From c4213aede1a3ba1e63203358d52587550badfda8 Mon Sep 17 00:00:00 2001 From: "Marc G. Fournier" Date: Tue, 27 Jan 1998 03:25:14 +0000 Subject: [PATCH] From: Phil Thompson Cleanup patches for previous protocol changes patch --- src/Makefile.global.in | 6 +- src/backend/libpq/auth.c | 4 +- src/backend/libpq/hba.c | 11 ++- src/backend/libpq/pg_hba.conf.sample | 5 ++ src/backend/libpq/pqcomm.c | 4 +- src/backend/parser/scan.c | 4 +- src/man/pg_hba.conf.5 | 116 ++++++++++++++++++++++++--- 7 files changed, 128 insertions(+), 22 deletions(-) diff --git a/src/Makefile.global.in b/src/Makefile.global.in index c909fe9e70..452a5a0af8 100644 --- a/src/Makefile.global.in +++ b/src/Makefile.global.in @@ -7,7 +7,7 @@ # # # IDENTIFICATION -# $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.32 1998/01/15 19:41:35 pgsql Exp $ +# $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.33 1998/01/27 03:24:51 scrappy Exp $ # # NOTES # Essentially all Postgres make files include this file and use the @@ -157,10 +157,10 @@ USE_TCL= @USE_TCL@ # TCL_INCDIR= /usr/local/include TCL_LIBDIR= /usr/local/lib -TCL_LIB= -ltcl80 +TCL_LIB= -ltcl8.0 TK_INCDIR= /usr/local/include TK_LIBDIR= /usr/local/lib -TK_LIB= -ltk80 +TK_LIB= -ltk8.0 USE_PERL= @USE_PERL@ diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 430b2e2240..58c60112e1 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -7,7 +7,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.22 1998/01/27 03:11:41 momjian Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.23 1998/01/27 03:24:54 scrappy Exp $ * *------------------------------------------------------------------------- */ 
@@ -401,7 +401,7 @@ void be_recvauth(Port *port) if (hba_getauthmethod(&port->raddr, port->database, port->auth_arg, &port->auth_method) != STATUS_OK) { - PacketSendError(&port->pktInfo, "Error getting authentication method"); + PacketSendError(&port->pktInfo, "Missing or mis-configured pg_hba.conf file"); return; } diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 048add7771..857f324a0e 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -7,7 +7,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.26 1998/01/26 01:41:08 scrappy Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.27 1998/01/27 03:24:56 scrappy Exp $ * *------------------------------------------------------------------------- */ @@ -337,8 +337,15 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[], } } - if (found_entry && !error) + if (!error) + { + /* If no entry was found then force a rejection. */ + + if (!found_entry) + *userauth_p = uaReject; + *host_ok_p = true; + } } diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample index c746c752e4..2fc47dab97 100644 --- a/src/backend/libpq/pg_hba.conf.sample +++ b/src/backend/libpq/pg_hba.conf.sample @@ -122,3 +122,8 @@ # connect as Postgres user "guest1", the connection is only allowed if # there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is # allowed to connect as "guest1". + +# By default, allow anything over UNIX domain sockets and localhost. + +local all trust +host all 127.0.0.1 255.255.255.255 trust diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c index 2b4e25f873..baff76f991 100644 --- a/src/backend/libpq/pqcomm.c +++ b/src/backend/libpq/pqcomm.c 
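Review bot: The replacement text handed to PacketSendError in be_recvauth names a server-side configuration file to a peer that has not authenticated yet, so the failure path now discloses the state of the server's pg_hba.conf to any client that can open a connection, where the old wording disclosed nothing about the cause. It is also only accurate if a missing or malformed file is the sole way hba_getauthmethod can return something other than STATUS_OK, which I cannot confirm from this hunk. I would keep the client-facing string generic and put the pg_hba.conf hint in the server log instead, e.g. `PacketSendError(&port->pktInfo, "User authentication failed");` followed by a server-side log line carrying the "Missing or mis-configured pg_hba.conf file" detail, which also matches the message the updated man page in this commit tells users to expect. be_recvauth starts and ends outside the hunk.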
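Review bot: In the new block at the tail of process_open_config_file, *userauth_p and *host_ok_p are assigned only on the !error path; when error is set both outputs keep whatever value they had on entry, so the fail-closed behaviour the added comment promises rests on the caller having pre-initialised them to a refusing state. The function's start is outside the hunk, so I cannot verify that initialisation; if it is not guaranteed I would make the refusal explicit with `else { *userauth_p = uaReject; *host_ok_p = false; }` (or whichever combination the caller treats as "do not connect"). As a minor style point the blank line between `/* If no entry was found then force a rejection. */` and the `if (!found_entry)` it describes separates the comment from its statement; I would drop it.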
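Review bot: The two records appended to pg_hba.conf.sample make `trust` the shipped default for every database over UNIX domain sockets and from 127.0.0.1, which means any account able to reach the socket or the loopback interface connects as any PostgreSQL user with no password check, and a sample file of this kind tends to be copied into $PGDATA unchanged. The new comment says only "allow anything", so an administrator reading it does not learn that consequence. I would state it and name the alternatives this same commit documents in the man page, e.g. `# By default, trust every connection over UNIX domain sockets and from localhost:` followed by `# any local account can then connect as any PostgreSQL user. Replace "trust" with crypt, password or ident to require authentication.`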
@@ -7,7 +7,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.35 1998/01/26 01:41:11 scrappy Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.36 1998/01/27 03:25:01 scrappy Exp $ * *------------------------------------------------------------------------- */ @@ -619,7 +619,7 @@ StreamServerPort(char *hostName, short portName, int *fdP) errno); pqdebug("%s", PQerrormsg); strcat(PQerrormsg, "\tIs another postmaster already running on that port?\n"); - if (family == AF_UNIX) + if (family == AF_UNIX) strcat(PQerrormsg, "\tIf not, remove socket node (/tmp/.s.PGSQL.)and retry.\n"); else strcat(PQerrormsg, "\tIf not, wait a few seconds and retry.\n"); diff --git a/src/backend/parser/scan.c b/src/backend/parser/scan.c index ed5b4e2f39..8b29019c7f 100644 --- a/src/backend/parser/scan.c +++ b/src/backend/parser/scan.c @@ -1,7 +1,7 @@ /* A lexical scanner generated by flex */ /* Scanner skeleton version: - * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.9 1998/01/24 19:40:56 scrappy Exp $ + * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.10 1998/01/27 03:25:07 scrappy Exp $ */ #define FLEX_SCANNER @@ -539,7 +539,7 @@ char *yytext; * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.9 1998/01/24 19:40:56 scrappy Exp $ + * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.10 1998/01/27 03:25:07 scrappy Exp $ * *------------------------------------------------------------------------- */ diff --git a/src/man/pg_hba.conf.5 b/src/man/pg_hba.conf.5 index 30183bb7ef..4d14aa7346 100644 --- a/src/man/pg_hba.conf.5 +++ b/src/man/pg_hba.conf.5 
@@ -1,20 +1,114 @@ .\" This is -*-nroff-*- -.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_hba.conf.5,v 1.3 1997/08/26 17:30:03 momjian Exp $ -.TH pg_hba.conf 5 11/04/96 Postgres Postgres +.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_hba.conf.5,v 1.4 1998/01/27 03:25:14 scrappy Exp $ +.TH pg_hba.conf 5 1/26/98 PostgreSQL PostgreSQL .SH NAME $PGDATA/pg_hba.conf .SH DESCRIPTION -"Host-based access control" is the name for the basic controls Postgres -exercises on what clients are allowed to access a database system. -It is called that because one of the factors that can control access is -from what host the client is connecting. +"Host-based access control" is the name for the basic controls PostgreSQL +exercises on what clients are allowed to access a database and how +the users on those clients must authenticate themselves. .PP -Each database system contains a file named "pg_hba.conf", in its PGDATA -directory, that controls who can connect to that database system. +Each database system contains a file named "pg_hba.conf", in its $PGDATA +directory, that controls who can connect to each database. .PP -The exact format of the pg_hba.conf file is described in the comments at -the top of the sample file pg_hba.conf.sample, which resides in the -the PostgreSQL "lib" sub-directory of the main postgres directory. +Every client that wants to access to a database +.IR must +be covered by one of +the entries in pg_hba.conf. Otherwise all attempted connections from that +client will be rejected with a "User authentication failed" error message. +.PP +The general format of the pg_hba.conf file is of a set of records, one per +line. Blank lines and lines beginning with '#' are ignored. A record is +made up of a number of fields which are separated by spaces and/or tabs. +.PP +Connections from clients can be made using UNIX domain sockets or Internet +domain sockets (ie. TCP/IP). Connections made using UNIX domain sockets +are controlled using records of the following format. 
+.PP +local +.PP + specifies the database that this record applies to. The value +.IR all +specifies that it applies to all databases. +specifies the method a user must use to authenticate themselves when +connecting to that database using UNIX domain sockets. The different methods +are described below. +.PP +Connections made using Internet domain sockets are controlled using records +of the following format. +.PP +host +.PP +The is logically anded to both the specified +and the TCP/IP address +of the connecting client. If the two values that result are equal then the +record is used for this connection. If a connection matches more than one +record then the earliest one in the file is used. Both the +and the are specified in dotted decimal notation. +.PP +If a connection fails to match any record then the +.IR reject +authentication method is applied (see below). +.SH "AUTHENTICATION METHODS" +The following authentication methods are supported for both UNIX and TCP/IP +domain sockets. +.PP +.IR trust +- the connection is allowed unconditionally. +.PP +.IR reject +- the connection is rejected unconditionally. +.PP +.IR crypt +- the client is asked for a password for the user. This is sent encrypted +(using crypt(3)) and compared against the password held in the pg_user table. +If the passwords match, the connection is allowed. +.PP +.IR password +- the client is asked for a password for the user. This is sent in clear +and compared against the password held in the pg_user table. +If the passwords match, the connection is allowed. An optional password file +may be specified after the +.IR password +keyword which is used to match the supplied password rather than the pg_user +table. See pg_passwd(1). +.PP +The following authentication methods are supported for TCP/IP +domain sockets only. +.PP +.IR krb4 +- Kerberos V4 is used to authenticate the user. +.PP +.IR krb5 +- Kerberos V5 is used to authenticate the user. 
+.PP +.IR ident +- the ident server on the client is used to authenticate the user (RFC 1413). +An optional map name may be specified after the +.IR ident +keyword which allows ident user names to be mapped onto PostgreSQL user names. +Maps are held in the file $PGDATA/pg_ident.conf. +.SH EXAMPLES + +# Trust any connection via UNIX domain sockets. + +local trust + +# Trust any connection via TCP/IP from this machine. + +host all 127.0.0.1 255.255.255.255 trust + +# We don't like this machine. + +host all 192.168.0.10 255.255.255.0 reject + +# This machine can't encrypt so we ask for passwords in clear. + +host all 192.168.0.3 255.255.255.0 password + +# The rest of this group of machines should provide encrypted passwords. + +host all 192.168.0.0 255.255.255.0 crypt .SH "SEE ALSO" pgintro(1).