From be83aac6d26ecca0bd27801132b9606ffda480f2 Mon Sep 17 00:00:00 2001
From: Bruce Momjian <bruce@momjian.us>
Date: Wed, 26 Sep 2001 19:54:12 +0000
Subject: [PATCH] Disable local creds on OpenBSD because it doesn't support it.
  Document supported platforms in pg_hba.conf.

---
 src/backend/libpq/auth.c             |  4 ++--
 src/backend/libpq/hba.c              |  4 ++--
 src/backend/libpq/pg_hba.conf.sample | 27 +++++++++++++++------------
 src/interfaces/libpq/fe-auth.c       | 16 +++++++---------
 4 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 96bb8f0c572..78bff875ad1 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.67 2001/09/21 20:31:45 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.68 2001/09/26 19:54:12 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -520,7 +520,7 @@ ClientAuthentication(Port *port)
 			break;
 
 		case uaIdent:
-#if !defined(SO_PEERCRED) && (defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED))
+#if !defined(SO_PEERCRED) && (defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS)))
 			/*
 			 *	If we are doing ident on unix-domain sockets,
 			 *	use SCM_CREDS only if it is defined and SO_PEERCRED isn't.
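Review bot: The credential-support test on the `#if` under `case uaIdent:` is now written out by hand here and again in the `ident_unix` hunk of hba.c and the `pg_local_sendauth` hunk of fe-auth.c, and the backend and libpq only agree on whether SCM_CREDS is usable while all three copies stay identical. I would define the condition once in a header both sides include, under a single name (for example `#define HAVE_UNIX_SOCKET_CREDS 1`, name illustrative), and test that name in each place. `LOCAL_CREDS` appears to come from the system headers rather than from configure, so `defined(LOCAL_CREDS)` silently evaluates false if the defining header is not included above this line; a comment such as `/* LOCAL_CREDS is supplied by the system socket headers; OpenBSD lacks it */` would record that dependency. The rest of the `uaIdent` case lies outside the hunk, so what the disabled path does with a local ident request cannot be checked from here.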
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 891fcb4317f..c674da678ba 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.72 2001/09/21 20:31:46 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.73 2001/09/26 19:54:12 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -904,7 +904,7 @@ ident_unix(int sock, char *ident_user)
 
 	return true;
 
-#elif defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
+#elif defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
 	struct msghdr msg;
 
 /* Credentials structure */
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index 0aff0f43fcc..c61915bd31f 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -125,18 +125,21 @@
 #		not store encrypted passwords if you use this option.
 #
 #   ident:	For TCP/IP connections, authentication is done by contacting
-#		the ident server on the client host.  (CAUTION: this is only
-#		as secure as the client machine!)  On machines that support
-#		SO_PEERCRED or SCM_CREDS socket requests, this method also
-#		works for local Unix-domain connections.  AUTH_ARGUMENT is 
-#		required: it determines how to map remote user names to
-#		Postgres user names.  The AUTH_ARGUMENT is a map name found
-#		in the $PGDATA/pg_ident.conf file. The connection is accepted
-#		if that file contains an entry for this map name with the
-#		ident-supplied username and the requested Postgres username.
-#		The special map name "sameuser" indicates an implied map
-#		(not in pg_ident.conf) that maps each ident username to the
-#		identical PostgreSQL username.
+#		the ident server on the client host. (CAUTION: this is
+#		only as secure as the client machine!) On machines that
+#		support unix-domain socket credentials (currently Linux,
+#		FreeBSD, NetBSD, and BSD/OS), this method also works for
+#		"local" connections.
+#
+#		AUTH_ARGUMENT is required: it determines how to map
+#		remote user names to Postgres user names. The
+#		AUTH_ARGUMENT is a map name found in the
+#		$PGDATA/pg_ident.conf file. The connection is accepted
+#		if that file contains an entry for this map name with
+#		the ident-supplied username and the requested Postgres
+#		username. The special map name "sameuser" indicates an
+#		implied map (not in pg_ident.conf) that maps each ident
+#		username to the identical PostgreSQL username.
 # 
 #   krb4:	Kerberos V4 authentication is used.  Allowed only for
 #		TCP/IP connections, not for local UNIX-domain sockets.
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index bb60bb1ceb9..4b4b0399107 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
  * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.60 2001/09/21 20:31:49 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.61 2001/09/26 19:54:12 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -435,10 +435,10 @@ pg_krb5_sendauth(char *PQerrormsg, int sock,
 
 #endif	 /* KRB5 */
 
-#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
 static int
 pg_local_sendauth(char *PQerrormsg, PGconn *conn)
 {
+#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
 	char buf;
 	struct iovec iov;
 	struct msghdr msg;
@@ -485,8 +485,12 @@ pg_local_sendauth(char *PQerrormsg, PGconn *conn)
 		return STATUS_ERROR;
 	}
 	return STATUS_OK;
-}
+#else
+	snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+			 libpq_gettext("SCM_CRED authentication method not supported\n"));
+	return STATUS_ERROR;
 #endif
+}
 
 static int
 pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
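Review bot: The new `#else` branch of `pg_local_sendauth` passes the return value of `libpq_gettext()` to `snprintf` as the format string, so a conversion specifier in a translated catalog entry would be interpreted with no matching argument. The English literal contains none, but passing the text as data removes the dependence on catalog contents: `snprintf(PQerrormsg, PQERRORMSG_LENGTH, "%s", libpq_gettext("SCM_CRED authentication method not supported\n"));`. In this branch `conn` is also unused, which some compilers will warn about now that the function is compiled on every platform. `pg_local_sendauth` begins above this hunk, so the supported-platform body was not reviewed here.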
@@ -614,14 +618,8 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
 			break;
 
 		case AUTH_REQ_SCM_CREDS:
-#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
 			if (pg_local_sendauth(PQerrormsg, conn) != STATUS_OK)
 				return STATUS_ERROR;
-#else
-			snprintf(PQerrormsg, PQERRORMSG_LENGTH,
-					 libpq_gettext("SCM_CRED authentication method not supported\n"));
-			return STATUS_ERROR;
-#endif
 			break;
 
 		default:
-- 
GitLab