Make the location of the Kerberos server key file run time configurable

(rather than compile time). For libpq, even when Kerberos support is
compiled in, the default user name should still fall back to geteuid()
if it can't be determined via the Kerberos system.

A couple of fixes for string type configuration parameters, now that there
is one.
This commit is contained in:
Peter Eisentraut 2000-08-25 10:00:35 +00:00
parent 69cf335687
commit 996832caee
11 changed files with 490 additions and 514 deletions

configure vendored



@ -477,6 +477,8 @@ if test "$with_krb4" = yes ; then
fi
dnl Test for these libraries is below
KRB_LIBS="$krb_libdir -lkrb -ldes"
krb_srvtab='/etc/srvtab'
fi
@ -513,6 +515,8 @@ if test "$with_krb5" = yes ; then
dnl Test for these libraries is below
KRB_LIBS="$krb_libdir -lkrb5 -lcrypto -lcom_err"
krb_srvtab='FILE:$(sysconfdir)/krb5.keytab'
fi
@ -521,6 +525,8 @@ if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
fi
AC_SUBST(krb_srvtab)
dnl Necessary for special libpq link
AC_SUBST(KRB_LIBS)
@ -537,20 +543,6 @@ fi],
[krb_srvnam="postgres"])
AC_DEFINE_UNQUOTED(PG_KRB_SRVNAM, ["$krb_srvnam"], [The name of the Postgres service principal])
AC_ARG_WITH(krb-srvtab, [ --with-krb-srvtab=FILE location of Kerberos server's keytab file],
[if test x"$withval" = x"yes"; then
AC_MSG_ERROR([argument required for --with-krb-srvtab])
else
krb_srvtab=$withval
fi],
[if test "$with_krb5" = yes ; then
krb_srvtab='FILE:${sysconfdir}/krb5.keytab'
elif test "$with_krb4" = yes ; then
krb_srvtab='/etc/srvtab'
else
krb_srvtab=
fi])
AC_SUBST(krb_srvtab)
#


@ -1,4 +1,4 @@
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.3 2000/07/15 21:35:47 petere Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.4 2000/08/25 10:00:29 petere Exp $ -->
<chapter id="client-authentication">
<title>Client Authentication</title>
@ -341,7 +341,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap
</sect2>
<sect2>
<sect2 id="kerberos-auth">
<title>Kerberos authentication</title>
<para>
@ -369,13 +369,15 @@ host all 192.168.2.0 255.255.255.0 ident othermap
<productname>Postgres</> should operate like a normal Kerberos
service. The name of the service principal is normally
<literal>postgres</literal>, unless it was changed during the
build. Make sure that your server keytab file is readable (and
build. Make sure that your server key file is readable (and
preferrably only readable) by the Postgres server account (see
<xref linkend="postgres-user">). The location of the keytab file
is specified at build time; by default it is
<filename>/etc/srvtab</filename> in Kerberos 4 and
<filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> in
Kerberos 5.
<xref linkend="postgres-user">). The location of the key file
is specified with the <varname>krb_server_keyfile</> run time
configuration parameter. (See also <xref linkend="runtime-config">.)
The default is <filename>/etc/srvtab</> if you are using Kerberos 4
and <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</> (or whichever
directory was specified as <varname>sysconfdir</> at build time)
with Kerberos 5.
</para>
<para>


@ -1,4 +1,4 @@
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.13 2000/07/22 14:48:01 petere Exp $ -->
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.14 2000/08/25 10:00:29 petere Exp $ -->
<chapter id="installation">
<title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title>
@ -577,27 +577,13 @@ su - postgres
</listitem>
</varlistentry>
<varlistentry>
<term>--with-krb-srvtab=<replaceable>FILE</></term>
<listitem>
<para>
Specifies the location of the Kerberos server shared key file
(<quote>srvtab</>). If you are using Kerberos 4, this
defaults to <filename>/etc/srvtab</>, with Kerberos 5 to
<filename>FILE:/usr/local/pgsql/etc/krb5.keytab</>, or
equivalent, depending on what you set <option>--sysconfdir</>
to above.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--enable-syslog</term>
<listitem>
<para>
Enables the <productname>PostgreSQL</> server to use the
syslog logging facility. (Using this option does not mean
that you have to log with syslog or even that it will be done
that you will have to log with syslog or even that it will be done
by default, it simply makes it possible to turn this option
on at run time.)
</para>


@ -1,5 +1,5 @@
<!--
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.18 2000/08/11 18:31:06 tgl Exp $
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.19 2000/08/25 10:00:29 petere Exp $
-->
<Chapter Id="runtime">
@ -898,6 +898,16 @@ env PGOPTIONS='--geqo=off' psql
</listitem>
</varlistentry>
<varlistentry>
<term>KRB_SERVER_KEYFILE</>
<listitem>
<para>
Sets the location of the Kerberos server key file. See
<xref linkend="kerberos-auth"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>MAX_CONNECTIONS (<type>integer</type>)</term>
<listitem>


@ -4,13 +4,13 @@
# Makefile for libpq subsystem (backend half of libpq interface)
#
# IDENTIFICATION
# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.23 2000/07/09 13:48:45 petere Exp $
# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.24 2000/08/25 10:00:30 petere Exp $
#
#-------------------------------------------------------------------------
subdir = src/backend/libpq
top_builddir = ../../..
include ../../Makefile.global
include $(top_builddir)/src/Makefile.global
# be-fsstubs is here for historical reasons, probably belongs elsewhere
@ -18,12 +18,6 @@ OBJS = be-fsstubs.o \
auth.o crypt.o hba.o password.o \
pqcomm.o pqformat.o pqpacket.o pqsignal.o util.o
# This location might depend on the installation directories. Therefore
# we can't subsitute it into config.h.
ifdef krb_srvtab
CPPFLAGS += -DPG_KRB_SRVTAB='"$(krb_srvtab)"'
endif
all: SUBSYS.o
@ -39,4 +33,3 @@ clean:
ifeq (depend,$(wildcard depend))
include depend
endif


@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.48 2000/07/04 16:31:53 petere Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.49 2000/08/25 10:00:30 petere Exp $
*
*-------------------------------------------------------------------------
*/
@ -51,6 +51,9 @@ static int map_old_to_new(Port *port, UserAuth old, int status);
static void auth_failed(Port *port);
char * pg_krb_server_keyfile;
#ifdef KRB4
/*----------------------------------------------------------------
* MIT Kerberos authentication system - protocol version 4
@ -89,7 +92,7 @@ pg_krb4_recvauth(Port *port)
&port->raddr.in,
&port->laddr.in,
&auth_data,
PG_KRB_SRVTAB,
pg_krb_server_keyfile,
key_sched,
version);
if (status != KSUCCESS)
@ -197,13 +200,13 @@ pg_krb5_init(void)
return STATUS_ERROR;
}
retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab);
retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
if (retval) {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_init: krb5_kt_resolve returned"
" Kerberos error %d\n", retval);
com_err("postgres", retval, "while resolving keytab file %s",
PG_KRB_SRVTAB);
pg_krb_server_keyfile);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
}
@ -216,7 +219,7 @@ pg_krb5_init(void)
" Kerberos error %d\n", retval);
com_err("postgres", retval,
"while getting server principal for service %s",
PG_KRB_SRVTAB);
pg_krb_server_keyfile);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
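Review bot: `char * pg_krb_server_keyfile;` in the first hunk is a bare global that only receives a value when the GUC string table is reset, yet pg_krb4_recvauth and pg_krb5_init hand it straight to krb_recvauth and krb5_kt_resolve; if either can run before that reset has happened (the startup order is not visible here), the library is given a NULL path, and when PG_KRB_SRVTAB was not defined at build time it is given "". Failing closed with an explicit message before the resolve, e.g. `if (!pg_krb_server_keyfile || !*pg_krb_server_keyfile) { snprintf(PQerrormsg, PQERRORMSG_LENGTH, "pg_krb5_init: no server key file configured\n"); return STATUS_ERROR; }`, would make a misconfigured server reject Kerberos logins with a diagnosable error instead of whatever the library does with an empty or null name. In the last hunk the com_err text "while getting server principal for service %s" is now formatted with pg_krb_server_keyfile, which is the key file path and not the service name; PG_KRB_SRVNAM is the value that message describes. Both pg_krb4_recvauth and pg_krb5_init continue outside the hunks shown.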


@ -1,18 +1,18 @@
#-------------------------------------------------------------------------
#
# Makefile--
# Makefile for utils/misc
#
# IDENTIFICATION
# $Header: /cvsroot/pgsql/src/backend/utils/misc/Makefile,v 1.16 2000/06/04 01:44:34 petere Exp $
#
#-------------------------------------------------------------------------
# $Header: /cvsroot/pgsql/src/backend/utils/misc/Makefile,v 1.17 2000/08/25 10:00:31 petere Exp $
SRCDIR = ../../..
include $(SRCDIR)/Makefile.global
subdir = src/backend/utils/misc
top_builddir = ../../../..
include $(top_builddir)/src/Makefile.global
OBJS = database.o superuser.o guc.o guc-file.o ps_status.o
# This location might depend on the installation directories. Therefore
# we can't subsitute it into config.h.
ifdef krb_srvtab
CPPFLAGS += -DPG_KRB_SRVTAB='"$(krb_srvtab)"'
endif
all: SUBSYS.o
SUBSYS.o: $(OBJS)


@ -4,7 +4,7 @@
* Support for grand unified configuration scheme, including SET
* command, configuration file, and command line options.
*
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.8 2000/08/11 18:31:10 tgl Exp $
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.9 2000/08/25 10:00:31 petere Exp $
*
* Copyright 2000 by PostgreSQL Global Development Group
* Written by Peter Eisentraut <peter_e@gmx.net>.
@ -21,6 +21,7 @@
#include "utils/guc.h"
#include "commands/async.h"
#include "libpq/auth.h"
#include "miscadmin.h"
#include "optimizer/cost.h"
#include "optimizer/geqo.h"
@ -54,6 +55,11 @@ bool Show_btree_build_stats = false;
bool SQL_inheritance = true;
#ifndef PG_KRB_SRVTAB
# define PG_KRB_SRVTAB ""
#endif
enum config_type
{
@ -113,7 +119,7 @@ struct config_string
{
const char *name;
GucContext context;
char *variable;
char **variable;
const char *default_val;
bool (*parse_hook)(const char *);
};
@ -273,7 +279,8 @@ ConfigureNamesReal[] =
static struct config_string
ConfigureNamesString[] =
{
/* none so far */
{"krb_server_keyfile", PGC_USERSET, &pg_krb_server_keyfile,
PG_KRB_SRVTAB, NULL},
{NULL, 0, NULL, NULL, NULL}
};
@ -323,7 +330,7 @@ find_option(const char * name, struct config_generic ** record)
{
if (record)
*record = (struct config_generic *)&ConfigureNamesString[i];
return PGC_REAL;
return PGC_STRING;
}
return PGC_NONE;
@ -349,7 +356,7 @@ ResetAllOptions(void)
for (i = 0; ConfigureNamesReal[i].name; i++)
*(ConfigureNamesReal[i].variable) = ConfigureNamesReal[i].default_val;
for (i = 0; ConfigureNamesString[i].name; i++)
for (i = 0; ConfigureNamesString[i].name; i++)
{
char * str = NULL;
@ -359,7 +366,7 @@ ResetAllOptions(void)
if (str == NULL)
elog(ERROR, "out of memory");
}
ConfigureNamesString[i].variable = str;
*(ConfigureNamesString[i].variable) = str;
}
if (getenv("PGPORT"))
@ -650,8 +657,8 @@ set_config_option(const char * name, const char * value, GucContext
elog(elevel, "out of memory");
return false;
}
free(conf->variable);
conf->variable = str;
free(*conf->variable);
*conf->variable = str;
}
}
else if (DoIt)
@ -664,8 +671,8 @@ set_config_option(const char * name, const char * value, GucContext
elog(elevel, "out of memory");
return false;
}
free(conf->variable);
conf->variable = str;
free(*conf->variable);
*conf->variable = str;
}
break;
}
@ -725,7 +732,7 @@ GetConfigOption(const char * name)
return buffer;
case PGC_STRING:
return ((struct config_string *)record)->variable;
return *((struct config_string *)record)->variable;
default:
;
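Review bot: The new `{"krb_server_keyfile", PGC_USERSET, &pg_krb_server_keyfile, PG_KRB_SRVTAB, NULL}` entry registers the server's Kerberos key file path with the most permissive context, so any session may SET it even though it selects the credentials the server authenticates clients against; a path that governs server identity belongs in a postmaster- or config-file-only context such as PGC_POSTMASTER or PGC_SIGHUP from GucContext, which also keeps a per-user value from leaking into error text that names the file. In the ResetAllOptions hunk, `*(ConfigureNamesString[i].variable) = str;` overwrites the previous string without releasing it, whereas both set_config_option hunks `free(*conf->variable)` first; if every registered variable starts out NULL or holds a malloc'd string (the only one here does), adding `free(*(ConfigureNamesString[i].variable));` before the assignment keeps a later reset from leaking the SET value. ResetAllOptions, set_config_option and GetConfigOption all start and end outside the hunks shown.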


@ -7,7 +7,7 @@
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
* Portions Copyright (c) 1994, Regents of the University of California
*
* $Id: auth.h,v 1.13 2000/01/26 05:58:11 momjian Exp $
* $Id: auth.h,v 1.14 2000/08/25 10:00:33 petere Exp $
*
*-------------------------------------------------------------------------
*/
@ -26,4 +26,6 @@ void be_recvauth(Port *port);
#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */
#define PG_KRB5_VERSION "PGVER5.1"
extern char * pg_krb_server_keyfile;
#endif /* AUTH_H */


@ -10,7 +10,7 @@
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.43 2000/06/17 00:10:09 petere Exp $
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.44 2000/08/25 10:00:35 petere Exp $
*
*-------------------------------------------------------------------------
*/
@ -565,41 +565,37 @@ fe_getauthname(char *PQerrormsg)
MsgType authsvc;
authsvc = fe_getauthsvc(PQerrormsg);
switch ((int) authsvc)
{
#ifdef KRB4
case STARTUP_KRB4_MSG:
name = pg_krb4_authname(PQerrormsg);
break;
if (authsvc == STARTUP_KRB4_MSG)
name = pg_krb4_authname(PQerrormsg);
#endif
#ifdef KRB5
case STARTUP_KRB5_MSG:
name = pg_krb5_authname(PQerrormsg);
break;
if (authsvc == STARTUP_KRB5_MSG)
name = pg_krb5_authname(PQerrormsg);
#endif
case STARTUP_MSG:
{
if (authsvc == STARTUP_MSG
|| (authsvc == STARTUP_KRB4_MSG && !name)
|| (authsvc == STARTUP_KRB5_MSG && !name))
{
#ifdef WIN32
char username[128];
DWORD namesize = sizeof(username) - 1;
char username[128];
DWORD namesize = sizeof(username) - 1;
if (GetUserName(username, &namesize))
name = username;
if (GetUserName(username, &namesize))
name = username;
#else
struct passwd *pw = getpwuid(geteuid());
struct passwd *pw = getpwuid(geteuid());
if (pw)
name = pw->pw_name;
if (pw)
name = pw->pw_name;
#endif
}
break;
default:
(void) sprintf(PQerrormsg,
"fe_getauthname: invalid authentication system: %d\n",
authsvc);
break;
}
if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
sprintf(PQerrormsg,"fe_getauthname: invalid authentication system: %d\n", authsvc);
if (name && (authn = (char *) malloc(strlen(name) + 1)))
strcpy(authn, name);
return authn;
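Review bot: In the `#ifdef WIN32` branch of the rewritten fallback, `name = username;` points at an automatic array whose lifetime ends at the closing brace of that block, but the copy `strcpy(authn, name);` runs after the block, so on that platform the function reads a dead stack buffer; the pattern predates this commit but the rewrite preserves it. Declaring `char username[128];` alongside the function's other locals (outside the hunk) or performing the malloc and strcpy inside the block removes the dangling use. The diagnostic `sprintf(PQerrormsg,"fe_getauthname: invalid authentication system: %d\n", authsvc);` also stays unbounded while the file's header comment ties PQerrormsg to INITIAL_EXPBUFFER_SIZE, so a bounded `snprintf(PQerrormsg, INITIAL_EXPBUFFER_SIZE, ...)` would match that contract. fe_getauthname begins before the hunk, where `name` is presumably initialized to NULL; the fallback condition depends on that.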