1 /*-------------------------------------------------------------------------
4 * The front-end (client) authorization routines
6 * Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
9 * NOTE: the error message strings returned by this module must not
10 * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
13 * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.49 2001/08/15 18:42:15 momjian Exp $
15 *-------------------------------------------------------------------------
20 * frontend (client) routines:
21 * fe_sendauth send authentication information
22 * fe_getauthname get user's name according to the client side
23 * of the authentication system
24 * fe_setauthsvc set frontend authentication service
25 * fe_getauthsvc get current frontend authentication service
31 #include "postgres_fe.h"
34 #include "libpq-int.h"
43 #include <sys/param.h> /* for MAXHOSTNAMELEN on most */
44 #ifndef MAXHOSTNAMELEN
45 #include <netdb.h> /* for MAXHOSTNAMELEN on some */
55 /*----------------------------------------------------------------
56 * common definitions for generic fe/be routines
57 *----------------------------------------------------------------
62 char name[NAMEDATALEN]; /* service nickname (for command
64 MsgType msgtype; /* startup packet header type */
65 int allowed; /* initially allowed (before command line
70 * Command-line parsing routines use this structure to map nicknames
71 * onto service types (and the startup packets to use with them).
73 * Programs receiving an authentication request use this structure to
74 * decide which authentication service types are currently permitted.
75 * By default, all authentication systems compiled into the system are
76 * allowed. Unauthenticated connections are disallowed unless there
77 * isn't any authentication system.
79 static const struct authsvc authsvcs[] = {
81 {"krb4", STARTUP_KRB4_MSG, 1},
82 {"kerberos", STARTUP_KRB4_MSG, 1},
85 {"krb5", STARTUP_KRB5_MSG, 1},
86 {"kerberos", STARTUP_KRB5_MSG, 1},
88 {UNAUTHNAME, STARTUP_MSG,
89 #if defined(KRB4) || defined(KRB5)
91 #else /* !(KRB4 || KRB5) */
93 #endif /* !(KRB4 || KRB5) */
95 {"password", STARTUP_PASSWORD_MSG, 0}
98 static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
101 /*----------------------------------------------------------------
102 * MIT Kerberos authentication system - protocol version 4
103 *----------------------------------------------------------------
108 /* for some reason, this is not defined in krb.h ... */
109 extern char *tkt_string(void);
112 * pg_krb4_init -- initialization performed before any Kerberos calls are made
114 * For v4, all we need to do is make sure the library routines get the right
115 * ticket file if we want them to see a special one. (They will open the file
122 static int init_done = 0;
129 * If the user set PGREALM, then we use a ticket file with a special
130 * name: <usual-ticket-file-name>@<PGREALM-value>
132 if ((realm = getenv("PGREALM")))
134 char tktbuf[MAXPGPATH];
136 (void) sprintf(tktbuf, "%s@%s", tkt_string(), realm);
137 krb_set_tkt_string(tktbuf);
142 * pg_krb4_authname -- returns a pointer to static space containing whatever
143 * name the user has authenticated to the system
145 * We obtain this information by digging around in the ticket file.
148 pg_krb4_authname(char *PQerrormsg)
150 char instance[INST_SZ + 1];
151 char realm[REALM_SZ + 1];
153 static char name[SNAME_SZ + 1] = "";
160 name[SNAME_SZ] = '\0';
161 status = krb_get_tf_fullname(tkt_string(), name, instance, realm);
162 if (status != KSUCCESS)
164 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
165 "pg_krb4_authname: krb_get_tf_fullname: %s\n",
166 krb_err_txt[status]);
167 return (char *) NULL;
173 * pg_krb4_sendauth -- client routine to send authentication information to
176 * This routine does not do mutual authentication, nor does it return enough
177 * information to do encrypted connections. But then, if we want to do
178 * encrypted connections, we'll have to redesign the whole RPC mechanism
181 * If the user is too lazy to feed us a hostname, we try to come up with
182 * something other than "localhost" since the hostname is used as an
183 * instance and instance names in v4 databases are usually actual hostnames
184 * (canonicalized to omit all domain suffixes).
187 pg_krb4_sendauth(char *PQerrormsg, int sock,
188 struct sockaddr_in * laddr,
189 struct sockaddr_in * raddr,
190 const char *hostname)
192 long krbopts = 0; /* one-way authentication */
195 char hostbuf[MAXHOSTNAMELEN];
196 const char *realm = getenv("PGREALM"); /* NULL == current realm */
198 if (!hostname || !(*hostname))
200 if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0)
201 strcpy(hostbuf, "localhost");
207 status = krb_sendauth(krbopts,
215 (CREDENTIALS *) NULL,
220 if (status != KSUCCESS)
222 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
223 libpq_gettext("Kerberos 4 error: %s\n"),
224 krb_err_txt[status]);
233 /*----------------------------------------------------------------
234 * MIT Kerberos authentication system - protocol version 5
235 *----------------------------------------------------------------
242 * pg_an_to_ln -- return the local name corresponding to an authentication
245 * XXX Assumes that the first aname component is the user name. This is NOT
246 * necessarily so, since an aname can actually be something out of your
247 * worst X.400 nightmare, like
248 * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
249 * Note that the MIT an_to_ln code does the same thing if you don't
250 * provide an aname mapping database...it may be a better idea to use
251 * krb5_an_to_ln, except that it punts if multiple components are found,
252 * and we can't afford to punt.
255 pg_an_to_ln(char *aname)
259 if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
266 * Various krb5 state which is not connection specfic, and a flag to
267 * indicate whether we have initialised it yet.
269 static int pg_krb5_initialised;
270 static krb5_context pg_krb5_context;
271 static krb5_ccache pg_krb5_ccache;
272 static krb5_principal pg_krb5_client;
273 static char *pg_krb5_name;
277 pg_krb5_init(char *PQerrormsg)
279 krb5_error_code retval;
281 if (pg_krb5_initialised)
284 retval = krb5_init_context(&pg_krb5_context);
287 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
288 "pg_krb5_init: krb5_init_context: %s",
289 error_message(retval));
293 retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
296 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
297 "pg_krb5_init: krb5_cc_default: %s",
298 error_message(retval));
299 krb5_free_context(pg_krb5_context);
303 retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
307 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
308 "pg_krb5_init: krb5_cc_get_principal: %s",
309 error_message(retval));
310 krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
311 krb5_free_context(pg_krb5_context);
315 retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
318 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
319 "pg_krb5_init: krb5_unparse_name: %s",
320 error_message(retval));
321 krb5_free_principal(pg_krb5_context, pg_krb5_client);
322 krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
323 krb5_free_context(pg_krb5_context);
327 pg_krb5_name = pg_an_to_ln(pg_krb5_name);
329 pg_krb5_initialised = 1;
335 * pg_krb5_authname -- returns a pointer to static space containing whatever
336 * name the user has authenticated to the system
339 pg_krb5_authname(char *PQerrormsg)
341 if (pg_krb5_init(PQerrormsg) != STATUS_OK)
349 * pg_krb5_sendauth -- client routine to send authentication information to
353 pg_krb5_sendauth(char *PQerrormsg, int sock,
354 struct sockaddr_in * laddr,
355 struct sockaddr_in * raddr,
356 const char *hostname)
358 krb5_error_code retval;
360 krb5_principal server;
361 krb5_auth_context auth_context = NULL;
362 krb5_error *err_ret = NULL;
365 ret = pg_krb5_init(PQerrormsg);
366 if (ret != STATUS_OK)
369 retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
370 KRB5_NT_SRV_HST, &server);
373 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
374 "pg_krb5_sendauth: krb5_sname_to_principal: %s",
375 error_message(retval));
380 * libpq uses a non-blocking socket. But kerberos needs a blocking
381 * socket, and we have to block somehow to do mutual authentication
382 * anyway. So we temporarily make it blocking.
384 flags = fcntl(sock, F_GETFL);
385 if (flags < 0 || fcntl(sock, F_SETFL, (long) (flags & ~O_NONBLOCK)))
387 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
388 libpq_gettext("could not set socket to blocking mode: %s"), strerror(errno));
389 krb5_free_principal(pg_krb5_context, server);
393 retval = krb5_sendauth(pg_krb5_context, &auth_context,
394 (krb5_pointer) & sock, PG_KRB_SRVNAM,
395 pg_krb5_client, server,
396 AP_OPTS_MUTUAL_REQUIRED,
397 NULL, 0, /* no creds, use ccache instead */
398 pg_krb5_ccache, &err_ret, NULL, NULL);
401 if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
403 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
404 libpq_gettext("Kerberos 5 authentication rejected: %*s"),
405 err_ret->text.length, err_ret->text.data);
409 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
411 error_message(retval));
415 krb5_free_error(pg_krb5_context, err_ret);
420 krb5_free_principal(pg_krb5_context, server);
422 if (fcntl(sock, F_SETFL, (long) flags))
424 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
425 libpq_gettext("could not restore non-blocking mode on socket: %s"),
436 pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
441 /* Encrypt the password if needed. */
446 crypt_pwd = crypt(password, conn->salt);
452 if (!(crypt_pwd = malloc(MD5_PASSWD_LEN+1)) ||
453 !(crypt_pwd2 = malloc(MD5_PASSWD_LEN+1)))
458 if (!EncryptMD5(password, conn->pguser, crypt_pwd2))
464 if (!EncryptMD5(crypt_pwd2 + strlen("md5"), conn->salt,
475 /* discard const so we can assign it */
476 crypt_pwd = (char *)password;
480 ret = pqPacketSend(conn, crypt_pwd, strlen(crypt_pwd) + 1);
481 if (areq == AUTH_REQ_MD5)
487 * fe_sendauth -- client demux routine for outgoing authentication information
490 fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
491 const char *password, char *PQerrormsg)
493 #if !defined(KRB4) && !defined(KRB5)
494 (void) hostname; /* not used */
504 if (pg_krb4_sendauth(PQerrormsg, conn->sock, &conn->laddr.in,
506 hostname) != STATUS_OK)
508 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
509 libpq_gettext("Kerberos 4 authentication failed\n"));
514 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
515 libpq_gettext("Kerberos 4 authentication not supported\n"));
521 if (pg_krb5_sendauth(PQerrormsg, conn->sock, &conn->laddr.in,
523 hostname) != STATUS_OK)
525 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
526 libpq_gettext("Kerberos 5 authentication failed\n"));
531 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
532 libpq_gettext("Kerberos 5 authentication not supported\n"));
536 case AUTH_REQ_PASSWORD:
539 if (password == NULL || *password == '\0')
541 (void) sprintf(PQerrormsg,
542 "fe_sendauth: no password supplied\n");
545 if (pg_password_sendauth(conn, password, areq) != STATUS_OK)
547 (void) sprintf(PQerrormsg,
548 "fe_sendauth: error sending password authentication\n");
553 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
554 libpq_gettext("authentication method %u not supported\n"), areq);
565 * Set/return the authentication service currently selected for use by the
566 * frontend. (You can only use one in the frontend, obviously.)
568 * NB: This is not thread-safe if different threads try to select different
569 * authentication services! It's OK for fe_getauthsvc to select the default,
570 * since that will be the same for all threads, but direct application use
571 * of fe_setauthsvc is not thread-safe. However, use of fe_setauthsvc is
572 * deprecated anyway...
575 static int pg_authsvc = -1;
578 fe_setauthsvc(const char *name, char *PQerrormsg)
582 for (i = 0; i < n_authsvcs; ++i)
583 if (strcmp(name, authsvcs[i].name) == 0)
590 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
591 libpq_gettext("invalid authentication service name \"%s\", ignored"),
598 fe_getauthsvc(char *PQerrormsg)
600 if (pg_authsvc < 0 || pg_authsvc >= n_authsvcs)
601 fe_setauthsvc(DEFAULT_CLIENT_AUTHSVC, PQerrormsg);
602 return authsvcs[pg_authsvc].msgtype;
606 * fe_getauthname -- returns a pointer to dynamic space containing whatever
607 * name the user has authenticated to the system
608 * if there is an error, return the error message in PQerrormsg
611 fe_getauthname(char *PQerrormsg)
613 char *name = (char *) NULL;
614 char *authn = (char *) NULL;
617 authsvc = fe_getauthsvc(PQerrormsg);
620 if (authsvc == STARTUP_KRB4_MSG)
621 name = pg_krb4_authname(PQerrormsg);
624 if (authsvc == STARTUP_KRB5_MSG)
625 name = pg_krb5_authname(PQerrormsg);
628 if (authsvc == STARTUP_MSG
629 || (authsvc == STARTUP_KRB4_MSG && !name)
630 || (authsvc == STARTUP_KRB5_MSG && !name))
634 DWORD namesize = sizeof(username) - 1;
636 if (GetUserName(username, &namesize))
639 struct passwd *pw = getpwuid(geteuid());
646 if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
647 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
648 libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
651 if (name && (authn = (char *) malloc(strlen(name) + 1)))