mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make krb_realm and krb_server_hostname be pg_hba options only, and remove

Browse Source 
their GUCs.

In passing, noted that the pg_hba options for krb5 authentication weren't
listed at all - so add this.
This commit is contained in:
Magnus Hagander 2009-01-09 10:13:19 +00:00
parent 32e1265dd9
commit 1b4e729eaa
5 changed files with 72 additions and 112 deletions

71
doc/src/sgml/client-auth.sgml

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.117 2009/01/07 13:09:21 mha Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.118 2009/01/09 10:13:18 mha Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -801,18 +801,8 @@ omicron bryanh guest1
<term>krb_realm</term>
<listitem>
<para>
Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
to verify the authenticated user principal against.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_server_hostname</term>
<listitem>
<para>
Overrides the <xref linkend="guc-krb-server-hostname"> parameter, setting which
hostname will be used for the server principal when using Kerberos.
Sets the realm to match user principal names against. If this parameter
is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
@ -874,8 +864,8 @@ omicron bryanh guest1
<term>krb_realm</term>
<listitem>
<para>
Overrides the <xref linkend="guc-krb-realm"> parameter, setting which realm
to verify the authenticated user principal against.
Sets the realm to match user principal names against. If this parameter
is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
@ -953,7 +943,7 @@ omicron bryanh guest1
<literal>pgusername@realm</>. By default, the realm of the client is
not checked by <productname>PostgreSQL</>. If you have cross-realm
authentication enabled and need to verify the realm, use the
<xref linkend="guc-krb-realm"> parameter.
krb_realm parameter in <filename>pg_hba.conf</>.
</para>
<para>
@ -996,6 +986,55 @@ omicron bryanh guest1
database access over the web, no extra passwords required.
</para>
<para>
The following configuration options are supported for <productname>Kerberos</productname>:
<variablelist>
<varlistentry>
<term>map</term>
<listitem>
<para>
Allows for mapping between system and database usernames. See
<xref linkend="auth-username-maps"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>include_realm</term>
<listitem>
<para>
Include the realm name from the authenticated user principal. This is useful
in combination with Username maps (See <xref linkend="auth-username-maps">
for details), especially with regular expressions, to map users from
multiple realms.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_realm</term>
<listitem>
<para>
Sets the realm to match user principal names against. If this parameter
is not set, the realm of the user will be ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb_server_hostname</term>
<listitem>
<para>
Sets the host name part of the service principal.
This, combined with <varname>krb_srvname</>, is used to generate
the complete service principal, that is
<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
If not set, the default is the server host name.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</sect2>
<sect2 id="auth-ident">

36
doc/src/sgml/config.sgml

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.203 2009/01/07 22:40:48 tgl Exp $ -->
<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.204 2009/01/09 10:13:18 mha Exp $ -->
<chapter Id="runtime-config">
<title>Server Configuration</title>
@ -612,22 +612,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem>
</varlistentry>
<varlistentry id="guc-krb-realm" xreflabel="krb_realm">
<term><varname>krb_realm</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_realm</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the realm to match Kerberos, GSSAPI and SSPI user names against.
See <xref linkend="kerberos-auth">, <xref linkend="gssapi-auth"> or
<xref linkend="sspi-auth"> for details. This parameter can only be
set in the <filename>postgresql.conf</> file or on the server
command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-server-keyfile" xreflabel="krb_server_keyfile">
<term><varname>krb_server_keyfile</varname> (<type>string</type>)</term>
<indexterm>
@ -657,24 +641,6 @@ SET ENABLE_SEQSCAN TO OFF;
</listitem>
</varlistentry>
<varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
<term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
<indexterm>
<primary><varname>krb_server_hostname</> configuration parameter</primary>
</indexterm>
<listitem>
<para>
Sets the host name part of the service principal.
This, combined with <varname>krb_srvname</>, is used to generate
the complete service principal, that is
<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
If not set, the default is the server host name. See <xref linkend="kerberos-auth">
for details. This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
</para>
</listitem>
</varlistentry>
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
<indexterm>

53
src/backend/libpq/auth.c

@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.177 2009/01/07 13:09:21 mha Exp $
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.178 2009/01/09 10:13:18 mha Exp $
*
*-------------------------------------------------------------------------
*/
@ -129,8 +129,6 @@ static int CheckCertAuth(Port *port);
char *pg_krb_server_keyfile;
char *pg_krb_srvnam;
bool pg_krb_caseins_users;
char *pg_krb_server_hostname = NULL;
char *pg_krb_realm = NULL;
/*----------------------------------------------------------------
@ -645,10 +643,7 @@ pg_krb5_init(Port *port)
* If no hostname was specified, pg_krb_server_hostname is already NULL.
* If it's set to blank, force it to NULL.
*/
if (port->hba->krb_server_hostname)
khostname = port->hba->krb_server_hostname;
else
khostname = pg_krb_server_hostname;
khostname = port->hba->krb_server_hostname;
if (khostname && khostname[0] == '\0')
khostname = NULL;
@ -694,7 +689,6 @@ pg_krb5_recvauth(Port *port)
krb5_ticket *ticket;
char *kusername;
char *cp;
char *realmmatch;
if (get_role_line(port->user_name) == NULL)
return STATUS_ERROR;
@ -740,11 +734,6 @@ pg_krb5_recvauth(Port *port)
return STATUS_ERROR;
}
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
cp = strchr(kusername, '@');
if (cp)
{
@ -757,19 +746,19 @@ pg_krb5_recvauth(Port *port)
*cp = '\0';
cp++;
if (realmmatch != NULL && strlen(realmmatch))
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/* Match realm against configured */
if (pg_krb_caseins_users)
ret = pg_strcasecmp(realmmatch, cp);
ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
ret = strcmp(realmmatch, cp);
ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
elog(DEBUG2,
"krb5 realm (%s) and configured realm (%s) don't match",
cp, realmmatch);
cp, port->hba->krb_realm);
krb5_free_ticket(pg_krb5_context, ticket);
krb5_auth_con_free(pg_krb5_context, auth_context);
@ -777,7 +766,7 @@ pg_krb5_recvauth(Port *port)
}
}
}
else if (realmmatch && strlen(realmmatch))
else if (port->hba->krb_realm&& strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"krb5 did not return realm but realm matching was requested");
@ -874,7 +863,6 @@ pg_GSS_recvauth(Port *port)
int ret;
StringInfoData buf;
gss_buffer_desc gbuf;
char *realmmatch;
/*
* GSS auth is not supported for protocol versions before 3, because it
@ -1034,11 +1022,6 @@ pg_GSS_recvauth(Port *port)
gettext_noop("retrieving GSS user name failed"),
maj_stat, min_stat);
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
/*
* Split the username at the realm separator
*/
@ -1055,28 +1038,28 @@ pg_GSS_recvauth(Port *port)
*cp = '\0';
cp++;
if (realmmatch != NULL && strlen(realmmatch))
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
{
/*
* Match the realm part of the name first
*/
if (pg_krb_caseins_users)
ret = pg_strcasecmp(realmmatch, cp);
ret = pg_strcasecmp(port->hba->krb_realm, cp);
else
ret = strcmp(realmmatch, cp);
ret = strcmp(port->hba->krb_realm, cp);
if (ret)
{
/* GSS realm does not match */
elog(DEBUG2,
"GSSAPI realm (%s) and configured realm (%s) don't match",
cp, realmmatch);
cp, port->hba->krb_realm);
gss_release_buffer(&lmin_s, &gbuf);
return STATUS_ERROR;
}
}
}
else if (realmmatch && strlen(realmmatch))
else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
elog(DEBUG2,
"GSSAPI did not return realm but realm matching was requested");
@ -1140,7 +1123,6 @@ pg_SSPI_recvauth(Port *port)
SID_NAME_USE accountnameuse;
HMODULE secur32;
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
char *realmmatch;
/*
* SSPI auth is not supported for protocol versions before 3, because it
@ -1353,18 +1335,13 @@ pg_SSPI_recvauth(Port *port)
* Compare realm/domain if requested. In SSPI, always compare case
* insensitive.
*/
if (port->hba->krb_realm)
realmmatch = port->hba->krb_realm;
else
realmmatch = pg_krb_realm;
if (realmmatch && strlen(realmmatch))
if (port->hba->krb_realm && strlen(port->hba->krb_realm))
{
if (pg_strcasecmp(realmmatch, domainname))
if (pg_strcasecmp(port->hba->krb_realm, domainname))
{
elog(DEBUG2,
"SSPI domain (%s) and configured domain (%s) don't match",
domainname, realmmatch);
domainname, port->hba->krb_realm);
return STATUS_ERROR;
}

21
src/backend/utils/misc/guc.c

@ -10,7 +10,7 @@
* Written by Peter Eisentraut <peter_e@gmx.net>.
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.491 2009/01/07 22:40:49 tgl Exp $
* $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.492 2009/01/09 10:13:18 mha Exp $
*
*--------------------------------------------------------------------
*/
@ -2130,16 +2130,6 @@ static struct config_string ConfigureNamesString[] =
"$libdir", NULL, NULL
},
{
{"krb_realm", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets realm to match Kerberos and GSSAPI users against."),
NULL,
GUC_SUPERUSER_ONLY
},
&pg_krb_realm,
NULL, NULL, NULL
},
{
{"krb_server_keyfile", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets the location of the Kerberos server key file."),
@ -2159,15 +2149,6 @@ static struct config_string ConfigureNamesString[] =
PG_KRB_SRVNAM, NULL, NULL
},
{
{"krb_server_hostname", PGC_SIGHUP, CONN_AUTH_SECURITY,
gettext_noop("Sets the hostname of the Kerberos server."),
NULL
},
&pg_krb_server_hostname,
NULL, NULL, NULL
},
{
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."),

3
src/backend/utils/misc/postgresql.conf.sample

@ -81,10 +81,7 @@
# Kerberos and GSSAPI
#krb_server_keyfile = ''
#krb_srvname = 'postgres' # (Kerberos only)
#krb_server_hostname = '' # empty string matches any keytab entry
# (Kerberos only)
#krb_caseins_users = off
#krb_realm = ''
# - TCP Keepalives -
# see "man 7 tcp" for details