));
|
2001-03-22 05:01:46 +01:00
|
|
|
com_err("postgres", retval, "from krb5_recvauth");
|
2000-05-27 06:13:05 +02:00
|
|
|
return STATUS_ERROR;
|
2001-03-22 05:01:46 +01:00
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The "client" structure comes out of the ticket and is therefore
|
|
|
|
|
* authenticated. Use it to check the username obtained from the
|
|
|
|
|
* postmaster startup packet.
|
2000-05-27 06:13:05 +02:00
|
|
|
*
|
|
|
|
|
* I have no idea why this is considered necessary.
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
2002-02-23 05:17:47 +01:00
|
|
|
#if defined(HAVE_KRB5_TICKET_ENC_PART2)
|
2001-03-22 05:01:46 +01:00
|
|
|
retval = krb5_unparse_name(pg_krb5_context,
|
2000-05-27 06:13:05 +02:00
|
|
|
ticket->enc_part2->client, &kusername);
|
2002-02-23 05:17:47 +01:00
|
|
|
#elif defined(HAVE_KRB5_TICKET_CLIENT)
|
|
|
|
|
retval = krb5_unparse_name(pg_krb5_context,
|
|
|
|
|
ticket->client, &kusername);
|
|
|
|
|
#else
|
|
|
|
|
#error "bogus configuration"
|
|
|
|
|
#endif
|
2001-03-22 05:01:46 +01:00
|
|
|
if (retval)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("Kerberos unparse_name returned error %d",
|
2003-07-22 21:00:12 +02:00
|
|
|
retval)));
|
2001-03-22 05:01:46 +01:00
|
|
|
com_err("postgres", retval, "while unparsing client name");
|
2000-05-27 06:13:05 +02:00
|
|
|
krb5_free_ticket(pg_krb5_context, ticket);
|
|
|
|
|
krb5_auth_con_free(pg_krb5_context, auth_context);
|
1998-09-01 05:29:17 +02:00
|
|
|
return STATUS_ERROR;
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
2000-05-27 06:13:05 +02:00
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
kusername = pg_an_to_ln(kusername);
|
2005-06-04 22:42:43 +02:00
|
|
|
if (pg_krb_caseins_users)
|
2005-07-25 06:52:32 +02:00
|
|
|
ret = pg_strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
|
2005-06-04 22:42:43 +02:00
|
|
|
else
|
|
|
|
|
ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
|
|
|
|
|
if (ret)
|
1997-09-07 07:04:48 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
|
2003-07-22 21:00:12 +02:00
|
|
|
port->user_name, kusername)));
|
2000-05-27 06:13:05 +02:00
|
|
|
ret = STATUS_ERROR;
|
1997-09-07 07:04:48 +02:00
|
|
|
}
|
2000-05-27 06:13:05 +02:00
|
|
|
else
|
|
|
|
|
ret = STATUS_OK;
|
2001-03-22 05:01:46 +01:00
|
|
|
|
2000-05-27 06:13:05 +02:00
|
|
|
krb5_free_ticket(pg_krb5_context, ticket);
|
|
|
|
|
krb5_auth_con_free(pg_krb5_context, auth_context);
|
|
|
|
|
free(kusername);
|
|
|
|
|
|
|
|
|
|
return ret;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
1996-10-12 09:47:12 +02:00
|
|
|
#else
|
2002-03-04 02:46:04 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
static int
|
1998-01-26 02:42:53 +01:00
|
|
|
pg_krb5_recvauth(Port *port)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
2003-09-25 08:58:07 +02:00
|
|
|
errmsg("Kerberos 5 not implemented on this server")));
|
1998-09-01 05:29:17 +02:00
|
|
|
return STATUS_ERROR;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* KRB5 */
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
#ifdef ENABLE_GSS
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* GSSAPI authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
2007-07-12 16:36:52 +02:00
|
|
|
#if defined(HAVE_GSSAPI_H)
|
|
|
|
|
#include <gssapi.h>
|
|
|
|
|
#else
|
2007-07-10 15:14:22 +02:00
|
|
|
#include <gssapi/gssapi.h>
|
2007-07-12 16:36:52 +02:00
|
|
|
#endif
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2007-07-12 16:43:21 +02:00
|
|
|
#if defined(WIN32) && !defined(WIN32_ONLY_COMPILER)
|
2007-07-10 15:14:22 +02:00
|
|
|
/*
|
2007-07-12 16:43:21 +02:00
|
|
|
* MIT Kerberos GSSAPI DLL doesn't properly export the symbols for MingW
|
2007-07-10 15:14:22 +02:00
|
|
|
* that contain the OIDs required. Redefine here, values copied
|
|
|
|
|
* from src/athena/auth/krb5/src/lib/gssapi/generic/gssapi_generic.c
|
|
|
|
|
*/
|
|
|
|
|
static const gss_OID_desc GSS_C_NT_USER_NAME_desc =
|
|
|
|
|
{10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"};
|
|
|
|
|
static GSS_DLLIMP gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_desc;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2007-07-11 10:27:33 +02:00
|
|
|
pg_GSS_error(int severity, char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
|
|
|
|
gss_buffer_desc gmsg;
|
|
|
|
|
OM_uint32 lmaj_s, lmin_s, msg_ctx;
|
2007-07-11 10:27:33 +02:00
|
|
|
char msg_major[128],
|
|
|
|
|
msg_minor[128];
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
/* Fetch major status message */
|
|
|
|
|
msg_ctx = 0;
|
|
|
|
|
lmaj_s = gss_display_status(&lmin_s, maj_stat, GSS_C_GSS_CODE,
|
|
|
|
|
GSS_C_NO_OID, &msg_ctx, &gmsg);
|
2007-07-11 10:27:33 +02:00
|
|
|
strlcpy(msg_major, gmsg.value, sizeof(msg_major));
|
2007-07-10 15:14:22 +02:00
|
|
|
gss_release_buffer(&lmin_s, &gmsg);
|
|
|
|
|
|
|
|
|
|
if (msg_ctx)
|
|
|
|
|
/* More than one message available.
|
|
|
|
|
* XXX: Should we loop and read all messages?
|
|
|
|
|
* (same below)
|
|
|
|
|
*/
|
|
|
|
|
ereport(WARNING,
|
|
|
|
|
(errmsg_internal("incomplete GSS error report")));
|
|
|
|
|
|
|
|
|
|
/* Fetch mechanism minor status message */
|
|
|
|
|
msg_ctx = 0;
|
|
|
|
|
lmaj_s = gss_display_status(&lmin_s, min_stat, GSS_C_MECH_CODE,
|
|
|
|
|
GSS_C_NO_OID, &msg_ctx, &gmsg);
|
2007-07-11 10:27:33 +02:00
|
|
|
strlcpy(msg_minor, gmsg.value, sizeof(msg_minor));
|
2007-07-10 15:14:22 +02:00
|
|
|
gss_release_buffer(&lmin_s, &gmsg);
|
|
|
|
|
|
|
|
|
|
if (msg_ctx)
|
|
|
|
|
ereport(WARNING,
|
|
|
|
|
(errmsg_internal("incomplete GSS minor error report")));
|
|
|
|
|
|
|
|
|
|
/* errmsg_internal, since translation of the first part must be
|
|
|
|
|
* done before calling this function anyway. */
|
|
|
|
|
ereport(severity,
|
2007-07-11 10:27:33 +02:00
|
|
|
(errmsg_internal("%s", errmsg),
|
|
|
|
|
errdetail("%s: %s", msg_major, msg_minor)));
|
2007-07-10 15:14:22 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
pg_GSS_recvauth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
OM_uint32 maj_stat, min_stat, lmin_s, gflags;
|
|
|
|
|
char *kt_path;
|
|
|
|
|
int mtype;
|
|
|
|
|
int ret;
|
|
|
|
|
StringInfoData buf;
|
|
|
|
|
gss_buffer_desc gbuf;
|
|
|
|
|
|
|
|
|
|
if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Set default Kerberos keytab file for the Krb5 mechanism.
|
|
|
|
|
*
|
|
|
|
|
* setenv("KRB5_KTNAME", pg_krb_server_keyfile, 0);
|
|
|
|
|
* except setenv() not always available.
|
|
|
|
|
*/
|
|
|
|
|
if (!getenv("KRB5_KTNAME"))
|
|
|
|
|
{
|
2007-07-12 16:43:21 +02:00
|
|
|
kt_path = palloc(MAXPGPATH + 13);
|
|
|
|
|
snprintf(kt_path, MAXPGPATH + 13,
|
2007-07-10 15:14:22 +02:00
|
|
|
"KRB5_KTNAME=%s", pg_krb_server_keyfile);
|
|
|
|
|
putenv(kt_path);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We accept any service principal that's present in our
|
|
|
|
|
* keytab. This increases interoperability between kerberos
|
|
|
|
|
* implementations that see for example case sensitivity
|
|
|
|
|
* differently, while not really opening up any vector
|
|
|
|
|
* of attack.
|
|
|
|
|
*/
|
|
|
|
|
port->gss->cred = GSS_C_NO_CREDENTIAL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Initialize sequence with an empty context
|
|
|
|
|
*/
|
|
|
|
|
port->gss->ctx = GSS_C_NO_CONTEXT;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Loop through GSSAPI message exchange. This exchange can consist
|
|
|
|
|
* of multiple messags sent in both directions. First message is always
|
|
|
|
|
* from the client. All messages from client to server are password
|
|
|
|
|
* packets (type 'p').
|
|
|
|
|
*/
|
|
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/* Only log error if client didn't disconnect. */
|
|
|
|
|
if (mtype != EOF)
|
|
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("expected GSS response, got message type %d",
|
|
|
|
|
mtype)));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Get the actual GSS token */
|
|
|
|
|
initStringInfo(&buf);
|
|
|
|
|
if (pq_getmessage(&buf, 2000))
|
|
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged error */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Map to GSSAPI style buffer */
|
|
|
|
|
gbuf.length = buf.len;
|
|
|
|
|
gbuf.value = buf.data;
|
|
|
|
|
|
2007-07-11 10:27:33 +02:00
|
|
|
elog(DEBUG4, "Processing received GSS token of length %u",
|
2007-07-12 22:36:11 +02:00
|
|
|
(unsigned int) gbuf.length);
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
maj_stat = gss_accept_sec_context(
|
|
|
|
|
&min_stat,
|
|
|
|
|
&port->gss->ctx,
|
|
|
|
|
port->gss->cred,
|
|
|
|
|
&gbuf,
|
|
|
|
|
GSS_C_NO_CHANNEL_BINDINGS,
|
|
|
|
|
&port->gss->name,
|
|
|
|
|
NULL,
|
|
|
|
|
&port->gss->outbuf,
|
|
|
|
|
&gflags,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL);
|
|
|
|
|
|
|
|
|
|
/* gbuf no longer used */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
|
2007-07-12 22:36:11 +02:00
|
|
|
elog(DEBUG5, "gss_accept_sec_context major: %d, "
|
|
|
|
|
"minor: %d, outlen: %u, outflags: %x",
|
|
|
|
|
maj_stat, min_stat,
|
|
|
|
|
(unsigned int) port->gss->outbuf.length, gflags);
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
if (port->gss->outbuf.length != 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Negotiation generated data to be sent to the client.
|
|
|
|
|
*/
|
2007-07-11 10:27:33 +02:00
|
|
|
elog(DEBUG4, "sending GSS response token of length %u",
|
2007-07-12 22:36:11 +02:00
|
|
|
(unsigned int) port->gss->outbuf.length);
|
2007-07-11 10:27:33 +02:00
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS_CONT);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
|
|
|
|
|
{
|
|
|
|
|
OM_uint32 lmin_s;
|
|
|
|
|
gss_delete_sec_context(&lmin_s, &port->gss->ctx, GSS_C_NO_BUFFER);
|
|
|
|
|
pg_GSS_error(ERROR,
|
|
|
|
|
gettext_noop("accepting GSS security context failed"),
|
|
|
|
|
maj_stat, min_stat);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maj_stat == GSS_S_CONTINUE_NEEDED)
|
2007-07-11 10:27:33 +02:00
|
|
|
elog(DEBUG4, "GSS continue needed");
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
} while (maj_stat == GSS_S_CONTINUE_NEEDED);
|
|
|
|
|
|
|
|
|
|
if (port->gss->cred != GSS_C_NO_CREDENTIAL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Release service principal credentials
|
|
|
|
|
*/
|
|
|
|
|
gss_release_cred(&min_stat, port->gss->cred);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* GSS_S_COMPLETE indicates that authentication is now complete.
|
|
|
|
|
*
|
|
|
|
|
* Get the name of the user that authenticated, and compare it to the
|
|
|
|
|
* pg username that was specified for the connection.
|
|
|
|
|
*/
|
|
|
|
|
maj_stat = gss_display_name(&min_stat, port->gss->name, &gbuf, NULL);
|
2007-07-11 10:27:33 +02:00
|
|
|
if (maj_stat != GSS_S_COMPLETE)
|
|
|
|
|
pg_GSS_error(ERROR,
|
|
|
|
|
gettext_noop("retreiving GSS user name failed"),
|
|
|
|
|
maj_stat, min_stat);
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Compare the part of the username that comes before the @
|
|
|
|
|
* sign only (ignore realm). The GSSAPI libraries won't have
|
|
|
|
|
* authenticated the user if he's from an invalid realm.
|
|
|
|
|
*/
|
|
|
|
|
if (strchr(gbuf.value, '@'))
|
|
|
|
|
{
|
|
|
|
|
char *cp = strchr(gbuf.value, '@');
|
|
|
|
|
*cp = '\0';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pg_krb_caseins_users)
|
|
|
|
|
ret = pg_strcasecmp(port->user_name, gbuf.value);
|
|
|
|
|
else
|
|
|
|
|
ret = strcmp(port->user_name, gbuf.value);
|
|
|
|
|
|
|
|
|
|
if (ret)
|
2007-07-11 10:27:33 +02:00
|
|
|
{
|
2007-07-10 15:14:22 +02:00
|
|
|
/* GSS name and PGUSER are not equivalent */
|
2007-07-11 10:27:33 +02:00
|
|
|
elog(DEBUG2,
|
|
|
|
|
"provided username (%s) and GSSAPI username (%s) don't match",
|
|
|
|
|
port->user_name, (char *)gbuf.value);
|
|
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#else /* no ENABLE_GSS */
|
|
|
|
|
static int
|
|
|
|
|
pg_GSS_recvauth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
|
errmsg("GSSAPI not implemented on this server.")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#endif /* ENABLE_GSS */
|
|
|
|
|
|
1998-01-26 02:42:53 +01:00
|
|
|
|
|
|
|
|
/*
|
1999-04-16 06:59:03 +02:00
|
|
|
* Tell the user the authentication failed, but not (much about) why.
|
|
|
|
|
*
|
|
|
|
|
* There is a tradeoff here between security concerns and making life
|
|
|
|
|
* unnecessarily difficult for legitimate users. We would not, for example,
|
|
|
|
|
* want to report the password we were expecting to receive...
|
|
|
|
|
* But it seems useful to report the username and authorization method
|
|
|
|
|
* in use, and these are items that must be presumed known to an attacker
|
|
|
|
|
* anyway.
|
|
|
|
|
* Note that many sorts of failure report additional information in the
|
|
|
|
|
* postmaster log, which we hope is only readable by good guys.
|
1998-01-26 02:42:53 +01:00
|
|
|
*/
|
1999-05-26 14:57:23 +02:00
|
|
|
static void
|
2001-10-19 00:44:37 +02:00
|
|
|
auth_failed(Port *port, int status)
|
1997-12-04 01:28:15 +01:00
|
|
|
{
|
2004-08-04 18:05:13 +02:00
|
|
|
const char *errstr;
|
1999-04-16 06:59:03 +02:00
|
|
|
|
2001-10-19 00:44:37 +02:00
|
|
|
/*
|
2001-10-25 07:50:21 +02:00
|
|
|
* If we failed due to EOF from client, just quit; there's no point in
|
2005-10-15 04:49:52 +02:00
|
|
|
* trying to send a message to the client, and not much point in logging
|
|
|
|
|
* the failure in the postmaster log. (Logging the failure might be
|
|
|
|
|
* desirable, were it not for the fact that libpq closes the connection
|
|
|
|
|
* unceremoniously if challenged for a password when it hasn't got one to
|
|
|
|
|
* send. We'll get a useless log entry for every psql connection under
|
|
|
|
|
* password auth, even if it's perfectly successful, if we log STATUS_EOF
|
|
|
|
|
* events.)
|
2001-10-19 00:44:37 +02:00
|
|
|
*/
|
|
|
|
|
if (status == STATUS_EOF)
|
|
|
|
|
proc_exit(0);
|
|
|
|
|
|
1999-04-16 06:59:03 +02:00
|
|
|
switch (port->auth_method)
|
|
|
|
|
{
|
|
|
|
|
case uaReject:
|
2004-10-12 23:54:45 +02:00
|
|
|
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
|
1999-04-16 06:59:03 +02:00
|
|
|
break;
|
|
|
|
|
case uaKrb5:
|
2004-10-12 23:54:45 +02:00
|
|
|
errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
|
1999-04-16 06:59:03 +02:00
|
|
|
break;
|
2007-07-10 15:14:22 +02:00
|
|
|
case uaGSS:
|
|
|
|
|
errstr = gettext_noop("GSSAPI authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
1999-04-16 06:59:03 +02:00
|
|
|
case uaTrust:
|
2004-10-12 23:54:45 +02:00
|
|
|
errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
|
1999-04-16 06:59:03 +02:00
|
|
|
break;
|
|
|
|
|
case uaIdent:
|
2004-10-12 23:54:45 +02:00
|
|
|
errstr = gettext_noop("Ident authentication failed for user \"%s\"");
|
1999-04-16 06:59:03 +02:00
|
|
|
break;
|
2001-08-15 20:42:16 +02:00
|
|
|
case uaMD5:
|
2001-08-17 17:40:07 +02:00
|
|
|
case uaCrypt:
|
2001-08-17 17:44:17 +02:00
|
|
|
case uaPassword:
|
2004-10-12 23:54:45 +02:00
|
|
|
errstr = gettext_noop("password authentication failed for user \"%s\"");
|
1999-04-16 06:59:03 +02:00
|
|
|
break;
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
|
|
|
|
case uaPAM:
|
2004-08-04 23:55:27 +02:00
|
|
|
errstr = gettext_noop("PAM authentication failed for user \"%s\"");
|
2001-09-06 05:23:38 +02:00
|
|
|
break;
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* USE_PAM */
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
2006-10-04 02:30:14 +02:00
|
|
|
case uaLDAP:
|
|
|
|
|
errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif /* USE_LDAP */
|
2004-08-29 07:07:03 +02:00
|
|
|
default:
|
2004-10-12 23:54:45 +02:00
|
|
|
errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
|
2004-08-04 18:05:13 +02:00
|
|
|
break;
|
1999-04-16 06:59:03 +02:00
|
|
|
}
|
|
|
|
|
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
2004-08-04 18:05:13 +02:00
|
|
|
errmsg(errstr, port->user_name)));
|
2001-10-19 00:44:37 +02:00
|
|
|
/* doesn't return */
|
1997-12-04 01:28:15 +01:00
|
|
|
}
|
|
|
|
|
|
1998-01-26 02:42:53 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
/*
|
2001-06-20 20:07:56 +02:00
|
|
|
* Client authentication starts here. If there is an error, this
|
|
|
|
|
* function does not return and the backend process is terminated.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
1998-02-26 05:46:47 +01:00
|
|
|
void
|
2001-06-20 20:07:56 +02:00
|
|
|
ClientAuthentication(Port *port)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2001-10-25 07:50:21 +02:00
|
|
|
int status = STATUS_ERROR;
|
1998-02-26 05:46:47 +01:00
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
/*
|
1998-01-26 02:42:53 +01:00
|
|
|
* Get the authentication method to use for this frontend/database
|
2005-10-15 04:49:52 +02:00
|
|
|
* combination. Note: a failure return indicates a problem with the hba
|
|
|
|
|
* config file, not with the request. hba.c should have dropped an error
|
|
|
|
|
* message into the postmaster logfile if it failed.
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
2000-04-12 19:17:23 +02:00
|
|
|
if (hba_getauthmethod(port) != STATUS_OK)
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
|
|
|
|
errmsg("missing or erroneous pg_hba.conf file"),
|
2003-09-25 08:58:07 +02:00
|
|
|
errhint("See server log for details.")));
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
switch (port->auth_method)
|
|
|
|
|
{
|
|
|
|
|
case uaReject:
|
|
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
|
|
|
|
* This could have come from an explicit "reject" entry in
|
|
|
|
|
* pg_hba.conf, but more likely it means there was no matching
|
2005-10-15 04:49:52 +02:00
|
|
|
* entry. Take pity on the poor user and issue a helpful error
|
|
|
|
|
* message. NOTE: this is not a security breach, because all the
|
|
|
|
|
* info reported here is known at the frontend and must be assumed
|
|
|
|
|
* known to bad guys. We're merely helping out the less clueful
|
|
|
|
|
* good guys.
|
2001-10-25 07:50:21 +02:00
|
|
|
*/
|
|
|
|
|
{
|
2003-08-04 02:43:34 +02:00
|
|
|
char hostinfo[NI_MAXHOST];
|
2003-06-12 09:36:51 +02:00
|
|
|
|
2005-10-17 18:24:20 +02:00
|
|
|
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
hostinfo, sizeof(hostinfo),
|
|
|
|
|
NULL, 0,
|
|
|
|
|
NI_NUMERICHOST);
|
2001-10-25 07:50:21 +02:00
|
|
|
|
At long last I put together a patch to support 4 client SSL negotiation
modes (and replace the requiressl boolean). The four options were first
spelled out by Magnus Hagander <mha@sollentuna.net> on 2000-08-23 in email
to pgsql-hackers, archived here:
http://archives.postgresql.org/pgsql-hackers/2000-08/msg00639.php
My original less-flexible patch and the ensuing thread are archived at:
http://dbforums.com/t623845.html
Attached is a new patch, including documentation.
To sum up, there's a new client parameter "sslmode" and environment
variable "PGSSLMODE", with these options:
sslmode description
------- -----------
disable Unencrypted non-SSL only
allow Negotiate, prefer non-SSL
prefer Negotiate, prefer SSL (default)
require Require SSL
The only change to the server is a new pg_hba.conf line type,
"hostnossl", for specifying connections that are not allowed to use SSL
(for example, to prevent servers on a local network from accidentally
using SSL and wasting cycles). Thus the 3 pg_hba.conf line types are:
pg_hba.conf line types
----------------------
host applies to either SSL or regular connections
hostssl applies only to SSL connections
hostnossl applies only to regular connections
These client and server options, the postgresql.conf ssl = false option,
and finally the possibility of compiling with no SSL support at all,
make quite a range of combinations to test. I threw together a test
script to try many of them out. It's in a separate tarball with its
config files, a patch to psql so it'll announce SSL connections even in
absence of a tty, and the test output. The test is especially informative
when run on the same tty the postmaster was started on, so the FATAL:
errors during negotiation are interleaved with the psql client output.
I saw Tom write that new submissions for 7.4 have to be in before midnight
local time, and since I'm on the east coast in the US, this just makes it
in before the bell. :)
Jon Jensen
2003-07-26 15:50:02 +02:00
|
|
|
#ifdef USE_SSL
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name, port->database_name,
|
|
|
|
|
port->ssl ? _("SSL on") : _("SSL off"))));
|
2003-07-26 17:22:22 +02:00
|
|
|
#else
|
|
|
|
|
ereport(FATAL,
|
2005-10-15 04:49:52 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
|
2005-06-27 04:04:26 +02:00
|
|
|
hostinfo, port->user_name, port->database_name)));
|
2003-07-26 17:22:22 +02:00
|
|
|
#endif
|
2001-10-25 07:50:21 +02:00
|
|
|
break;
|
|
|
|
|
}
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
case uaKrb5:
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_KRB5);
|
|
|
|
|
status = pg_krb5_recvauth(port);
|
|
|
|
|
break;
|
1998-01-29 04:24:36 +01:00
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
case uaGSS:
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS);
|
|
|
|
|
status = pg_GSS_recvauth(port);
|
|
|
|
|
break;
|
|
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
case uaIdent:
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2001-08-21 02:33:28 +02:00
|
|
|
/*
|
2001-10-25 07:50:21 +02:00
|
|
|
* If we are doing ident on unix-domain sockets, use SCM_CREDS
|
|
|
|
|
* only if it is defined and SO_PEERCRED isn't.
|
2001-08-21 02:33:28 +02:00
|
|
|
*/
|
2003-12-20 19:24:52 +01:00
|
|
|
#if !defined(HAVE_GETPEEREID) && !defined(SO_PEERCRED) && \
|
|
|
|
|
(defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || \
|
|
|
|
|
(defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS)))
|
|
|
|
|
if (port->raddr.addr.ss_family == AF_UNIX)
|
2001-08-21 02:33:28 +02:00
|
|
|
{
|
2003-12-20 19:24:52 +01:00
|
|
|
#if defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
|
2004-08-29 07:07:03 +02:00
|
|
|
|
2003-12-20 19:24:52 +01:00
|
|
|
/*
|
|
|
|
|
* Receive credentials on next message receipt, BSD/OS,
|
|
|
|
|
* NetBSD. We need to set this before the client sends the
|
|
|
|
|
* next packet.
|
|
|
|
|
*/
|
2001-10-25 07:50:21 +02:00
|
|
|
int on = 1;
|
|
|
|
|
|
2001-08-21 02:33:28 +02:00
|
|
|
if (setsockopt(port->sock, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode_for_socket_access(),
|
2005-10-15 04:49:52 +02:00
|
|
|
errmsg("could not enable credential reception: %m")));
|
2001-08-21 02:33:28 +02:00
|
|
|
#endif
|
2003-12-20 19:24:52 +01:00
|
|
|
|
2001-08-21 02:33:28 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_SCM_CREDS);
|
2003-12-20 19:24:52 +01:00
|
|
|
}
|
2001-08-21 02:33:28 +02:00
|
|
|
#endif
|
2001-08-02 01:25:39 +02:00
|
|
|
status = authident(port);
|
2001-06-20 20:07:56 +02:00
|
|
|
break;
|
1998-02-26 05:46:47 +01:00
|
|
|
|
2001-08-17 17:40:07 +02:00
|
|
|
case uaMD5:
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_MD5);
|
2001-08-15 20:42:16 +02:00
|
|
|
status = recv_and_check_password_packet(port);
|
2001-08-16 18:24:16 +02:00
|
|
|
break;
|
|
|
|
|
|
2001-10-19 00:44:37 +02:00
|
|
|
case uaCrypt:
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_CRYPT);
|
|
|
|
|
status = recv_and_check_password_packet(port);
|
2001-10-25 07:50:21 +02:00
|
|
|
break;
|
|
|
|
|
|
2001-10-19 00:44:37 +02:00
|
|
|
case uaPassword:
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD);
|
|
|
|
|
status = recv_and_check_password_packet(port);
|
|
|
|
|
break;
|
|
|
|
|
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
|
|
|
|
case uaPAM:
|
|
|
|
|
pam_port_cludge = port;
|
2003-04-25 05:28:55 +02:00
|
|
|
status = CheckPAMAuth(port, port->user_name, "");
|
2001-08-17 17:44:17 +02:00
|
|
|
break;
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* USE_PAM */
|
2001-08-17 17:44:17 +02:00
|
|
|
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
2006-10-04 02:30:14 +02:00
|
|
|
case uaLDAP:
|
|
|
|
|
status = CheckLDAPAuth(port);
|
|
|
|
|
break;
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif
|
|
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
case uaTrust:
|
|
|
|
|
status = STATUS_OK;
|
|
|
|
|
break;
|
1998-01-29 04:24:36 +01:00
|
|
|
}
|
2001-06-20 20:07:56 +02:00
|
|
|
|
|
|
|
|
if (status == STATUS_OK)
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_OK);
|
|
|
|
|
else
|
2001-10-19 00:44:37 +02:00
|
|
|
auth_failed(port, status);
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
1998-02-26 05:46:47 +01:00
|
|
|
|
1996-07-09 08:22:35 +02:00
|
|
|
|
|
|
|
|
/*
|
1998-01-26 02:42:53 +01:00
|
|
|
* Send an authentication request packet to the frontend.
|
1996-07-09 08:22:35 +02:00
|
|
|
*/
|
1998-02-26 05:46:47 +01:00
|
|
|
static void
|
2001-06-20 20:07:56 +02:00
|
|
|
sendAuthRequest(Port *port, AuthRequest areq)
|
1996-07-09 08:22:35 +02:00
|
|
|
{
|
2001-06-20 20:07:56 +02:00
|
|
|
StringInfoData buf;
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2003-04-22 02:08:07 +02:00
|
|
|
pq_beginmessage(&buf, 'R');
|
2001-06-20 20:07:56 +02:00
|
|
|
pq_sendint(&buf, (int32) areq, sizeof(int32));
|
1998-01-26 02:42:53 +01:00
|
|
|
|
|
|
|
|
/* Add the salt for encrypted passwords. */
|
2001-08-17 04:59:20 +02:00
|
|
|
if (areq == AUTH_REQ_MD5)
|
2001-09-21 22:31:49 +02:00
|
|
|
pq_sendbytes(&buf, port->md5Salt, 4);
|
|
|
|
|
else if (areq == AUTH_REQ_CRYPT)
|
|
|
|
|
pq_sendbytes(&buf, port->cryptSalt, 2);
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
#ifdef ENABLE_GSS
|
|
|
|
|
/* Add the authentication data for the next step of
|
|
|
|
|
* the GSSAPI negotiation. */
|
|
|
|
|
else if (areq == AUTH_REQ_GSS_CONT)
|
|
|
|
|
{
|
|
|
|
|
if (port->gss->outbuf.length > 0)
|
|
|
|
|
{
|
|
|
|
|
OM_uint32 lmin_s;
|
|
|
|
|
|
2007-07-11 10:27:33 +02:00
|
|
|
elog(DEBUG4, "sending GSS token of length %u",
|
2007-07-12 22:36:11 +02:00
|
|
|
(unsigned int) port->gss->outbuf.length);
|
2007-07-11 10:27:33 +02:00
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
pq_sendbytes(&buf, port->gss->outbuf.value, port->gss->outbuf.length);
|
|
|
|
|
gss_release_buffer(&lmin_s, &port->gss->outbuf);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
pq_endmessage(&buf);
|
2002-02-19 20:49:09 +01:00
|
|
|
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Flush message so client will see it, except for AUTH_REQ_OK, which need
|
|
|
|
|
* not be sent until we are ready for queries.
|
2002-02-19 20:49:09 +01:00
|
|
|
*/
|
|
|
|
|
if (areq != AUTH_REQ_OK)
|
|
|
|
|
pq_flush();
|
1998-01-26 02:42:53 +01:00
|
|
|
}
|
|
|
|
|
|
2002-02-19 20:49:09 +01:00
|
|
|
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* PAM conversation function
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int
|
2003-04-19 02:02:30 +02:00
|
|
|
pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
|
|
|
|
|
struct pam_response ** resp, void *appdata_ptr)
|
2001-09-06 05:23:38 +02:00
|
|
|
{
|
2001-10-25 07:50:21 +02:00
|
|
|
if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
|
|
|
|
|
{
|
|
|
|
|
switch (msg[0]->msg_style)
|
|
|
|
|
{
|
2001-09-06 05:23:38 +02:00
|
|
|
case PAM_ERROR_MSG:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("error from underlying PAM layer: %s",
|
|
|
|
|
msg[0]->msg)));
|
2001-09-06 05:23:38 +02:00
|
|
|
return PAM_CONV_ERR;
|
|
|
|
|
default:
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("unsupported PAM conversation %d/%s",
|
|
|
|
|
msg[0]->msg_style, msg[0]->msg)));
|
2001-09-06 05:23:38 +02:00
|
|
|
return PAM_CONV_ERR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
if (!appdata_ptr)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Workaround for Solaris 2.6 where the PAM library is broken and does
|
|
|
|
|
* not pass appdata_ptr to the conversation routine
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
|
|
|
|
appdata_ptr = pam_passwd;
|
|
|
|
|
}
|
|
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Password wasn't passed to PAM the first time around - let's go ask the
|
|
|
|
|
* client to send a password, which we then stuff into PAM.
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
2001-10-25 07:50:21 +02:00
|
|
|
if (strlen(appdata_ptr) == 0)
|
|
|
|
|
{
|
2003-04-19 02:02:30 +02:00
|
|
|
char *passwd;
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
sendAuthRequest(pam_port_cludge, AUTH_REQ_PASSWORD);
|
|
|
|
|
passwd = recv_password_packet(pam_port_cludge);
|
2002-04-04 06:25:54 +02:00
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
if (passwd == NULL)
|
|
|
|
|
return PAM_CONV_ERR; /* client didn't want to send password */
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
if (strlen(passwd) == 0)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("empty password returned by client")));
|
2001-09-06 05:23:38 +02:00
|
|
|
return PAM_CONV_ERR;
|
|
|
|
|
}
|
2003-04-19 02:02:30 +02:00
|
|
|
appdata_ptr = passwd;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
|
|
|
|
* Explicitly not using palloc here - PAM will free this memory in
|
2001-09-06 05:23:38 +02:00
|
|
|
* pam_end()
|
|
|
|
|
*/
|
|
|
|
|
*resp = calloc(num_msg, sizeof(struct pam_response));
|
2001-10-25 07:50:21 +02:00
|
|
|
if (!*resp)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
2001-10-25 07:50:21 +02:00
|
|
|
return PAM_CONV_ERR;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
(*resp)[0].resp = strdup((char *) appdata_ptr);
|
|
|
|
|
(*resp)[0].resp_retcode = 0;
|
|
|
|
|
|
|
|
|
|
return ((*resp)[0].resp ? PAM_SUCCESS : PAM_CONV_ERR);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check authentication against PAM.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
CheckPAMAuth(Port *port, char *user, char *password)
|
|
|
|
|
{
|
2001-10-25 07:50:21 +02:00
|
|
|
int retval;
|
2001-09-06 05:23:38 +02:00
|
|
|
pam_handle_t *pamh = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
2001-10-25 07:50:21 +02:00
|
|
|
* Apparently, Solaris 2.6 is broken, and needs ugly static variable
|
|
|
|
|
* workaround
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
|
|
|
|
pam_passwd = password;
|
|
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
|
|
|
|
* Set the application data portion of the conversation struct This is
|
|
|
|
|
* later used inside the PAM conversation to pass the password to the
|
|
|
|
|
* authentication module.
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passw_conv.appdata_ptr = (char *) password; /* from password above,
|
|
|
|
|
* not allocated */
|
2001-09-06 05:23:38 +02:00
|
|
|
|
|
|
|
|
/* Optionally, one can set the service name in pg_hba.conf */
|
2003-04-18 00:26:02 +02:00
|
|
|
if (port->auth_arg && port->auth_arg[0] != '\0')
|
|
|
|
|
retval = pam_start(port->auth_arg, "pgsql@",
|
|
|
|
|
&pam_passw_conv, &pamh);
|
2001-10-25 07:50:21 +02:00
|
|
|
else
|
2003-04-18 00:26:02 +02:00
|
|
|
retval = pam_start(PGSQL_PAM_SERVICE, "pgsql@",
|
|
|
|
|
&pam_passw_conv, &pamh);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not create PAM authenticator: %s",
|
2003-07-22 21:00:12 +02:00
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_set_item(pamh, PAM_USER, user);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_USER) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_CONV) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
retval = pam_authenticate(pamh, 0);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_authenticate failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
retval = pam_acct_mgmt(pamh, 0);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_acct_mgmt failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_end(pamh, retval);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not release PAM authenticator: %s",
|
2003-07-22 21:00:12 +02:00
|
|
|
pam_strerror(pamh, retval))));
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
2002-09-04 22:31:48 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
return (retval == PAM_SUCCESS ? STATUS_OK : STATUS_ERROR);
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* USE_PAM */
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2001-10-19 00:44:37 +02:00
|
|
|
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
2006-03-16 19:11:17 +01:00
|
|
|
|
2006-03-06 18:41:44 +01:00
|
|
|
static int
|
|
|
|
|
CheckLDAPAuth(Port *port)
|
|
|
|
|
{
|
2006-10-04 02:30:14 +02:00
|
|
|
char *passwd;
|
|
|
|
|
char server[128];
|
|
|
|
|
char basedn[128];
|
|
|
|
|
char prefix[128];
|
|
|
|
|
char suffix[128];
|
|
|
|
|
LDAP *ldap;
|
2006-11-06 02:27:52 +01:00
|
|
|
bool ssl = false;
|
2006-10-04 02:30:14 +02:00
|
|
|
int r;
|
|
|
|
|
int ldapversion = LDAP_VERSION3;
|
|
|
|
|
int ldapport = LDAP_PORT;
|
2006-11-06 02:27:52 +01:00
|
|
|
char fulluser[NAMEDATALEN + 256 + 1];
|
2006-10-04 02:30:14 +02:00
|
|
|
|
|
|
|
|
if (!port->auth_arg || port->auth_arg[0] == '\0')
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("LDAP configuration URL not specified")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Crack the LDAP url. We do a very trivial parse..
|
|
|
|
|
* ldap[s]://<server>[:<port>]/<basedn>[;prefix[;suffix]]
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
server[0] = '\0';
|
|
|
|
|
basedn[0] = '\0';
|
|
|
|
|
prefix[0] = '\0';
|
|
|
|
|
suffix[0] = '\0';
|
|
|
|
|
|
|
|
|
|
/* ldap, including port number */
|
|
|
|
|
r = sscanf(port->auth_arg,
|
2007-07-12 22:36:11 +02:00
|
|
|
"ldap://%127[^:]:%d/%127[^;];%127[^;];%127s",
|
2006-10-04 02:30:14 +02:00
|
|
|
server, &ldapport, basedn, prefix, suffix);
|
|
|
|
|
if (r < 3)
|
|
|
|
|
{
|
|
|
|
|
/* ldaps, including port number */
|
|
|
|
|
r = sscanf(port->auth_arg,
|
2007-07-12 22:36:11 +02:00
|
|
|
"ldaps://%127[^:]:%d/%127[^;];%127[^;];%127s",
|
2006-10-04 02:30:14 +02:00
|
|
|
server, &ldapport, basedn, prefix, suffix);
|
|
|
|
|
if (r >= 3)
|
2006-11-06 02:27:52 +01:00
|
|
|
ssl = true;
|
2006-10-04 02:30:14 +02:00
|
|
|
}
|
|
|
|
|
if (r < 3)
|
|
|
|
|
{
|
|
|
|
|
/* ldap, no port number */
|
|
|
|
|
r = sscanf(port->auth_arg,
|
|
|
|
|
"ldap://%127[^/]/%127[^;];%127[^;];%127s",
|
|
|
|
|
server, basedn, prefix, suffix);
|
|
|
|
|
}
|
|
|
|
|
if (r < 2)
|
|
|
|
|
{
|
|
|
|
|
/* ldaps, no port number */
|
|
|
|
|
r = sscanf(port->auth_arg,
|
|
|
|
|
"ldaps://%127[^/]/%127[^;];%127[^;];%127s",
|
|
|
|
|
server, basedn, prefix, suffix);
|
|
|
|
|
if (r >= 2)
|
2006-11-06 02:27:52 +01:00
|
|
|
ssl = true;
|
2006-10-04 02:30:14 +02:00
|
|
|
}
|
|
|
|
|
if (r < 2)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("invalid LDAP URL: \"%s\"",
|
2006-03-16 19:11:17 +01:00
|
|
|
port->auth_arg)));
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD);
|
|
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
|
|
|
|
|
|
|
|
|
ldap = ldap_init(server, ldapport);
|
|
|
|
|
if (!ldap)
|
|
|
|
|
{
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifndef WIN32
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not initialize LDAP: error code %d",
|
|
|
|
|
errno)));
|
2006-03-06 18:41:44 +01:00
|
|
|
#else
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not initialize LDAP: error code %d",
|
|
|
|
|
(int) LdapGetLastError())));
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((r = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) != LDAP_SUCCESS)
|
|
|
|
|
{
|
2006-11-06 02:27:52 +01:00
|
|
|
ldap_unbind(ldap);
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
2006-11-06 02:27:52 +01:00
|
|
|
(errmsg("could not set LDAP protocol version: error code %d", r)));
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ssl)
|
|
|
|
|
{
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifndef WIN32
|
2006-08-22 04:23:45 +02:00
|
|
|
if ((r = ldap_start_tls_s(ldap, NULL, NULL)) != LDAP_SUCCESS)
|
2006-03-06 18:41:44 +01:00
|
|
|
#else
|
2006-08-22 04:23:45 +02:00
|
|
|
static __ldap_start_tls_sA _ldap_start_tls_sA = NULL;
|
|
|
|
|
|
2006-08-21 21:21:38 +02:00
|
|
|
if (_ldap_start_tls_sA == NULL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Need to load this function dynamically because it does not
|
|
|
|
|
* exist on Windows 2000, and causes a load error for the whole
|
|
|
|
|
* exe if referenced.
|
|
|
|
|
*/
|
2006-10-04 02:30:14 +02:00
|
|
|
HANDLE ldaphandle;
|
|
|
|
|
|
2006-08-21 21:21:38 +02:00
|
|
|
ldaphandle = LoadLibrary("WLDAP32.DLL");
|
|
|
|
|
if (ldaphandle == NULL)
|
|
|
|
|
{
|
2006-10-04 02:30:14 +02:00
|
|
|
/*
|
|
|
|
|
* should never happen since we import other files from
|
|
|
|
|
* wldap32, but check anyway
|
|
|
|
|
*/
|
2006-11-06 02:27:52 +01:00
|
|
|
ldap_unbind(ldap);
|
2006-08-21 21:21:38 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not load wldap32.dll")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2006-10-04 02:30:14 +02:00
|
|
|
_ldap_start_tls_sA = (__ldap_start_tls_sA) GetProcAddress(ldaphandle, "ldap_start_tls_sA");
|
2006-08-21 21:21:38 +02:00
|
|
|
if (_ldap_start_tls_sA == NULL)
|
|
|
|
|
{
|
2006-11-06 02:27:52 +01:00
|
|
|
ldap_unbind(ldap);
|
2006-08-21 21:21:38 +02:00
|
|
|
ereport(LOG,
|
2006-10-06 19:14:01 +02:00
|
|
|
(errmsg("could not load function _ldap_start_tls_sA in wldap32.dll"),
|
|
|
|
|
errdetail("LDAP over SSL is not supported on this platform.")));
|
2006-08-21 21:21:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2006-11-06 02:27:52 +01:00
|
|
|
* Leak LDAP handle on purpose, because we need the library to stay
|
2006-08-21 21:21:38 +02:00
|
|
|
* open. This is ok because it will only ever be leaked once per
|
|
|
|
|
* process and is automatically cleaned up on process exit.
|
|
|
|
|
*/
|
|
|
|
|
}
|
2006-10-04 02:30:14 +02:00
|
|
|
if ((r = _ldap_start_tls_sA(ldap, NULL, NULL, NULL, NULL)) != LDAP_SUCCESS)
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
2006-11-06 02:27:52 +01:00
|
|
|
ldap_unbind(ldap);
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
2006-11-06 02:27:52 +01:00
|
|
|
(errmsg("could not start LDAP TLS session: error code %d", r)));
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-11-06 02:27:52 +01:00
|
|
|
snprintf(fulluser, sizeof(fulluser), "%s%s%s",
|
2006-03-16 19:11:17 +01:00
|
|
|
prefix, port->user_name, suffix);
|
2006-10-04 02:30:14 +02:00
|
|
|
fulluser[sizeof(fulluser) - 1] = '\0';
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
r = ldap_simple_bind_s(ldap, fulluser, passwd);
|
|
|
|
|
ldap_unbind(ldap);
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("LDAP login failed for user \"%s\" on server \"%s\": error code %d",
|
2006-03-16 19:11:17 +01:00
|
|
|
fulluser, server, r)));
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2006-03-16 19:11:17 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif /* USE_LDAP */
|
|
|
|
|
|
1998-01-26 02:42:53 +01:00
|
|
|
/*
|
2003-04-19 02:02:30 +02:00
|
|
|
* Collect password response packet from frontend.
|
|
|
|
|
*
|
|
|
|
|
* Returns NULL if couldn't get password, else palloc'd string.
|
1998-01-26 02:42:53 +01:00
|
|
|
*/
|
2003-04-19 02:02:30 +02:00
|
|
|
static char *
|
|
|
|
|
recv_password_packet(Port *port)
|
1998-01-26 02:42:53 +01:00
|
|
|
{
|
2001-06-20 20:07:56 +02:00
|
|
|
StringInfoData buf;
|
|
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
if (PG_PROTOCOL_MAJOR(port->proto) >= 3)
|
|
|
|
|
{
|
|
|
|
|
/* Expect 'p' message type */
|
2003-08-04 02:43:34 +02:00
|
|
|
int mtype;
|
2003-04-19 02:02:30 +02:00
|
|
|
|
|
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* If the client just disconnects without offering a password,
|
2005-10-15 04:49:52 +02:00
|
|
|
* don't make a log entry. This is legal per protocol spec and in
|
|
|
|
|
* fact commonly done by psql, so complaining just clutters the
|
|
|
|
|
* log.
|
2003-04-19 02:02:30 +02:00
|
|
|
*/
|
|
|
|
|
if (mtype != EOF)
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
2005-10-15 04:49:52 +02:00
|
|
|
errmsg("expected password response, got message type %d",
|
|
|
|
|
mtype)));
|
2003-04-19 02:02:30 +02:00
|
|
|
return NULL; /* EOF or bad message type */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* For pre-3.0 clients, avoid log entry if they just disconnect */
|
|
|
|
|
if (pq_peekbyte() == EOF)
|
|
|
|
|
return NULL; /* EOF */
|
|
|
|
|
}
|
2001-10-19 00:44:37 +02:00
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
initStringInfo(&buf);
|
2003-08-04 02:43:34 +02:00
|
|
|
if (pq_getmessage(&buf, 1000)) /* receive password */
|
2001-10-19 00:44:37 +02:00
|
|
|
{
|
2003-04-19 02:02:30 +02:00
|
|
|
/* EOF - pq_getmessage already logged a suitable message */
|
2001-10-19 00:44:37 +02:00
|
|
|
pfree(buf.data);
|
2003-04-19 02:02:30 +02:00
|
|
|
return NULL;
|
2001-10-19 00:44:37 +02:00
|
|
|
}
|
2002-09-04 22:31:48 +02:00
|
|
|
|
2002-08-27 18:21:51 +02:00
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Apply sanity check: password packet length should agree with length of
|
|
|
|
|
* contained string. Note it is safe to use strlen here because
|
2003-04-19 02:02:30 +02:00
|
|
|
* StringInfo is guaranteed to have an appended '\0'.
|
2002-08-27 18:21:51 +02:00
|
|
|
*/
|
2003-04-19 02:02:30 +02:00
|
|
|
if (strlen(buf.data) + 1 != buf.len)
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("invalid password packet size")));
|
2001-06-20 20:07:56 +02:00
|
|
|
|
2002-08-27 17:15:23 +02:00
|
|
|
/* Do not echo password to logs, for security. */
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(DEBUG5,
|
|
|
|
|
(errmsg("received password packet")));
|
2001-06-20 20:07:56 +02:00
|
|
|
|
2003-04-19 02:02:30 +02:00
|
|
|
/*
|
2003-08-04 02:43:34 +02:00
|
|
|
* Return the received string. Note we do not attempt to do any
|
2005-10-15 04:49:52 +02:00
|
|
|
* character-set conversion on it; since we don't yet know the client's
|
|
|
|
|
* encoding, there wouldn't be much point.
|
2003-04-19 02:02:30 +02:00
|
|
|
*/
|
|
|
|
|
return buf.data;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Called when we have sent an authorization request for a password.
|
|
|
|
|
* Get the response and check it.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
recv_and_check_password_packet(Port *port)
|
|
|
|
|
{
|
|
|
|
|
char *passwd;
|
|
|
|
|
int result;
|
|
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
|
|
|
|
|
|
|
|
|
result = md5_crypt_verify(port, port->user_name, passwd);
|
|
|
|
|
|
|
|
|
|
pfree(passwd);
|
2002-04-04 06:25:54 +02:00
|
|
|
|
2001-06-20 20:07:56 +02:00
|
|
|
return result;
|
1996-07-09 08:22:35 +02:00
|
|
|
}
|
