Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
P
postgres-lambda-diff
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container registry
Model registry
Operate
Environments
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Jakob Huber
postgres-lambda-diff
Commits
4f326011
Commit
4f326011
authored
25 years ago
by
Bruce Momjian
Browse files
Options
Downloads
Patches
Plain Diff
Update readme.kerberos
parent
632a7ed7
No related branches found
No related tags found
No related merge requests found
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
doc/README.kerberos
+710
-9
710 additions, 9 deletions
doc/README.kerberos
with
710 additions
and
9 deletions
doc/README.kerberos
+
710
−
9
View file @
4f326011
Edit postgresql-7.0RC5/src/Makefile.global.in. Change PG_KRB_SRVTAB to
somewhere useful for you, and PG_KRB_SRVNAM to whatever you want your
postgres kerberos service called.
From pgsql-patches-owner@hub.org Mon May 8 13:28:54 2000
Received: from walter.doc.ic.ac.uk (IDENT:VjgMrPQKQlAhOUagIW0/IaLLtzgPtWaj@walter.doc.ic.ac.uk [146.169.2.50])
by hub.org (8.9.3/8.9.3) with ESMTP id NAA78580
for <pgsql-patches@postgresql.org>; Mon, 8 May 2000 13:27:41 -0400 (EDT)
(envelope-from mw@doc.ic.ac.uk)
Received: from [146.169.51.42] (helo=kungfu.doc.ic.ac.uk ident=mw)
by walter.doc.ic.ac.uk with esmtp (Exim 1.890 #1)
for pgsql-patches@postgresql.org
id 12orKe-0000J8-00; Mon, 8 May 2000 18:28:36 +0100
Date: Mon, 8 May 2000 18:27:40 +0100 (BST)
From: Mike Wyer <mw@doc.ic.ac.uk>
To: pgsql-patches@postgresql.org
Subject: kerberos 5 patch against 7.0RC5
Message-ID: <Pine.LNX.4.21.0005081804430.1265-100000@kungfu.doc.ic.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Archive-Number: 200005/24
Status: ORr
You can find it after my sig. Hideous abuse of netiquette, but needs
must ...
Most (nearly all) of the work was done by David Wragg <dpw@doc.ic.ac.uk>
He patched 6.5.3. I've updated it for 7.0RC5.
It works for MIT kerberos 1.1.1 (and previously for 1.0.6 as well).
I've got the patch against 6.5.3, plus kerberized RPMS.
Install:
Assuming postgresql-7.0RC5 is in /usr/local/src
cd /usr/local/src
patch -p0 < krb5-patch
Edit postgresql-7.0RC5/src/Makefile.global.in
Change PG_KRB_SRVTAB to somewhere useful for you, and PG_KRB_SRVNAM to
whatever you want your postgres kerberos service called.
make and install PostgreSQL.
Generate the keytab (PG_KRB_SRVTAB):
kadmin% ank -randkey
postgres/server.my.domain.org
kadmin% ktadd -k krb5.keytab
postgres/server.my.domain.org
Generate the keytab (PG_KRB_SRVTAB):
kadmin% ank -randkey
postgres/server.my.domain.org
kadmin% ktadd -k krb5.keytab
postgres/server.my.domain.org
Make sure the keytab is read-only to the postgres user.
Make sure your
client binaries can see the new libraries.
Make sure the keytab is read-only to the postgres user.
Make sure your
client binaries can see the new libraries.
edit pg_hba.conf and change the authentication method to krb5.
...
...
@@ -18,4 +55,668 @@ your web server, you can use AuthType KerberosV5SaveCredentials with a
mod_perl script. This gives secure database access over the web. No
extra passwords required.
Mike Wyer <mw@doc.ic.ac.uk>
Cheers,
Mike Wyer,
Department of Computing, Imperial College
--
Mike Wyer <mw@doc.ic.ac.uk> || "Woof?"
http://www.doc.ic.ac.uk/~mw || Gaspode the Wonder Dog
Work: 020 7594 8440 || from "Moving Pictures"
Mobile: 07879 697119 || by Terry Pratchett
===========================8<----------------------------------------------
diff -u -r postgresql-7.0RC5/src/Makefile.global.in postgresql-7.0RC5.krb5/src/Makefile.global.in
--- postgresql-7.0RC5/src/Makefile.global.in Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/Makefile.global.in Sat May 6 17:23:49 2000
@@ -120,7 +120,7 @@
# Set KRBVERS to "4" for Kerberos v4, "5" for Kerberos v5.
# XXX Edit the default Kerberos variables below!
#
-#KRBVERS= 5
+KRBVERS=5
# Globally pass Kerberos file locations.
# these are used in the postmaster and all libpq applications.
@@ -132,9 +132,9 @@
# PG_KRB_SRVTAB is the location of the server's keytab file.
#
ifdef KRBVERS
-KRBINCS= -I/usr/athena/include
-KRBLIBS= -L/usr/athena/lib
-KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres_dbms"'
+KRBINCS= -I/usr/krb5/include
+KRBLIBS= -L/usr/krb5/lib
+KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres"'
ifeq ($(KRBVERS), 4)
KRBFLAGS+= -DKRB4
KRBFLAGS+= -DPG_KRB_SRVTAB='"/etc/srvtab"'
@@ -142,8 +142,8 @@
else
ifeq ($(KRBVERS), 5)
KRBFLAGS+= -DKRB5
-KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/krb5/srvtab.postgres"'
-KRBLIBS+= -lkrb5 -lcrypto -lcom_err -lisode
+KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/usr/local/postgres/krb5.keytab"'
+KRBLIBS+= -lkrb5 -lcrypto -lcom_err
endif
endif
endif
diff -u -r postgresql-7.0RC5/src/backend/libpq/auth.c postgresql-7.0RC5.krb5/src/backend/libpq/auth.c
--- postgresql-7.0RC5/src/backend/libpq/auth.c Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/backend/libpq/auth.c Sat May 6 17:17:13 2000
@@ -149,7 +149,8 @@
*----------------------------------------------------------------
*/
-#include "krb5/krb5.h"
+#include <krb5.h>
+#include <com_err.h>
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
@@ -174,130 +175,134 @@
return aname;
}
+
/*
- * pg_krb5_recvauth -- server routine to receive authentication information
- * from the client
- *
- * We still need to compare the username obtained from the client's setup
- * packet to the authenticated name, as described in pg_krb4_recvauth. This
- * is a bit more problematic in v5, as described above in pg_an_to_ln.
- *
- * In addition, as described above in pg_krb5_sendauth, we still need to
- * canonicalize the server name v4-style before constructing a principal
- * from it. Again, this is kind of iffy.
- *
- * Finally, we need to tangle with the fact that v5 doesn't let you explicitly
- * set server keytab file names -- you have to feed lower-level routines a
- * function to retrieve the contents of a keytab, along with a single argument
- * that allows them to open the keytab. We assume that a server keytab is
- * always a real file so we can allow people to specify their own filenames.
- * (This is important because the POSTGRES keytab needs to be readable by
- * non-root users/groups; the v4 tools used to force you do dump a whole
- * host's worth of keys into a file, effectively forcing you to use one file,
- * but kdb5_edit allows you to select which principals to dump. Yay!)
+ * Various krb5 state which is not connection specfic, and a flag to
+ * indicate whether we have initialised it yet.
*/
+static int pg_krb5_initialised;
+static krb5_context pg_krb5_context;
+static krb5_keytab pg_krb5_keytab;
+static krb5_principal pg_krb5_server;
+
+
static int
-pg_krb5_recvauth(Port *port)
+pg_krb5_init(void)
{
- char servbuf[MAXHOSTNAMELEN + 1 +
- sizeof(PG_KRB_SRVNAM)];
- char *hostp,
- *kusername = (char *) NULL;
- krb5_error_code code;
- krb5_principal client,
- server;
- krb5_address sender_addr;
- krb5_rdreq_key_proc keyproc = (krb5_rdreq_key_proc) NULL;
- krb5_pointer keyprocarg = (krb5_pointer) NULL;
+ krb5_error_code retval;
- /*
- * Set up server side -- since we have no ticket file to make this
- * easy, we construct our own name and parse it. See note on
- * canonicalization above.
- */
- strcpy(servbuf, PG_KRB_SRVNAM);
- *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
- if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
- strcpy(hostp, "localhost");
- if (hostp = strchr(hostp, '.'))
- *hostp = '\0';
- if (code = krb5_parse_name(servbuf, &server))
- {
+ if (pg_krb5_initialised)
+ return STATUS_OK;
+
+ retval = krb5_init_context(&pg_krb5_context);
+ if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: Kerberos error %d in krb5_parse_name\n", code);
- com_err("pg_krb5_recvauth", code, "in krb5_parse_name");
+ "pg_krb5_init: krb5_init_context returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "while initializing krb5");
return STATUS_ERROR;
}
- /*
- * krb5_sendauth needs this to verify the address in the client
- * authenticator.
- */
- sender_addr.addrtype = port->raddr.in.sin_family;
- sender_addr.length = sizeof(port->raddr.in.sin_addr);
- sender_addr.contents = (krb5_octet *) & (port->raddr.in.sin_addr);
-
- if (strcmp(PG_KRB_SRVTAB, ""))
- {
- keyproc = krb5_kt_read_service_key;
- keyprocarg = PG_KRB_SRVTAB;
+ retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_kt_resolve returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "while resolving keytab file %s",
+ PG_KRB_SRVTAB);
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
}
- if (code = krb5_recvauth((krb5_pointer) & port->sock,
- PG_KRB5_VERSION,
- server,
- &sender_addr,
- (krb5_pointer) NULL,
- keyproc,
- keyprocarg,
- (char *) NULL,
- (krb5_int32 *) NULL,
- &client,
- (krb5_ticket **) NULL,
- (krb5_authenticator **) NULL))
- {
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ KRB5_NT_SRV_HST, &pg_krb5_server);
+ if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: Kerberos error %d in krb5_recvauth\n", code);
- com_err("pg_krb5_recvauth", code, "in krb5_recvauth");
- krb5_free_principal(server);
+ "pg_krb5_init: krb5_sname_to_principal returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval,
+ "while getting server principal for service %s",
+ PG_KRB_SRVTAB);
+ krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+ krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
- krb5_free_principal(server);
+
+ pg_krb5_initialised = 1;
+ return STATUS_OK;
+}
+
+
+/*
+ * pg_krb5_recvauth -- server routine to receive authentication information
+ * from the client
+ *
+ * We still need to compare the username obtained from the client's setup
+ * packet to the authenticated name, as described in pg_krb4_recvauth. This
+ * is a bit more problematic in v5, as described above in pg_an_to_ln.
+ *
+ * We have our own keytab file because postgres is unlikely to run as root,
+ * and so cannot read the default keytab.
+ */
+static int
+pg_krb5_recvauth(Port *port)
+{
+ krb5_error_code retval;
+ int ret;
+ krb5_auth_context auth_context = NULL;
+ krb5_ticket *ticket;
+ char *kusername;
+
+ ret = pg_krb5_init();
+ if (ret != STATUS_OK)
+ return ret;
+
+ retval = krb5_recvauth(pg_krb5_context, &auth_context,
+ (krb5_pointer)&port->sock, PG_KRB_SRVNAM,
+ pg_krb5_server, 0, pg_krb5_keytab, &ticket);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_recvauth: krb5_recvauth returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "from krb5_recvauth");
+ return STATUS_ERROR;
+ }
/*
* The "client" structure comes out of the ticket and is therefore
* authenticated. Use it to check the username obtained from the
* postmaster startup packet.
+ *
+ * I have no idea why this is considered necessary.
*/
- if ((code = krb5_unparse_name(client, &kusername)))
- {
+ retval = krb5_unparse_name(pg_krb5_context,
+ ticket->enc_part2->client, &kusername);
+ if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: Kerberos error %d in krb5_unparse_name\n", code);
- com_err("pg_krb5_recvauth", code, "in krb5_unparse_name");
- krb5_free_principal(client);
- return STATUS_ERROR;
- }
- krb5_free_principal(client);
- if (!kusername)
- {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: could not decode username\n");
- fputs(PQerrormsg, stderr);
- pqdebug("%s", PQerrormsg);
+ "pg_krb5_recvauth: krb5_unparse_name returned"
+ " Kerberos error %d\n", retval);
+ com_err("postgres", retval, "while unparsing client name");
+ krb5_free_ticket(pg_krb5_context, ticket);
+ krb5_auth_con_free(pg_krb5_context, auth_context);
return STATUS_ERROR;
}
+
kusername = pg_an_to_ln(kusername);
- if (strncmp(username, kusername, SM_USER))
+ if (strncmp(port->user, kusername, SM_USER))
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: name \"%s\" != \"%s\"\n", port->user, kusername);
- fputs(PQerrormsg, stderr);
- pqdebug("%s", PQerrormsg);
- pfree(kusername);
- return STATUS_ERROR;
- }
- pfree(kusername);
- return STATUS_OK;
+ "pg_krb5_recvauth: user name \"%s\" != krb5 name \"%s\"\n",
+ port->user, kusername);
+ ret = STATUS_ERROR;
+ }
+ else
+ ret = STATUS_OK;
+
+ krb5_free_ticket(pg_krb5_context, ticket);
+ krb5_auth_con_free(pg_krb5_context, auth_context);
+ free(kusername);
+
+ return ret;
}
#else
diff -u -r postgresql-7.0RC5/src/interfaces/libpq/Makefile.in postgresql-7.0RC5.krb5/src/interfaces/libpq/Makefile.in
--- postgresql-7.0RC5/src/interfaces/libpq/Makefile.in Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/interfaces/libpq/Makefile.in Sat May 6 17:17:13 2000
@@ -21,6 +21,7 @@
ifdef KRBVERS
CFLAGS+= $(KRBFLAGS)
+SHLIB_LINK += $(KRBLIBS)
endif
OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
diff -u -r postgresql-7.0RC5/src/interfaces/libpq/fe-auth.c postgresql-7.0RC5.krb5/src/interfaces/libpq/fe-auth.c
--- postgresql-7.0RC5/src/interfaces/libpq/fe-auth.c Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/interfaces/libpq/fe-auth.c Sat May 6 17:17:13 2000
@@ -39,6 +39,7 @@
#include "win32.h"
#else
#include <unistd.h>
+#include <fcntl.h>
#include <sys/param.h> /* for MAXHOSTNAMELEN on most */
#ifndef MAXHOSTNAMELEN
#include <netdb.h> /* for MAXHOSTNAMELEN on some */
@@ -234,7 +235,8 @@
*----------------------------------------------------------------
*/
-#include "krb5/krb5.h"
+#include <krb5.h>
+#include <com_err.h>
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
@@ -250,7 +252,7 @@
* and we can't afford to punt.
*/
static char *
-pg_an_to_ln(const char *aname)
+pg_an_to_ln(char *aname)
{
char *p;
@@ -261,197 +263,160 @@
/*
- * pg_krb5_init -- initialization performed before any Kerberos calls are made
- *
- * With v5, we can no longer set the ticket (credential cache) file name;
- * we now have to provide a file handle for the open (well, "resolved")
- * ticket file everywhere.
- *
+ * Various krb5 state which is not connection specfic, and a flag to
+ * indicate whether we have initialised it yet.
*/
+static int pg_krb5_initialised;
+static krb5_context pg_krb5_context;
+static krb5_ccache pg_krb5_ccache;
+static krb5_principal pg_krb5_client;
+static char *pg_krb5_name;
+
+
static int
- krb5_ccache
-pg_krb5_init(void)
+pg_krb5_init(char *PQerrormsg)
{
- krb5_error_code code;
- char *realm,
- *defname;
- char tktbuf[MAXPGPATH];
- static krb5_ccache ccache = (krb5_ccache) NULL;
+ krb5_error_code retval;
- if (ccache)
- return ccache;
+ if (pg_krb5_initialised)
+ return STATUS_OK;
- /*
- * If the user set PGREALM, then we use a ticket file with a special
- * name: <usual-ticket-file-name>@<PGREALM-value>
- */
- if (!(defname = krb5_cc_default_name()))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_init: krb5_cc_default_name failed\n");
- return (krb5_ccache) NULL;
- }
- strcpy(tktbuf, defname);
- if (realm = getenv("PGREALM"))
- {
- strcat(tktbuf, "@");
- strcat(tktbuf, realm);
+ retval = krb5_init_context(&pg_krb5_context);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_init_context: %s",
+ error_message(retval));
+ return STATUS_ERROR;
}
- if (code = krb5_cc_resolve(tktbuf, &ccache))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_init: Kerberos error %d in krb5_cc_resolve\n", code);
- com_err("pg_krb5_init", code, "in krb5_cc_resolve");
- return (krb5_ccache) NULL;
- }
- return ccache;
+ retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_cc_default: %s",
+ error_message(retval));
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+
+ retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
+ &pg_krb5_client);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_cc_get_principal: %s",
+ error_message(retval));
+ krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+
+ retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_init: krb5_unparse_name: %s",
+ error_message(retval));
+ krb5_free_principal(pg_krb5_context, pg_krb5_client);
+ krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+
+ pg_krb5_name = pg_an_to_ln(pg_krb5_name);
+
+ pg_krb5_initialised = 1;
+ return STATUS_OK;
}
+
/*
* pg_krb5_authname -- returns a pointer to static space containing whatever
* name the user has authenticated to the system
- *
- * We obtain this information by digging around in the ticket file.
- */
+ */
static const char *
-pg_krb5_authname(const char *PQerrormsg)
+pg_krb5_authname(char *PQerrormsg)
{
- krb5_ccache ccache;
- krb5_principal principal;
- krb5_error_code code;
- static char *authname = (char *) NULL;
-
- if (authname)
- return authname;
+ if (pg_krb5_init(PQerrormsg) != STATUS_OK)
+ return NULL;
- ccache = pg_krb5_init(); /* don't free this */
-
- if (code = krb5_cc_get_principal(ccache, &principal))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_authname: Kerberos error %d in krb5_cc_get_principal\n", code);
- com_err("pg_krb5_authname", code, "in krb5_cc_get_principal");
- return (char *) NULL;
- }
- if (code = krb5_unparse_name(principal, &authname))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_authname: Kerberos error %d in krb5_unparse_name\n", code);
- com_err("pg_krb5_authname", code, "in krb5_unparse_name");
- krb5_free_principal(principal);
- return (char *) NULL;
- }
- krb5_free_principal(principal);
- return pg_an_to_ln(authname);
+ return pg_krb5_name;
}
+
/*
* pg_krb5_sendauth -- client routine to send authentication information to
* the server
- *
- * This routine does not do mutual authentication, nor does it return enough
- * information to do encrypted connections. But then, if we want to do
- * encrypted connections, we'll have to redesign the whole RPC mechanism
- * anyway.
- *
- * Server hostnames are canonicalized v4-style, i.e., all domain suffixes
- * are simply chopped off. Hence, we are assuming that you've entered your
- * server instances as
- * <value-of-PG_KRB_SRVNAM>/<canonicalized-hostname>
- * in the PGREALM (or local) database. This is probably a bad assumption.
*/
static int
-pg_krb5_sendauth(const char *PQerrormsg, int sock,
+pg_krb5_sendauth(char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
const char *hostname)
{
- char servbuf[MAXHOSTNAMELEN + 1 +
- sizeof(PG_KRB_SRVNAM)];
- const char *hostp;
- const char *realm;
- krb5_error_code code;
- krb5_principal client,
- server;
- krb5_ccache ccache;
- krb5_error *error = (krb5_error *) NULL;
-
- ccache = pg_krb5_init(); /* don't free this */
-
- /*
- * set up client -- this is easy, we can get it out of the ticket
- * file.
- */
- if (code = krb5_cc_get_principal(ccache, &client))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: Kerberos error %d in krb5_cc_get_principal\n", code);
- com_err("pg_krb5_sendauth", code, "in krb5_cc_get_principal");
+ krb5_error_code retval;
+ int ret;
+ krb5_principal server;
+ krb5_auth_context auth_context = NULL;
+ krb5_error *err_ret = NULL;
+ int flags;
+
+ ret = pg_krb5_init(PQerrormsg);
+ if (ret != STATUS_OK)
+ return ret;
+
+ retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+ KRB5_NT_SRV_HST, &server);
+ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: krb5_sname_to_principal: %s",
+ error_message(retval));
return STATUS_ERROR;
}
- /*
- * set up server -- canonicalize as described above
+ /*
+ * libpq uses a non-blocking socket. But kerberos needs a blocking
+ * socket, and we have to block somehow to do mutual authentication
+ * anyway. So we temporarily make it blocking.
*/
- strcpy(servbuf, PG_KRB_SRVNAM);
- *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
- if (hostname || *hostname)
- strncpy(++hostp, hostname, MAXHOSTNAMELEN);
- else
- {
- if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
- strcpy(hostp, "localhost");
- }
- if (hostp = strchr(hostp, '.'))
- *hostp = '\0';
- if (realm = getenv("PGREALM"))
- {
- strcat(servbuf, "@");
- strcat(servbuf, realm);
- }
- if (code = krb5_parse_name(servbuf, &server))
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: Kerberos error %d in krb5_parse_name\n", code);
- com_err("pg_krb5_sendauth", code, "in krb5_parse_name");
- krb5_free_principal(client);
+ flags = fcntl(sock, F_GETFL);
+ if (flags < 0 || fcntl(sock, F_SETFL, (long)(flags & ~O_NONBLOCK))) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: fcntl: %s", strerror(errno));
+ krb5_free_principal(pg_krb5_context, server);
return STATUS_ERROR;
}
- /*
- * The only thing we want back from krb5_sendauth is an error status
- * and any error messages.
- */
- if (code = krb5_sendauth((krb5_pointer) & sock,
- PG_KRB5_VERSION,
- client,
- server,
- (krb5_flags) 0,
- (krb5_checksum *) NULL,
- (krb5_creds *) NULL,
- ccache,
- (krb5_int32 *) NULL,
- (krb5_keyblock **) NULL,
- &error,
- (krb5_ap_rep_enc_part **) NULL))
- {
- if ((code == KRB5_SENDAUTH_REJECTED) && error)
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: authentication rejected: \"%*s\"\n",
- error->text.length, error->text.data);
+ retval = krb5_sendauth(pg_krb5_context, &auth_context,
+ (krb5_pointer) &sock, PG_KRB_SRVNAM,
+ pg_krb5_client, server,
+ AP_OPTS_MUTUAL_REQUIRED,
+ NULL, 0, /* no creds, use ccache instead */
+ pg_krb5_ccache, &err_ret, NULL, NULL);
+ if (retval) {
+ if (retval == KRB5_SENDAUTH_REJECTED && err_ret) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: authentication rejected: \"%*s\"",
+ err_ret->text.length, err_ret->text.data);
}
- else
- {
- (void) sprintf(PQerrormsg,
- "pg_krb5_sendauth: Kerberos error %d in krb5_sendauth\n", code);
- com_err("pg_krb5_sendauth", code, "in krb5_sendauth");
+ else {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: krb5_sendauth: %s",
+ error_message(retval));
}
+
+ if (err_ret)
+ krb5_free_error(pg_krb5_context, err_ret);
+
+ ret = STATUS_ERROR;
+ }
+
+ krb5_free_principal(pg_krb5_context, server);
+
+ if (fcntl(sock, F_SETFL, (long)flags)) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: fcntl: %s", strerror(errno));
+ ret = STATUS_ERROR;
}
- krb5_free_principal(client);
- krb5_free_principal(server);
- return code ? STATUS_ERROR : STATUS_OK;
+
+ return ret;
}
#endif /* KRB5 */
diff -u -r postgresql-7.0RC5/src/interfaces/libpq/libpq-int.h postgresql-7.0RC5.krb5/src/interfaces/libpq/libpq-int.h
--- postgresql-7.0RC5/src/interfaces/libpq/libpq-int.h Mon May 8 17:22:40 2000
+++ postgresql-7.0RC5.krb5/src/interfaces/libpq/libpq-int.h Sat May 6 17:49:38 2000
@@ -50,6 +50,7 @@
* POSTGRES backend dependent Constants.
*/
+#define PQERRORMSG_LENGTH 1024
#define CMDSTATUS_LEN 40
/*
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
