From a159ad30489acb7aeb35d95de805f81c64d07966 Mon Sep 17 00:00:00 2001 From: Neil Conway Date: Mon, 27 Jun 2005 02:04:26 +0000 Subject: [PATCH] Remove support for Kerberos V4. It seems no one is using this, it has some security issues, and upstream has declared it "dead". Patch from Magnus Hagander, minor editorialization from Neil Conway. --- configure | 387 +-------------------------- configure.in | 30 +-- doc/src/sgml/client-auth.sgml | 26 +- doc/src/sgml/installation.sgml | 6 +- doc/src/sgml/libpq.sgml | 6 +- doc/src/sgml/protocol.sgml | 59 +--- src/backend/libpq/auth.c | 100 +------ src/backend/libpq/hba.c | 7 +- src/backend/libpq/pg_hba.conf.sample | 2 +- src/include/libpq/auth.h | 5 +- src/include/libpq/hba.h | 3 +- src/include/libpq/pqcomm.h | 4 +- src/include/pg_config.h.in | 3 - src/include/port.h | 6 +- src/interfaces/libpq/Makefile | 4 +- src/interfaces/libpq/fe-auth.c | 169 +----------- src/interfaces/libpq/fe-auth.h | 11 +- src/interfaces/libpq/fe-connect.c | 8 +- src/interfaces/libpq/libpq-int.h | 4 +- 19 files changed, 46 insertions(+), 794 deletions(-) diff --git a/configure b/configure index 3d33f8c796..d09f26db54 100755 --- a/configure +++ b/configure @@ -867,7 +867,6 @@ Optional Packages: --with-tclconfig=DIR tclConfig.sh is in DIR --with-perl build Perl modules (PL/Perl) --with-python build Python modules (PL/Python) - --with-krb4 build with Kerberos 4 support --with-krb5 build with Kerberos 5 support --with-krb-srvnam=NAME name of the default service principal in Kerberos [postgres] --with-pam build with PAM support 
@@ -3257,49 +3256,6 @@ echo "$as_me:$LINENO: result: $with_python" >&5 echo "${ECHO_T}$with_python" >&6 -# -# Kerberos 4 -# -echo "$as_me:$LINENO: checking whether to build with Kerberos 4 support" >&5 -echo $ECHO_N "checking whether to build with Kerberos 4 support... $ECHO_C" >&6 - - - -# Check whether --with-krb4 or --without-krb4 was given. -if test "${with_krb4+set}" = set; then - withval="$with_krb4" - - case $withval in - yes) - - -cat >>confdefs.h <<\_ACEOF -#define KRB4 1 -_ACEOF - - krb_srvtab="/etc/srvtab" - - ;; - no) - : - ;; - *) - { { echo "$as_me:$LINENO: error: no argument expected for --with-krb4 option" >&5 -echo "$as_me: error: no argument expected for --with-krb4 option" >&2;} - { (exit 1); exit 1; }; } - ;; - esac - -else - with_krb4=no - -fi; - -echo "$as_me:$LINENO: result: $with_krb4" >&5 -echo "${ECHO_T}$with_krb4" >&6 - - - # # Kerberos 5 # @@ -3343,13 +3299,6 @@ echo "${ECHO_T}$with_krb5" >&6 -# Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work. -if test "$with_krb4" = yes && test "$with_krb5" = yes ; then - { { echo "$as_me:$LINENO: error: Kerberos 4 and Kerberos 5 support cannot be combined" >&5 -echo "$as_me: error: Kerberos 4 and Kerberos 5 support cannot be combined" >&2;} - { (exit 1); exit 1; }; } -fi - 
@@ -6137,226 +6086,6 @@ echo "$as_me: WARNING: *** Not using spinlocks will cause poor performance." >&2;} fi -if test "$with_krb4" = yes ; then - -echo "$as_me:$LINENO: checking for des_encrypt in -ldes" >&5 -echo $ECHO_N "checking for des_encrypt in -ldes... $ECHO_C" >&6 -if test "${ac_cv_lib_des_des_encrypt+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ldes $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line $LINENO "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char des_encrypt (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -des_encrypt (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_des_des_encrypt=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_des_des_encrypt=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:$LINENO: result: $ac_cv_lib_des_des_encrypt" >&5 -echo "${ECHO_T}$ac_cv_lib_des_des_encrypt" >&6 -if test $ac_cv_lib_des_des_encrypt = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBDES 1 -_ACEOF - - LIBS="-ldes $LIBS" - -else - { { echo "$as_me:$LINENO: error: library 'des' is required for Kerberos 4" >&5 -echo "$as_me: error: library 'des' is required for Kerberos 4" >&2;} - { (exit 1); exit 1; }; } -fi - - -echo "$as_me:$LINENO: checking for krb_sendauth in -lkrb" >&5 -echo $ECHO_N "checking for krb_sendauth in -lkrb... $ECHO_C" >&6 -if test "${ac_cv_lib_krb_krb_sendauth+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lkrb $LIBS" -cat >conftest.$ac_ext <<_ACEOF -#line $LINENO "configure" -#include "confdefs.h" - -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char krb_sendauth (); -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -krb_sendauth (); - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); }; }; then - ac_cv_lib_krb_krb_sendauth=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_cv_lib_krb_krb_sendauth=no -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -echo "$as_me:$LINENO: result: $ac_cv_lib_krb_krb_sendauth" >&5 -echo "${ECHO_T}$ac_cv_lib_krb_krb_sendauth" >&6 -if test $ac_cv_lib_krb_krb_sendauth = yes; then - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBKRB 1 -_ACEOF - - LIBS="-lkrb $LIBS" - -else - { { echo "$as_me:$LINENO: error: library 'krb' is required for Kerberos 4" >&5 -echo "$as_me: error: library 'krb' is required for Kerberos 4" >&2;} - { (exit 1); exit 1; }; } -fi - - -for ac_func in gethostname -do -as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:$LINENO: checking for $ac_func" >&5 -echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 -if eval "test \"\${$as_ac_var+set}\" = set"; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - cat >conftest.$ac_ext <<_ACEOF -#line $LINENO "configure" -#include "confdefs.h" -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. */ -#include -/* Override any gcc2 internal prototype to avoid an error. */ -#ifdef __cplusplus -extern "C" -#endif -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func (); -char (*f) (); - -#ifdef F77_DUMMY_MAIN -# ifdef __cplusplus - extern "C" -# endif - int F77_DUMMY_MAIN() { return 1; } -#endif -int -main () -{ -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -f = $ac_func; -#endif - - ; - return 0; -} -_ACEOF -rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 - (eval $ac_link) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - eval "$as_ac_var=yes" -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -eval "$as_ac_var=no" -fi -rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext -fi -echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 -echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 -if test `eval echo '${'$as_ac_var'}'` = yes; then - cat >>confdefs.h <<_ACEOF -#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -else - LIBOBJS="$LIBOBJS $ac_func.$ac_objext" -fi -done - - -fi - if test "$with_krb5" = yes ; then if test "$PORTNAME" != "win32"; then echo "$as_me:$LINENO: checking for library containing com_err" >&5 
@@ -8987,119 +8716,6 @@ Use --without-zlib to disable zlib support." >&2;} fi -fi - -if test "$with_krb4" = yes ; then - if test "${ac_cv_header_krb_h+set}" = set; then - echo "$as_me:$LINENO: checking for krb.h" >&5 -echo $ECHO_N "checking for krb.h... $ECHO_C" >&6 -if test "${ac_cv_header_krb_h+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -fi -echo "$as_me:$LINENO: result: $ac_cv_header_krb_h" >&5 -echo "${ECHO_T}$ac_cv_header_krb_h" >&6 -else - # Is the header compilable? -echo "$as_me:$LINENO: checking krb.h usability" >&5 -echo $ECHO_N "checking krb.h usability... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line $LINENO "configure" -#include "confdefs.h" -$ac_includes_default -#include -_ACEOF -rm -f conftest.$ac_objext -if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); } && - { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 - (eval $ac_try) 2>&5 - ac_status=$? - echo "$as_me:$LINENO: \$? = $ac_status" >&5 - (exit $ac_status); }; }; then - ac_header_compiler=yes -else - echo "$as_me: failed program was:" >&5 -cat conftest.$ac_ext >&5 -ac_header_compiler=no -fi -rm -f conftest.$ac_objext conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 -echo "${ECHO_T}$ac_header_compiler" >&6 - -# Is the header present? -echo "$as_me:$LINENO: checking krb.h presence" >&5 -echo $ECHO_N "checking krb.h presence... $ECHO_C" >&6 -cat >conftest.$ac_ext <<_ACEOF -#line $LINENO "configure" -#include "confdefs.h" -#include -_ACEOF -if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 - (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 - ac_status=$? - egrep -v '^ *\+' conftest.er1 >conftest.err - rm -f conftest.er1 - cat conftest.err >&5 - echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 - (exit $ac_status); } >/dev/null; then - if test -s conftest.err; then - ac_cpp_err=$ac_c_preproc_warn_flag - else - ac_cpp_err= - fi -else - ac_cpp_err=yes -fi -if test -z "$ac_cpp_err"; then - ac_header_preproc=yes -else - echo "$as_me: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_header_preproc=no -fi -rm -f conftest.err conftest.$ac_ext -echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 -echo "${ECHO_T}$ac_header_preproc" >&6 - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc in - yes:no ) - { echo "$as_me:$LINENO: WARNING: krb.h: accepted by the compiler, rejected by the preprocessor!" >&5 -echo "$as_me: WARNING: krb.h: accepted by the compiler, rejected by the preprocessor!" >&2;} - { echo "$as_me:$LINENO: WARNING: krb.h: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: krb.h: proceeding with the preprocessor's result" >&2;};; - no:yes ) - { echo "$as_me:$LINENO: WARNING: krb.h: present but cannot be compiled" >&5 -echo "$as_me: WARNING: krb.h: present but cannot be compiled" >&2;} - { echo "$as_me:$LINENO: WARNING: krb.h: check for missing prerequisite headers?" >&5 -echo "$as_me: WARNING: krb.h: check for missing prerequisite headers?" >&2;} - { echo "$as_me:$LINENO: WARNING: krb.h: proceeding with the preprocessor's result" >&5 -echo "$as_me: WARNING: krb.h: proceeding with the preprocessor's result" >&2;};; -esac -echo "$as_me:$LINENO: checking for krb.h" >&5 -echo $ECHO_N "checking for krb.h... 
$ECHO_C" >&6 -if test "${ac_cv_header_krb_h+set}" = set; then - echo $ECHO_N "(cached) $ECHO_C" >&6 -else - ac_cv_header_krb_h=$ac_header_preproc -fi -echo "$as_me:$LINENO: result: $ac_cv_header_krb_h" >&5 -echo "${ECHO_T}$ac_cv_header_krb_h" >&6 - -fi -if test $ac_cv_header_krb_h = yes; then - : -else - { { echo "$as_me:$LINENO: error: header file is required for Kerberos 4" >&5 -echo "$as_me: error: header file is required for Kerberos 4" >&2;} - { (exit 1); exit 1; }; } -fi - - fi if test "$with_krb5" = yes ; then @@ -19706,7 +19322,6 @@ s,@enable_thread_safety@,$enable_thread_safety,;t t s,@with_tcl@,$with_tcl,;t t s,@with_perl@,$with_perl,;t t s,@with_python@,$with_python,;t t -s,@with_krb4@,$with_krb4,;t t s,@with_krb5@,$with_krb5,;t t s,@krb_srvtab@,$krb_srvtab,;t t s,@with_pam@,$with_pam,;t t @@ -19743,8 +19358,8 @@ s,@python_includespec@,$python_includespec,;t t s,@python_libdir@,$python_libdir,;t t s,@python_libspec@,$python_libspec,;t t s,@python_additional_libs@,$python_additional_libs,;t t -s,@LIBOBJS@,$LIBOBJS,;t t s,@HAVE_IPV6@,$HAVE_IPV6,;t t +s,@LIBOBJS@,$LIBOBJS,;t t s,@acx_pthread_config@,$acx_pthread_config,;t t s,@PTHREAD_CC@,$PTHREAD_CC,;t t s,@PTHREAD_LIBS@,$PTHREAD_LIBS,;t t diff --git a/configure.in b/configure.in index 2494a706de..8d81a3789e 100644 --- a/configure.in +++ b/configure.in @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -dnl $PostgreSQL: pgsql/configure.in,v 1.412 2005/06/04 20:42:41 momjian Exp $ +dnl $PostgreSQL: pgsql/configure.in,v 1.413 2005/06/27 02:04:23 neilc Exp $ dnl dnl Developers, please strive to achieve this order: dnl 
@@ -409,19 +409,6 @@ PGAC_ARG_BOOL(with, python, no, [ --with-python build Python modules AC_MSG_RESULT([$with_python]) AC_SUBST(with_python) -# -# Kerberos 4 -# -AC_MSG_CHECKING([whether to build with Kerberos 4 support]) -PGAC_ARG_BOOL(with, krb4, no, [ --with-krb4 build with Kerberos 4 support], -[ - AC_DEFINE(KRB4, 1, [Define to build with Kerberos 4 support. (--with-krb4)]) - krb_srvtab="/etc/srvtab" -]) -AC_MSG_RESULT([$with_krb4]) -AC_SUBST(with_krb4) - - # # Kerberos 5 # @@ -435,11 +422,6 @@ AC_MSG_RESULT([$with_krb5]) AC_SUBST(with_krb5) -# Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work. -if test "$with_krb4" = yes && test "$with_krb5" = yes ; then - AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined]) -fi - AC_SUBST(krb_srvtab) @@ -666,12 +648,6 @@ else *** Not using spinlocks will cause poor performance.]) fi -if test "$with_krb4" = yes ; then - AC_CHECK_LIB(des, des_encrypt, [], [AC_MSG_ERROR([library 'des' is required for Kerberos 4])]) - AC_CHECK_LIB(krb, krb_sendauth, [], [AC_MSG_ERROR([library 'krb' is required for Kerberos 4])]) - AC_REPLACE_FUNCS([gethostname]) -fi - if test "$with_krb5" = yes ; then if test "$PORTNAME" != "win32"; then AC_SEARCH_LIBS(com_err, [krb5 'krb5 -ldes -lasn1 -lroken' com_err], [], @@ -762,10 +738,6 @@ failure. It is possible the compiler isn't looking in the proper directory. Use --without-zlib to disable zlib support.])]) fi -if test "$with_krb4" = yes ; then - AC_CHECK_HEADER(krb.h, [], [AC_MSG_ERROR([header file is required for Kerberos 4])]) -fi - if test "$with_krb5" = yes ; then AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file is required for Kerberos 5])]) fi diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 83611d25ff..d2585e3a94 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,5 +1,5 @@ 
@@ -326,17 +326,6 @@ hostnossl database user - - krb4 - - - Use Kerberos V4 to authenticate the user. This is only - available for TCP/IP connections. See for details. - - - - krb5 @@ -623,11 +612,8 @@ local db1,db2,@demodbs all md5 - While PostgreSQL supports both Kerberos 4 and - Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is - considered insecure and no longer recommended for general - use. Only one version of Kerberos can be supported in any one - build, and support must be enabled at build time. See + PostgreSQL supports Kerberos version 5, and it has + to be enabled at build time. See for more information. @@ -669,11 +655,9 @@ local db1,db2,@demodbs all md5 account. (See also .) The location of the key file is specified by the configuration - parameter. The default - is /etc/srvtab if you are using Kerberos 4 and + parameter. The default is /usr/local/pgsql/etc/krb5.keytab (or whichever - directory was specified as sysconfdir at build time) - with Kerberos 5. + directory was specified as sysconfdir at build time). diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index 547dd6436d..2f240a917b 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -1,4 +1,4 @@ - + <![%standalone-include[<productname>PostgreSQL</>]]> @@ -787,12 +787,10 @@ su - postgres </varlistentry> <varlistentry> - <term><option>--with-krb4</option></term> <term><option>--with-krb5</option></term> <listitem> <para> - Build with support for Kerberos authentication. You can use - either Kerberos version 4 or 5, but not both. On many + Build with support for Kerberos 5 authentication. On many systems, the Kerberos system is not installed in a location that is searched by default (e.g., <filename>/usr/include</>, <filename>/usr/lib</>), so you must use the options diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index a5bde7fc76..74219f368b 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml 
@@ -1,5 +1,5 @@ <!-- -$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.187 2005/06/26 19:16:04 tgl Exp $ +$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.188 2005/06/27 02:04:24 neilc Exp $ --> <chapter id="libpq"> @@ -283,7 +283,7 @@ PGconn *PQconnectdb(const char *conninfo); <term><literal>krbsrvname</literal></term> <listitem> <para> - Kerberos service name to use when authenticating with Kerberos 4 or 5. + Kerberos service name to use when authenticating with Kerberos 5. This must match the service name specified in the server configuration for Kerberos authentication to succeed. (See also <xref linkend="kerberos-auth">.) @@ -3813,7 +3813,7 @@ setting, and is only available if <primary><envar>PGKRBSRVNAME</envar></primary> </indexterm> <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when -authenticating with Kerberos 4 or 5. +authenticating with Kerberos 5. </para> </listitem> <listitem> diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 7ebcfc63a3..9663c7c08c 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.60 2005/06/26 19:16:04 tgl Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.61 2005/06/27 02:04:24 neilc Exp $ --> <chapter id="protocol"> <title>Frontend/Backend Protocol @@ -264,19 +264,6 @@ - - AuthenticationKerberosV4 - - - The frontend must now take part in a Kerberos V4 - authentication dialog (not described here, part of the - Kerberos specification) with the server. If this is - successful, the server responds with an AuthenticationOk, - otherwise it responds with an ErrorResponse. - - - - AuthenticationKerberosV5 
@@ -1411,50 +1398,6 @@ AuthenticationOk (B) - - -AuthenticationKerberosV4 (B) - - - - - - - - Byte1('R') - - - - Identifies the message as an authentication request. - - - - - - Int32(8) - - - - Length of message contents in bytes, including self. - - - - - - Int32(1) - - - - Specifies that Kerberos V4 authentication is required. - - - - - - - - - AuthenticationKerberosV5 (B) diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index a50227068b..6ca9212c88 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.126 2005/06/27 02:04:24 neilc Exp $ * *------------------------------------------------------------------------- */ 
@@ -69,83 +69,6 @@ static Port *pam_port_cludge; /* Workaround for passing "Port *port" * into pam_passwd_conv_proc */ #endif /* USE_PAM */ -#ifdef KRB4 -/*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 4 - *---------------------------------------------------------------- - */ - -#include "krb.h" - -/* - * pg_krb4_recvauth -- server routine to receive authentication information - * from the client - * - * Nothing unusual here, except that we compare the username obtained from - * the client's setup packet to the authenticated name. (We have to retain - * the name in the setup packet since we have to retain the ability to handle - * unauthenticated connections.) - */ -static int -pg_krb4_recvauth(Port *port) -{ - long krbopts = 0; /* one-way authentication */ - KTEXT_ST clttkt; - char instance[INST_SZ + 1], - version[KRB_SENDAUTH_VLEN + 1]; - AUTH_DAT auth_data; - Key_schedule key_sched; - int status; - - strcpy(instance, "*"); /* don't care, but arg gets expanded - * anyway */ - status = krb_recvauth(krbopts, - port->sock, - &clttkt, - pg_krb_srvnam, - instance, - &port->raddr.in, - &port->laddr.in, - &auth_data, - pg_krb_server_keyfile, - key_sched, - version); - if (status != KSUCCESS) - { - ereport(LOG, - (errmsg("Kerberos error: %s", krb_err_txt[status]))); - return STATUS_ERROR; - } - if (strncmp(version, PG_KRB4_VERSION, KRB_SENDAUTH_VLEN) != 0) - { - ereport(LOG, - (errmsg("unexpected Kerberos protocol version received from client (received \"%s\", expected \"%s\")", - version, PG_KRB4_VERSION))); - return STATUS_ERROR; - } - if (strncmp(port->user_name, auth_data.pname, SM_DATABASE_USER) != 0) - { - ereport(LOG, - (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")", - port->user_name, auth_data.pname))); - return STATUS_ERROR; - } - return STATUS_OK; -} - -#else - -static int -pg_krb4_recvauth(Port *port) -{ - ereport(LOG, - 
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("Kerberos 4 not implemented on this server"))); - return STATUS_ERROR; -} -#endif /* KRB4 */ - - #ifdef KRB5 /*---------------------------------------------------------------- * MIT Kerberos authentication system - protocol version 5 @@ -252,8 +175,7 @@ pg_krb5_init(void) * from the client * * We still need to compare the username obtained from the client's setup - * packet to the authenticated name, as described in pg_krb4_recvauth. This - * is a bit more problematic in v5, as described above in pg_an_to_ln. + * packet to the authenticated name. * * We have our own keytab file because postgres is unlikely to run as root, * and so cannot read the default keytab. @@ -380,9 +302,6 @@ auth_failed(Port *port, int status) case uaReject: errstr = gettext_noop("authentication failed for user \"%s\": host rejected"); break; - case uaKrb4: - errstr = gettext_noop("Kerberos 4 authentication failed for user \"%s\""); - break; case uaKrb5: errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\""); break; 
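Review bot: In the header comment of pg_krb5_recvauth (hunk at -252,8 +175,7), the reworded sentence keeps the word "still" but no longer says why the comparison is made. The rationale was in the pg_krb4_recvauth comment that this commit deletes, and the pointer to pg_an_to_ln has been dropped as well. That comparison ties the authenticated principal to the requested database user, so the comment should stand on its own. Assuming pg_an_to_ln is still present above, something like `* We compare the user name from the client's startup packet to the authenticated` / `* principal name; see pg_an_to_ln above for how the principal is mapped.` would do. The function body is outside the hunk, so the comparison itself is not reviewed here.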
@@ -461,27 +380,16 @@ ClientAuthentication(Port *port) (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name, - port->ssl ? _("SSL on") : _("SSL off")))); + port->ssl ? _("SSL on") : _("SSL off")))); #else ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"", - hostinfo, port->user_name, port->database_name))); + hostinfo, port->user_name, port->database_name))); #endif break; } - case uaKrb4: - /* Kerberos 4 only seems to work with AF_INET. */ - if (port->raddr.addr.ss_family != AF_INET - || port->laddr.addr.ss_family != AF_INET) - ereport(FATAL, - (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("Kerberos 4 only supports IPv4 connections"))); - sendAuthRequest(port, AUTH_REQ_KRB4); - status = pg_krb4_recvauth(port); - break; - case uaKrb5: sendAuthRequest(port, AUTH_REQ_KRB5); status = pg_krb5_recvauth(port); diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index bd9b84cffe..ab5d7e4167 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -10,7 +10,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.141 2005/06/21 01:20:09 neilc Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.142 2005/06/27 02:04:25 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -607,8 +607,6 @@ parse_hba_auth(ListCell **line_item, UserAuth *userauth_p, *userauth_p = uaIdent; else if (strcmp(token, "password") == 0) *userauth_p = uaPassword; - else if (strcmp(token, "krb4") == 0) - *userauth_p = uaKrb4; else if (strcmp(token, "krb5") == 0) *userauth_p = uaKrb5; else if (strcmp(token, "reject") == 0) 
@@ -694,8 +692,7 @@ parse_hba(List *line, int line_num, hbaPort *port, goto hba_syntax; /* Disallow auth methods that always need TCP/IP sockets to work */ - if (port->auth_method == uaKrb4 || - port->auth_method == uaKrb5) + if (port->auth_method == uaKrb5) goto hba_syntax; /* Does not match if connection isn't AF_UNIX */ diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample index e13c78c522..b47ca578ae 100644 --- a/src/backend/libpq/pg_hba.conf.sample +++ b/src/backend/libpq/pg_hba.conf.sample @@ -35,7 +35,7 @@ # an IP address and netmask in separate columns to specify the set of hosts. # # METHOD can be "trust", "reject", "md5", "crypt", "password", -# "krb4", "krb5", "ident", or "pam". Note that "password" sends passwords +# "krb5", "ident", or "pam". Note that "password" sends passwords # in clear text; "md5" is preferred since it sends encrypted passwords. # # OPTION is the ident map or the name of the PAM service, depending on METHOD. diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h index 94b0976e11..9f93b7fdf8 100644 --- a/src/include/libpq/auth.h +++ b/src/include/libpq/auth.h @@ -7,7 +7,7 @@ * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.28 2005/06/14 17:43:14 momjian Exp $ + * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.29 2005/06/27 02:04:25 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -23,8 +23,7 @@ extern void ClientAuthentication(Port *port); -#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */ -#define PG_KRB5_VERSION "PGVER5.1" +#define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */ extern char *pg_krb_server_keyfile; extern char *pg_krb_srvnam; diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h index 0656e6a4e8..6798a09ad9 100644 
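Review bot: In src/include/libpq/auth.h, the trailing comment `/* at most KRB_SENDAUTH_VLEN chars */` has been moved onto `PG_KRB5_VERSION`, but the only uses of `KRB_SENDAUTH_VLEN` visible in this patch are in the deleted pg_krb4_recvauth (the `version[]` buffer and the `strncmp` against `PG_KRB4_VERSION`). If that constant came from the Kerberos 4 `krb.h`, the comment now documents a limit that nothing on the V5 path enforces. Either drop it, leaving `#define PG_KRB5_VERSION "PGVER5.1"`, or replace it with whatever length constraint the V5 code actually applies.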
--- a/src/include/libpq/hba.h +++ b/src/include/libpq/hba.h @@ -4,7 +4,7 @@ * Interface to hba.c * * - * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.36 2005/02/26 18:43:34 tgl Exp $ + * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.37 2005/06/27 02:04:25 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -17,7 +17,6 @@ typedef enum UserAuth { uaReject, - uaKrb4, uaKrb5, uaTrust, uaIdent, diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h index 4357b25d47..830237d001 100644 --- a/src/include/libpq/pqcomm.h +++ b/src/include/libpq/pqcomm.h @@ -9,7 +9,7 @@ * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.96 2004/12/31 22:03:32 pgsql Exp $ + * $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.97 2005/06/27 02:04:26 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -160,7 +160,7 @@ extern bool Db_user_namespace; /* These are the authentication request codes sent by the backend. */ #define AUTH_REQ_OK 0 /* User is authenticated */ -#define AUTH_REQ_KRB4 1 /* Kerberos V4 */ +#define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */ #define AUTH_REQ_KRB5 2 /* Kerberos V5 */ #define AUTH_REQ_PASSWORD 3 /* Password */ #define AUTH_REQ_CRYPT 4 /* crypt password */ diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index da29557e92..8e4543fb62 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -575,9 +575,6 @@ /* Define to the appropriate snprintf format for 64-bit ints, if any. */ #undef INT64_FORMAT -/* Define to build with Kerberos 4 support. (--with-krb4) */ -#undef KRB4 - /* Define to build with Kerberos 5 support. (--with-krb5) */ #undef KRB5 diff --git a/src/include/port.h b/src/include/port.h index f3120932c9..61b566d402 100644 --- a/src/include/port.h 
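Review bot: In src/include/libpq/pqcomm.h, the new comment on `AUTH_REQ_KRB4` says the method is unsupported but not why the define is kept. These are request codes sent by the backend, so the comment should state that value 1 stays reserved and must not be reassigned to a new method, e.g. `#define AUTH_REQ_KRB4 1 /* Kerberos V4; no longer supported, value reserved */`. The same wording would suit `STARTUP_KRB4_MSG` in fe-auth.c. How a client built from this tree reacts to an older server that still sends code 1 is not visible in this hunk, so it is worth confirming that it ends in a clear error.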
+++ b/src/include/port.h @@ -6,7 +6,7 @@ * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/port.h,v 1.75 2005/05/25 21:40:41 momjian Exp $ + * $PostgreSQL: pgsql/src/include/port.h,v 1.76 2005/06/27 02:04:25 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -267,10 +267,6 @@ extern int getopt(int nargc, char *const * nargv, const char *ostr); extern int isinf(double x); #endif -#if !defined(HAVE_GETHOSTNAME) && defined(KRB4) -extern int gethostname(char *name, int namelen); -#endif - #ifndef HAVE_RINT extern double rint(double x); #endif diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile index 911bc975bb..84ac0e1372 100644 --- a/src/interfaces/libpq/Makefile +++ b/src/interfaces/libpq/Makefile @@ -5,7 +5,7 @@ # Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group # Portions Copyright (c) 1994, Regents of the University of California # -# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.133 2005/04/29 14:07:27 momjian Exp $ +# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.134 2005/06/27 02:04:26 neilc Exp $ # #------------------------------------------------------------------------- @@ -53,7 +53,7 @@ endif # Add libraries that libpq depends (or might depend) on into the # shared library link. (The order in which you list them here doesn't # matter.) -SHLIB_LINK += $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS) +SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS) ifeq ($(PORTNAME), win32) SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS)) endif 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index 6624df1ad0..d9865f2a5f 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c @@ -10,7 +10,7 @@ * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes). * * IDENTIFICATION - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.101 2005/06/04 20:42:43 momjian Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.102 2005/06/27 02:04:26 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -64,7 +64,7 @@ */ #define STARTUP_MSG 7 /* Initialise a connection */ -#define STARTUP_KRB4_MSG 10 /* krb4 session follows */ +#define STARTUP_KRB4_MSG 10 /* krb4 session follows. Not supported any more. */ #define STARTUP_KRB5_MSG 11 /* krb5 session follows */ #define STARTUP_PASSWORD_MSG 14 /* Password follows */ 
@@ -87,157 +87,22 @@ struct authsvc * isn't any authentication system. */ static const struct authsvc authsvcs[] = { -#ifdef KRB4 - {"krb4", STARTUP_KRB4_MSG, 1}, - {"kerberos", STARTUP_KRB4_MSG, 1}, -#endif /* KRB4 */ #ifdef KRB5 {"krb5", STARTUP_KRB5_MSG, 1}, {"kerberos", STARTUP_KRB5_MSG, 1}, #endif /* KRB5 */ {UNAUTHNAME, STARTUP_MSG, -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 0 -#else /* !(KRB4 || KRB5) */ +#else /* !KRB5 */ 1 -#endif /* !(KRB4 || KRB5) */ +#endif /* !KRB5 */ }, {"password", STARTUP_PASSWORD_MSG, 0} }; static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc); -#ifdef KRB4 -/* - * MIT Kerberos authentication system - protocol version 4 - */ - -#include "krb.h" - -/* for some reason, this is not defined in krb.h ... */ -extern char *tkt_string(void); - -/* - * pg_krb4_init -- initialization performed before any Kerberos calls are made - * - * For v4, all we need to do is make sure the library routines get the right - * ticket file if we want them to see a special one. (They will open the file - * themselves.) - */ -static void -pg_krb4_init() -{ - char *realm; - static int init_done = 0; - - if (init_done) - return; - init_done = 1; - - /* - * If the user set PGREALM, then we use a ticket file with a special - * name: @ - */ - if ((realm = getenv("PGREALM"))) - { - char tktbuf[MAXPGPATH]; - - (void) snprintf(tktbuf, sizeof(tktbuf), "%s@%s", tkt_string(), realm); - krb_set_tkt_string(tktbuf); - } -} - -/* - * pg_krb4_authname -- returns a pointer to static space containing whatever - * name the user has authenticated to the system - * - * We obtain this information by digging around in the ticket file. 
- */ -static char * -pg_krb4_authname(char *PQerrormsg) -{ - char instance[INST_SZ + 1]; - char realm[REALM_SZ + 1]; - int status; - static char name[SNAME_SZ + 1] = ""; - - if (name[0]) - return name; - - pg_krb4_init(); - - name[SNAME_SZ] = '\0'; - status = krb_get_tf_fullname(tkt_string(), name, instance, realm); - if (status != KSUCCESS) - { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb4_authname: krb_get_tf_fullname: %s\n", - krb_err_txt[status]); - return NULL; - } - return name; -} - -/* - * pg_krb4_sendauth -- client routine to send authentication information to - * the server - * - * This routine does not do mutual authentication, nor does it return enough - * information to do encrypted connections. But then, if we want to do - * encrypted connections, we'll have to redesign the whole RPC mechanism - * anyway. - * - * If the user is too lazy to feed us a hostname, we try to come up with - * something other than "localhost" since the hostname is used as an - * instance and instance names in v4 databases are usually actual hostnames - * (canonicalized to omit all domain suffixes). 
- */ -static int -pg_krb4_sendauth(char *PQerrormsg, int sock, - struct sockaddr_in * laddr, - struct sockaddr_in * raddr, - const char *hostname, - const char *servicename) -{ - long krbopts = 0; /* one-way authentication */ - KTEXT_ST clttkt; - int status; - char hostbuf[MAXHOSTNAMELEN]; - const char *realm = getenv("PGREALM"); /* NULL == current realm */ - - if (!hostname || !(*hostname)) - { - if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0) - strcpy(hostbuf, "localhost"); - hostname = hostbuf; - } - - pg_krb4_init(); - - status = krb_sendauth(krbopts, - sock, - &clttkt, - servicename, - hostname, - realm, - (u_long) 0, - NULL, - NULL, - NULL, - laddr, - raddr, - PG_KRB4_VERSION); - if (status != KSUCCESS) - { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - libpq_gettext("Kerberos 4 error: %s\n"), - krb_err_txt[status]); - return STATUS_ERROR; - } - return STATUS_OK; -} -#endif /* KRB4 */ - #ifdef KRB5 /* * MIT Kerberos authentication system - protocol version 5 @@ -597,7 +462,7 @@ int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, const char *password, char *PQerrormsg) { -#if !defined(KRB4) && !defined(KRB5) +#ifndef KRB5 (void) hostname; /* not used */ #endif @@ -607,24 +472,9 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, break; case AUTH_REQ_KRB4: -#ifdef KRB4 - pglock_thread(); - if (pg_krb4_sendauth(PQerrormsg, conn->sock, - (struct sockaddr_in *) & conn->laddr.addr, - (struct sockaddr_in *) & conn->raddr.addr, - hostname, conn->krbsrvname) != STATUS_OK) - { - /* PQerrormsg already filled in */ - pgunlock_thread(); - return STATUS_ERROR; - } - pgunlock_thread(); - break; -#else snprintf(PQerrormsg, PQERRORMSG_LENGTH, libpq_gettext("Kerberos 4 authentication not supported\n")); return STATUS_ERROR; -#endif case AUTH_REQ_KRB5: #ifdef KRB5 
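Review bot: In the `@@ -607,24 +472,9 @@` hunk the `case AUTH_REQ_KRB4:` arm of fe_sendauth is now an unconditional error, but nothing marks it as deliberate. A short comment above the `snprintf`, such as `/* Kerberos 4 support was removed; refuse explicitly if a server still requests it */`, would keep a later cleanup from dropping the arm and letting such a request reach the switch's default handling, which is outside this hunk. The refusal itself is the right behaviour: the client fails closed and reports the reason in `PQerrormsg`. fe_sendauth starts before and continues after the hunk.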
@@ -754,17 +604,12 @@ fe_getauthname(char *PQerrormsg) pglock_thread(); -#ifdef KRB4 - if (authsvc == STARTUP_KRB4_MSG) - name = pg_krb4_authname(PQerrormsg); -#endif #ifdef KRB5 if (authsvc == STARTUP_KRB5_MSG) name = pg_krb5_authname(PQerrormsg); #endif if (authsvc == STARTUP_MSG - || (authsvc == STARTUP_KRB4_MSG && !name) || (authsvc == STARTUP_KRB5_MSG && !name)) { #ifdef WIN32 @@ -776,7 +621,7 @@ fe_getauthname(char *PQerrormsg) #endif } - if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG) + if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB5_MSG) snprintf(PQerrormsg, PQERRORMSG_LENGTH, libpq_gettext("fe_getauthname: invalid authentication system: %d\n"), authsvc); diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h index f0a98a5966..024107564b 100644 --- a/src/interfaces/libpq/fe-auth.h +++ b/src/interfaces/libpq/fe-auth.h @@ -7,7 +7,7 @@ * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.h,v 1.20 2004/12/31 22:03:50 pgsql Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.h,v 1.21 2005/06/27 02:04:26 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -27,11 +27,11 @@ #define UNAUTHNAME "unauth" /* what a frontend uses by default */ -#if !defined(KRB4) && !defined(KRB5) +#ifndef KRB5 #define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME -#else /* KRB4 || KRB5 */ +#else #define DEFAULT_CLIENT_AUTHSVC "kerberos" -#endif /* KRB4 || KRB5 */ +#endif /* KRB5 */ extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, const char *password, char *PQerrormsg); 
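Review bot: The conditional around `DEFAULT_CLIENT_AUTHSVC` in the fe-auth.h `@@ -27,11 +27,11 @@` hunk now labels its branches inconsistently: the `#else` lost its comment, and the block opened by `#ifndef KRB5` closes with `#endif /* KRB5 */`. fe-auth.c in this same commit writes `#else /* !KRB5 */` and `#endif /* !KRB5 */` for its `#ifdef KRB5` block, so the header would match that convention with `#else /* KRB5 */` and `#endif /* KRB5 */`. With the krb4 rows gone from `authsvcs[]`, the "kerberos" default named here resolves only to the krb5 entry, which a one-line comment on the define could state.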
@@ -39,7 +39,6 @@ extern MsgType fe_getauthsvc(char *PQerrormsg); extern void fe_setauthsvc(const char *name, char *PQerrormsg); extern char *fe_getauthname(char *PQerrormsg); -#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */ -#define PG_KRB5_VERSION "PGVER5.1" +#define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */ #endif /* FE_AUTH_H */ diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 3524bb9385..1ededb23e2 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.312 2005/06/19 13:10:55 momjian Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.313 2005/06/27 02:04:26 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -170,7 +170,7 @@ static const PQconninfoOption PQconninfoOptions[] = { {"sslmode", "PGSSLMODE", DefaultSSLMode, NULL, "SSL-Mode", "", 8}, /* sizeof("disable") == 8 */ -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 /* Kerberos authentication supports specifying the service name */ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, "Kerberos-service-name", "", 20}, @@ -401,7 +401,7 @@ connectOptions1(PGconn *conn, const char *conninfo) conn->sslmode = strdup("require"); } #endif -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 tmp = conninfo_getval(connOptions, "krbsrvname"); conn->krbsrvname = tmp ? strdup(tmp) : NULL; #endif @@ -1916,7 +1916,7 @@ freePGconn(PGconn *conn) free(conn->pgpass); if (conn->sslmode) free(conn->sslmode); -#if defined(KRB4) || defined(KRB5) +#ifdef KRB5 if (conn->krbsrvname) free(conn->krbsrvname); #endif diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index 2274efbfb5..d9cc783237 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h 
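Review bot: The comment `/* at most KRB_SENDAUTH_VLEN chars */` in the fe-auth.h `@@ -39,7 +39,6 @@` hunk was moved from the removed `PG_KRB4_VERSION` line onto `PG_KRB5_VERSION`, where it may no longer be accurate. `KRB_SENDAUTH_VLEN` looks like a Kerberos 4 constant from `krb.h`, whose only visible include this commit deletes from fe-auth.c, so the name would not resolve for a reader of a krb5-only tree. Either confirm the length limit against the krb5 sendauth interface and name the constant that applies, or leave the define uncommented as it was before: `#define PG_KRB5_VERSION "PGVER5.1"`.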
@@ -12,7 +12,7 @@ * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.103 2005/06/13 02:26:53 tgl Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.104 2005/06/27 02:04:26 neilc Exp $ * *------------------------------------------------------------------------- */ @@ -262,7 +262,7 @@ struct pg_conn char *pguser; /* Postgres username and password, if any */ char *pgpass; char *sslmode; /* SSL mode (require,prefer,allow,disable) */ -#if defined(KRB5) || defined(KRB4) +#ifdef KRB5 char *krbsrvname; /* Kerberos service name */ #endif