Make the location of the Kerberos server key file run time configurable
(rather than compile time). For libpq, even when Kerberos support is compiled in, the default user name should still fall back to geteuid() if it can't be determined via the Kerberos system. A couple of fixes for string type configuration parameters, now that there is one.
This commit is contained in:
parent
69cf335687
commit
996832caee
11 changed files with 490 additions and 514 deletions
20
configure.in
20
configure.in
|
@ -477,6 +477,8 @@ if test "$with_krb4" = yes ; then
|
|||
fi
|
||||
dnl Test for these libraries is below
|
||||
KRB_LIBS="$krb_libdir -lkrb -ldes"
|
||||
|
||||
krb_srvtab='/etc/srvtab'
|
||||
fi
|
||||
|
||||
|
||||
|
@ -513,6 +515,8 @@ if test "$with_krb5" = yes ; then
|
|||
|
||||
dnl Test for these libraries is below
|
||||
KRB_LIBS="$krb_libdir -lkrb5 -lcrypto -lcom_err"
|
||||
|
||||
krb_srvtab='FILE:$(sysconfdir)/krb5.keytab'
|
||||
fi
|
||||
|
||||
|
||||
|
@ -521,6 +525,8 @@ if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
|
|||
AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
|
||||
fi
|
||||
|
||||
|
||||
AC_SUBST(krb_srvtab)
|
||||
dnl Necessary for special libpq link
|
||||
AC_SUBST(KRB_LIBS)
|
||||
|
||||
|
@ -537,20 +543,6 @@ fi],
|
|||
[krb_srvnam="postgres"])
|
||||
AC_DEFINE_UNQUOTED(PG_KRB_SRVNAM, ["$krb_srvnam"], [The name of the Postgres service principal])
|
||||
|
||||
AC_ARG_WITH(krb-srvtab, [ --with-krb-srvtab=FILE location of Kerberos server's keytab file],
|
||||
[if test x"$withval" = x"yes"; then
|
||||
AC_MSG_ERROR([argument required for --with-krb-srvtab])
|
||||
else
|
||||
krb_srvtab=$withval
|
||||
fi],
|
||||
[if test "$with_krb5" = yes ; then
|
||||
krb_srvtab='FILE:${sysconfdir}/krb5.keytab'
|
||||
elif test "$with_krb4" = yes ; then
|
||||
krb_srvtab='/etc/srvtab'
|
||||
else
|
||||
krb_srvtab=
|
||||
fi])
|
||||
AC_SUBST(krb_srvtab)
|
||||
|
||||
|
||||
#
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.3 2000/07/15 21:35:47 petere Exp $ -->
|
||||
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.4 2000/08/25 10:00:29 petere Exp $ -->
|
||||
|
||||
<chapter id="client-authentication">
|
||||
<title>Client Authentication</title>
|
||||
|
@ -341,7 +341,7 @@ host all 192.168.2.0 255.255.255.0 ident othermap
|
|||
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<sect2 id="kerberos-auth">
|
||||
<title>Kerberos authentication</title>
|
||||
|
||||
<para>
|
||||
|
@ -369,13 +369,15 @@ host all 192.168.2.0 255.255.255.0 ident othermap
|
|||
<productname>Postgres</> should operate like a normal Kerberos
|
||||
service. The name of the service principal is normally
|
||||
<literal>postgres</literal>, unless it was changed during the
|
||||
build. Make sure that your server keytab file is readable (and
|
||||
build. Make sure that your server key file is readable (and
|
||||
preferrably only readable) by the Postgres server account (see
|
||||
<xref linkend="postgres-user">). The location of the keytab file
|
||||
is specified at build time; by default it is
|
||||
<filename>/etc/srvtab</filename> in Kerberos 4 and
|
||||
<filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename> in
|
||||
Kerberos 5.
|
||||
<xref linkend="postgres-user">). The location of the key file
|
||||
is specified with the <varname>krb_server_keyfile</> run time
|
||||
configuration parameter. (See also <xref linkend="runtime-config">.)
|
||||
The default is <filename>/etc/srvtab</> if you are using Kerberos 4
|
||||
and <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</> (or whichever
|
||||
directory was specified as <varname>sysconfdir</> at build time)
|
||||
with Kerberos 5.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.13 2000/07/22 14:48:01 petere Exp $ -->
|
||||
<!-- $Header: /cvsroot/pgsql/doc/src/sgml/installation.sgml,v 1.14 2000/08/25 10:00:29 petere Exp $ -->
|
||||
|
||||
<chapter id="installation">
|
||||
<title><![%flattext-install-include[<productname>PostgreSQL</> ]]>Installation Instructions</title>
|
||||
|
@ -577,27 +577,13 @@ su - postgres
|
|||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>--with-krb-srvtab=<replaceable>FILE</></term>
|
||||
<listitem>
|
||||
<para>
|
||||
Specifies the location of the Kerberos server shared key file
|
||||
(<quote>srvtab</>). If you are using Kerberos 4, this
|
||||
defaults to <filename>/etc/srvtab</>, with Kerberos 5 to
|
||||
<filename>FILE:/usr/local/pgsql/etc/krb5.keytab</>, or
|
||||
equivalent, depending on what you set <option>--sysconfdir</>
|
||||
to above.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>--enable-syslog</term>
|
||||
<listitem>
|
||||
<para>
|
||||
Enables the <productname>PostgreSQL</> server to use the
|
||||
syslog logging facility. (Using this option does not mean
|
||||
that you have to log with syslog or even that it will be done
|
||||
that you will have to log with syslog or even that it will be done
|
||||
by default, it simply makes it possible to turn this option
|
||||
on at run time.)
|
||||
</para>
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
<!--
|
||||
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.18 2000/08/11 18:31:06 tgl Exp $
|
||||
$Header: /cvsroot/pgsql/doc/src/sgml/runtime.sgml,v 1.19 2000/08/25 10:00:29 petere Exp $
|
||||
-->
|
||||
|
||||
<Chapter Id="runtime">
|
||||
|
@ -898,6 +898,16 @@ env PGOPTIONS='--geqo=off' psql
|
|||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>KRB_SERVER_KEYFILE</>
|
||||
<listitem>
|
||||
<para>
|
||||
Sets the location of the Kerberos server key file. See
|
||||
<xref linkend="kerberos-auth"> for details.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>MAX_CONNECTIONS (<type>integer</type>)</term>
|
||||
<listitem>
|
||||
|
|
|
@ -4,13 +4,13 @@
|
|||
# Makefile for libpq subsystem (backend half of libpq interface)
|
||||
#
|
||||
# IDENTIFICATION
|
||||
# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.23 2000/07/09 13:48:45 petere Exp $
|
||||
# $Header: /cvsroot/pgsql/src/backend/libpq/Makefile,v 1.24 2000/08/25 10:00:30 petere Exp $
|
||||
#
|
||||
#-------------------------------------------------------------------------
|
||||
|
||||
subdir = src/backend/libpq
|
||||
top_builddir = ../../..
|
||||
include ../../Makefile.global
|
||||
include $(top_builddir)/src/Makefile.global
|
||||
|
||||
# be-fsstubs is here for historical reasons, probably belongs elsewhere
|
||||
|
||||
|
@ -18,12 +18,6 @@ OBJS = be-fsstubs.o \
|
|||
auth.o crypt.o hba.o password.o \
|
||||
pqcomm.o pqformat.o pqpacket.o pqsignal.o util.o
|
||||
|
||||
# This location might depend on the installation directories. Therefore
|
||||
# we can't subsitute it into config.h.
|
||||
ifdef krb_srvtab
|
||||
CPPFLAGS += -DPG_KRB_SRVTAB='"$(krb_srvtab)"'
|
||||
endif
|
||||
|
||||
|
||||
all: SUBSYS.o
|
||||
|
||||
|
@ -39,4 +33,3 @@ clean:
|
|||
ifeq (depend,$(wildcard depend))
|
||||
include depend
|
||||
endif
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
*
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.48 2000/07/04 16:31:53 petere Exp $
|
||||
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.49 2000/08/25 10:00:30 petere Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
|
@ -51,6 +51,9 @@ static int map_old_to_new(Port *port, UserAuth old, int status);
|
|||
static void auth_failed(Port *port);
|
||||
|
||||
|
||||
char * pg_krb_server_keyfile;
|
||||
|
||||
|
||||
#ifdef KRB4
|
||||
/*----------------------------------------------------------------
|
||||
* MIT Kerberos authentication system - protocol version 4
|
||||
|
@ -89,7 +92,7 @@ pg_krb4_recvauth(Port *port)
|
|||
&port->raddr.in,
|
||||
&port->laddr.in,
|
||||
&auth_data,
|
||||
PG_KRB_SRVTAB,
|
||||
pg_krb_server_keyfile,
|
||||
key_sched,
|
||||
version);
|
||||
if (status != KSUCCESS)
|
||||
|
@ -197,13 +200,13 @@ pg_krb5_init(void)
|
|||
return STATUS_ERROR;
|
||||
}
|
||||
|
||||
retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab);
|
||||
retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
|
||||
if (retval) {
|
||||
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
|
||||
"pg_krb5_init: krb5_kt_resolve returned"
|
||||
" Kerberos error %d\n", retval);
|
||||
com_err("postgres", retval, "while resolving keytab file %s",
|
||||
PG_KRB_SRVTAB);
|
||||
pg_krb_server_keyfile);
|
||||
krb5_free_context(pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
}
|
||||
|
@ -216,7 +219,7 @@ pg_krb5_init(void)
|
|||
" Kerberos error %d\n", retval);
|
||||
com_err("postgres", retval,
|
||||
"while getting server principal for service %s",
|
||||
PG_KRB_SRVTAB);
|
||||
pg_krb_server_keyfile);
|
||||
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
|
||||
krb5_free_context(pg_krb5_context);
|
||||
return STATUS_ERROR;
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
#-------------------------------------------------------------------------
|
||||
#
|
||||
# Makefile--
|
||||
# Makefile for utils/misc
|
||||
#
|
||||
# IDENTIFICATION
|
||||
# $Header: /cvsroot/pgsql/src/backend/utils/misc/Makefile,v 1.16 2000/06/04 01:44:34 petere Exp $
|
||||
#
|
||||
#-------------------------------------------------------------------------
|
||||
# $Header: /cvsroot/pgsql/src/backend/utils/misc/Makefile,v 1.17 2000/08/25 10:00:31 petere Exp $
|
||||
|
||||
SRCDIR = ../../..
|
||||
include $(SRCDIR)/Makefile.global
|
||||
subdir = src/backend/utils/misc
|
||||
top_builddir = ../../../..
|
||||
include $(top_builddir)/src/Makefile.global
|
||||
|
||||
OBJS = database.o superuser.o guc.o guc-file.o ps_status.o
|
||||
|
||||
# This location might depend on the installation directories. Therefore
|
||||
# we can't subsitute it into config.h.
|
||||
ifdef krb_srvtab
|
||||
CPPFLAGS += -DPG_KRB_SRVTAB='"$(krb_srvtab)"'
|
||||
endif
|
||||
|
||||
|
||||
all: SUBSYS.o
|
||||
|
||||
SUBSYS.o: $(OBJS)
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
* Support for grand unified configuration scheme, including SET
|
||||
* command, configuration file, and command line options.
|
||||
*
|
||||
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.8 2000/08/11 18:31:10 tgl Exp $
|
||||
* $Header: /cvsroot/pgsql/src/backend/utils/misc/guc.c,v 1.9 2000/08/25 10:00:31 petere Exp $
|
||||
*
|
||||
* Copyright 2000 by PostgreSQL Global Development Group
|
||||
* Written by Peter Eisentraut <peter_e@gmx.net>.
|
||||
|
@ -21,6 +21,7 @@
|
|||
#include "utils/guc.h"
|
||||
|
||||
#include "commands/async.h"
|
||||
#include "libpq/auth.h"
|
||||
#include "miscadmin.h"
|
||||
#include "optimizer/cost.h"
|
||||
#include "optimizer/geqo.h"
|
||||
|
@ -54,6 +55,11 @@ bool Show_btree_build_stats = false;
|
|||
|
||||
bool SQL_inheritance = true;
|
||||
|
||||
#ifndef PG_KRB_SRVTAB
|
||||
# define PG_KRB_SRVTAB ""
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
enum config_type
|
||||
{
|
||||
|
@ -113,7 +119,7 @@ struct config_string
|
|||
{
|
||||
const char *name;
|
||||
GucContext context;
|
||||
char *variable;
|
||||
char **variable;
|
||||
const char *default_val;
|
||||
bool (*parse_hook)(const char *);
|
||||
};
|
||||
|
@ -273,7 +279,8 @@ ConfigureNamesReal[] =
|
|||
static struct config_string
|
||||
ConfigureNamesString[] =
|
||||
{
|
||||
/* none so far */
|
||||
{"krb_server_keyfile", PGC_USERSET, &pg_krb_server_keyfile,
|
||||
PG_KRB_SRVTAB, NULL},
|
||||
|
||||
{NULL, 0, NULL, NULL, NULL}
|
||||
};
|
||||
|
@ -323,7 +330,7 @@ find_option(const char * name, struct config_generic ** record)
|
|||
{
|
||||
if (record)
|
||||
*record = (struct config_generic *)&ConfigureNamesString[i];
|
||||
return PGC_REAL;
|
||||
return PGC_STRING;
|
||||
}
|
||||
|
||||
return PGC_NONE;
|
||||
|
@ -349,7 +356,7 @@ ResetAllOptions(void)
|
|||
for (i = 0; ConfigureNamesReal[i].name; i++)
|
||||
*(ConfigureNamesReal[i].variable) = ConfigureNamesReal[i].default_val;
|
||||
|
||||
for (i = 0; ConfigureNamesString[i].name; i++)
|
||||
for (i = 0; ConfigureNamesString[i].name; i++)
|
||||
{
|
||||
char * str = NULL;
|
||||
|
||||
|
@ -359,7 +366,7 @@ ResetAllOptions(void)
|
|||
if (str == NULL)
|
||||
elog(ERROR, "out of memory");
|
||||
}
|
||||
ConfigureNamesString[i].variable = str;
|
||||
*(ConfigureNamesString[i].variable) = str;
|
||||
}
|
||||
|
||||
if (getenv("PGPORT"))
|
||||
|
@ -650,8 +657,8 @@ set_config_option(const char * name, const char * value, GucContext
|
|||
elog(elevel, "out of memory");
|
||||
return false;
|
||||
}
|
||||
free(conf->variable);
|
||||
conf->variable = str;
|
||||
free(*conf->variable);
|
||||
*conf->variable = str;
|
||||
}
|
||||
}
|
||||
else if (DoIt)
|
||||
|
@ -664,8 +671,8 @@ set_config_option(const char * name, const char * value, GucContext
|
|||
elog(elevel, "out of memory");
|
||||
return false;
|
||||
}
|
||||
free(conf->variable);
|
||||
conf->variable = str;
|
||||
free(*conf->variable);
|
||||
*conf->variable = str;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
@ -725,7 +732,7 @@ GetConfigOption(const char * name)
|
|||
return buffer;
|
||||
|
||||
case PGC_STRING:
|
||||
return ((struct config_string *)record)->variable;
|
||||
return *((struct config_string *)record)->variable;
|
||||
|
||||
default:
|
||||
;
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
* Portions Copyright (c) 1996-2000, PostgreSQL, Inc
|
||||
* Portions Copyright (c) 1994, Regents of the University of California
|
||||
*
|
||||
* $Id: auth.h,v 1.13 2000/01/26 05:58:11 momjian Exp $
|
||||
* $Id: auth.h,v 1.14 2000/08/25 10:00:33 petere Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
|
@ -26,4 +26,6 @@ void be_recvauth(Port *port);
|
|||
#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */
|
||||
#define PG_KRB5_VERSION "PGVER5.1"
|
||||
|
||||
extern char * pg_krb_server_keyfile;
|
||||
|
||||
#endif /* AUTH_H */
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
|
||||
*
|
||||
* IDENTIFICATION
|
||||
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.43 2000/06/17 00:10:09 petere Exp $
|
||||
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.44 2000/08/25 10:00:35 petere Exp $
|
||||
*
|
||||
*-------------------------------------------------------------------------
|
||||
*/
|
||||
|
@ -565,41 +565,37 @@ fe_getauthname(char *PQerrormsg)
|
|||
MsgType authsvc;
|
||||
|
||||
authsvc = fe_getauthsvc(PQerrormsg);
|
||||
switch ((int) authsvc)
|
||||
{
|
||||
|
||||
#ifdef KRB4
|
||||
case STARTUP_KRB4_MSG:
|
||||
name = pg_krb4_authname(PQerrormsg);
|
||||
break;
|
||||
if (authsvc == STARTUP_KRB4_MSG)
|
||||
name = pg_krb4_authname(PQerrormsg);
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
case STARTUP_KRB5_MSG:
|
||||
name = pg_krb5_authname(PQerrormsg);
|
||||
break;
|
||||
if (authsvc == STARTUP_KRB5_MSG)
|
||||
name = pg_krb5_authname(PQerrormsg);
|
||||
#endif
|
||||
case STARTUP_MSG:
|
||||
{
|
||||
|
||||
if (authsvc == STARTUP_MSG
|
||||
|| (authsvc == STARTUP_KRB4_MSG && !name)
|
||||
|| (authsvc == STARTUP_KRB5_MSG && !name))
|
||||
{
|
||||
#ifdef WIN32
|
||||
char username[128];
|
||||
DWORD namesize = sizeof(username) - 1;
|
||||
char username[128];
|
||||
DWORD namesize = sizeof(username) - 1;
|
||||
|
||||
if (GetUserName(username, &namesize))
|
||||
name = username;
|
||||
if (GetUserName(username, &namesize))
|
||||
name = username;
|
||||
#else
|
||||
struct passwd *pw = getpwuid(geteuid());
|
||||
struct passwd *pw = getpwuid(geteuid());
|
||||
|
||||
if (pw)
|
||||
name = pw->pw_name;
|
||||
if (pw)
|
||||
name = pw->pw_name;
|
||||
#endif
|
||||
}
|
||||
break;
|
||||
default:
|
||||
(void) sprintf(PQerrormsg,
|
||||
"fe_getauthname: invalid authentication system: %d\n",
|
||||
authsvc);
|
||||
break;
|
||||
}
|
||||
|
||||
if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
|
||||
sprintf(PQerrormsg,"fe_getauthname: invalid authentication system: %d\n", authsvc);
|
||||
|
||||
if (name && (authn = (char *) malloc(strlen(name) + 1)))
|
||||
strcpy(authn, name);
|
||||
return authn;
|
||||
|
|
Loading…
Reference in a new issue