rdelaage
/
postgresql
mirror of https://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Explicitly require MIT Kerberos for GSSAPI 

WHen building with GSSAPI support, explicitly require MIT Kerberos and
check for gssapi_ext.h in configure.ac and meson.build.  Also add
documentation explicitly stating that we now require MIT Kerberos when
building with GSSAPI support.

Reveiwed by: Johnathan Katz
Discussion: https://postgr.es/m/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1@postgresql.org
This commit is contained in:
Stephen Frost 2023-04-13 08:55:13 -04:00
parent 6633cfb216
commit f7431bca8b
7 changed files with 57 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
configure vendored
View File

@ -14104,6 +14104,33 @@ done
fi fi
done
for ac_header in gssapi/gssapi_ext.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default"
if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_GSSAPI_GSSAPI_EXT_H 1
_ACEOF
else
for ac_header in gssapi_ext.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default"
if test "x$ac_cv_header_gssapi_ext_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_GSSAPI_EXT_H 1
_ACEOF
else
as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5
fi
done
fi
done done
fi fi

2
configure.ac
View File

@ -1562,6 +1562,8 @@ fi
if test "$with_gssapi" = yes ; then if test "$with_gssapi" = yes ; then
AC_CHECK_HEADERS(gssapi/gssapi.h, [], AC_CHECK_HEADERS(gssapi/gssapi.h, [],
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [],
[AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])])
fi fi
PGAC_PATH_PROGS(OPENSSL, openssl) PGAC_PATH_PROGS(OPENSSL, openssl)

2
doc/src/sgml/client-auth.sgml
View File

@ -1426,7 +1426,7 @@ omicron bryanh guest1
The keytab file is generated using the Kerberos software; see the The keytab file is generated using the Kerberos software; see the
Kerberos documentation for details. The following example shows Kerberos documentation for details. The following example shows
doing this using the <application>kadmin</application> tool of doing this using the <application>kadmin</application> tool of
MIT-compatible Kerberos 5 implementations: MIT Kerberos:
<screen> <screen>
<prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput> <prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
<prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput> <prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>

21
doc/src/sgml/installation.sgml
View File

@ -252,9 +252,9 @@ documentation. See standalone-profile.xsl for details.
<listitem> <listitem>
<para> <para>
You need <application>Kerberos</application>, <productname>OpenLDAP</productname>, You need <application>MIT Kerberos</application> (for GSSAPI),
and/or <application>PAM</application>, if you want to support authentication <productname>OpenLDAP</productname>, and/or <application>PAM</application>,
using those services. if you want to support authentication using those services.
</para> </para>
</listitem> </listitem>
@ -1048,9 +1048,9 @@ build-postgresql:
<term><option>--with-gssapi</option></term> <term><option>--with-gssapi</option></term>
<listitem> <listitem>
<para> <para>
Build with support for GSSAPI authentication. On many systems, the Build with support for GSSAPI authentication. MIT Kerberos is required
GSSAPI system (usually a part of the Kerberos installation) is not to be installed for GSSAPI. On many systems, the GSSAPI system (a part
installed in a location of the MIT Kerberos installation) is not installed in a location
that is searched by default (e.g., <filename>/usr/include</filename>, that is searched by default (e.g., <filename>/usr/include</filename>,
<filename>/usr/lib</filename>), so you must use the options <filename>/usr/lib</filename>), so you must use the options
<option>--with-includes</option> and <option>--with-libraries</option> in <option>--with-includes</option> and <option>--with-libraries</option> in
@ -2497,10 +2497,11 @@ ninja install
<term><option>-Dgssapi={ auto | enabled | disabled }</option></term> <term><option>-Dgssapi={ auto | enabled | disabled }</option></term>
<listitem> <listitem>
<para> <para>
Build with support for GSSAPI authentication. On many systems, the Build with support for GSSAPI authentication. MIT Kerberos is required
GSSAPI system (usually a part of the Kerberos installation) is not to be installed for GSSAPI. On many systems, the GSSAPI system (a part
installed in a location that is searched by default (e.g., of the MIT Kerberos installation) is not installed in a location
<filename>/usr/include</filename>, <filename>/usr/lib</filename>). In that is searched by default (e.g., <filename>/usr/include</filename>,
<filename>/usr/lib</filename>). In
those cases, PostgreSQL will query <command>pkg-config</command> to those cases, PostgreSQL will query <command>pkg-config</command> to
detect the required compiler and linker options. Defaults to auto. detect the required compiler and linker options. Defaults to auto.
<filename>meson configure</filename> will check for the required <filename>meson configure</filename> will check for the required

10
meson.build
View File

@ -623,6 +623,16 @@ if not gssapiopt.disabled()
have_gssapi = false have_gssapi = false
endif endif
if not have_gssapi
elif cc.check_header('gssapi/gssapi_ext.h', dependencies: gssapi, required: false,
args: test_c_args, include_directories: postgres_inc)
cdata.set('HAVE_GSSAPI_GSSAPI_EXT_H', 1)
elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, required: gssapiopt)
cdata.set('HAVE_GSSAPI_EXT_H', 1)
else
have_gssapi = false
endif
if not have_gssapi if not have_gssapi
elif cc.has_function('gss_init_sec_context', dependencies: gssapi, elif cc.has_function('gss_init_sec_context', dependencies: gssapi,
args: test_c_args, include_directories: postgres_inc) args: test_c_args, include_directories: postgres_inc)

5
src/backend/libpq/auth.c
View File

@ -922,8 +922,9 @@ pg_GSS_recvauth(Port *port)
gss_cred_id_t delegated_creds; gss_cred_id_t delegated_creds;
/* /*
* Use the configured keytab, if there is one. Unfortunately, Heimdal * Use the configured keytab, if there is one. As we now require MIT
* doesn't support the cred store extensions, so use the env var. * Kerberos, we might consider using the credential store extensions in
* the future instead of the environment variable.
*/ */
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0') if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
{ {

5
src/backend/libpq/be-secure-gssapi.c
View File

@ -526,8 +526,9 @@ secure_open_gssapi(Port *port)
PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0; PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
/* /*
* Use the configured keytab, if there is one. Unfortunately, Heimdal * Use the configured keytab, if there is one. As we now require MIT
* doesn't support the cred store extensions, so use the env var. * Kerberos, we might consider using the credential store extensions in the
* future instead of the environment variable.
*/ */
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0') if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
{ {