1 /*-------------------------------------------------------------------------
4 * The front-end (client) authorization routines
6 * Portions Copyright (c) 1996-2004, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
9 * NOTE: the error message strings returned by this module must not
10 * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
13 * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.94 2004/10/16 03:10:17 momjian Exp $
15 *-------------------------------------------------------------------------
20 * frontend (client) routines:
21 * fe_sendauth send authentication information
22 * fe_getauthname get user's name according to the client side
23 * of the authentication system
24 * fe_setauthsvc set frontend authentication service
25 * fe_getauthsvc get current frontend authentication service
31 #include "postgres_fe.h"
39 #include <sys/types.h>
40 #include <sys/param.h> /* for MAXHOSTNAMELEN on most */
41 #include <sys/socket.h>
42 #if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
44 #include <sys/ucred.h>
46 #ifndef MAXHOSTNAMELEN
47 #include <netdb.h> /* for MAXHOSTNAMELEN on some */
57 #include "libpq-int.h"
59 #include "libpq/crypt.h"
63 * common definitions for generic fe/be routines
66 #define STARTUP_MSG 7 /* Initialise a connection */
67 #define STARTUP_KRB4_MSG 10 /* krb4 session follows */
68 #define STARTUP_KRB5_MSG 11 /* krb5 session follows */
69 #define STARTUP_PASSWORD_MSG 14 /* Password follows */
73 const char *name; /* service nickname (for command line) */
74 MsgType msgtype; /* startup packet header type */
75 int allowed; /* initially allowed (before command line
80 * Command-line parsing routines use this structure to map nicknames
81 * onto service types (and the startup packets to use with them).
83 * Programs receiving an authentication request use this structure to
84 * decide which authentication service types are currently permitted.
85 * By default, all authentication systems compiled into the system are
86 * allowed. Unauthenticated connections are disallowed unless there
87 * isn't any authentication system.
89 static const struct authsvc authsvcs[] = {
91 {"krb4", STARTUP_KRB4_MSG, 1},
92 {"kerberos", STARTUP_KRB4_MSG, 1},
95 {"krb5", STARTUP_KRB5_MSG, 1},
96 {"kerberos", STARTUP_KRB5_MSG, 1},
98 {UNAUTHNAME, STARTUP_MSG,
99 #if defined(KRB4) || defined(KRB5)
101 #else /* !(KRB4 || KRB5) */
103 #endif /* !(KRB4 || KRB5) */
105 {"password", STARTUP_PASSWORD_MSG, 0}
108 static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
112 * MIT Kerberos authentication system - protocol version 4
117 /* for some reason, this is not defined in krb.h ... */
118 extern char *tkt_string(void);
121 * pg_krb4_init -- initialization performed before any Kerberos calls are made
123 * For v4, all we need to do is make sure the library routines get the right
124 * ticket file if we want them to see a special one. (They will open the file
131 static int init_done = 0;
138 * If the user set PGREALM, then we use a ticket file with a special
139 * name: <usual-ticket-file-name>@<PGREALM-value>
141 if ((realm = getenv("PGREALM")))
143 char tktbuf[MAXPGPATH];
145 (void) snprintf(tktbuf, sizeof(tktbuf), "%s@%s", tkt_string(), realm);
146 krb_set_tkt_string(tktbuf);
151 * pg_krb4_authname -- returns a pointer to static space containing whatever
152 * name the user has authenticated to the system
154 * We obtain this information by digging around in the ticket file.
157 pg_krb4_authname(char *PQerrormsg)
159 char instance[INST_SZ + 1];
160 char realm[REALM_SZ + 1];
162 static char name[SNAME_SZ + 1] = "";
169 name[SNAME_SZ] = '\0';
170 status = krb_get_tf_fullname(tkt_string(), name, instance, realm);
171 if (status != KSUCCESS)
173 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
174 "pg_krb4_authname: krb_get_tf_fullname: %s\n",
175 krb_err_txt[status]);
182 * pg_krb4_sendauth -- client routine to send authentication information to
185 * This routine does not do mutual authentication, nor does it return enough
186 * information to do encrypted connections. But then, if we want to do
187 * encrypted connections, we'll have to redesign the whole RPC mechanism
190 * If the user is too lazy to feed us a hostname, we try to come up with
191 * something other than "localhost" since the hostname is used as an
192 * instance and instance names in v4 databases are usually actual hostnames
193 * (canonicalized to omit all domain suffixes).
196 pg_krb4_sendauth(char *PQerrormsg, int sock,
197 struct sockaddr_in * laddr,
198 struct sockaddr_in * raddr,
199 const char *hostname)
201 long krbopts = 0; /* one-way authentication */
204 char hostbuf[MAXHOSTNAMELEN];
205 const char *realm = getenv("PGREALM"); /* NULL == current realm */
207 if (!hostname || !(*hostname))
209 if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0)
210 strcpy(hostbuf, "localhost");
216 status = krb_sendauth(krbopts,
229 if (status != KSUCCESS)
231 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
232 libpq_gettext("Kerberos 4 error: %s\n"),
233 krb_err_txt[status]);
242 * MIT Kerberos authentication system - protocol version 5
249 * pg_an_to_ln -- return the local name corresponding to an authentication
252 * XXX Assumes that the first aname component is the user name. This is NOT
253 * necessarily so, since an aname can actually be something out of your
254 * worst X.400 nightmare, like
255 * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
256 * Note that the MIT an_to_ln code does the same thing if you don't
257 * provide an aname mapping database...it may be a better idea to use
258 * krb5_an_to_ln, except that it punts if multiple components are found,
259 * and we can't afford to punt.
262 pg_an_to_ln(char *aname)
266 if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
273 * Various krb5 state which is not connection specific, and a flag to
274 * indicate whether we have initialised it yet.
276 static int pg_krb5_initialised;
277 static krb5_context pg_krb5_context;
278 static krb5_ccache pg_krb5_ccache;
279 static krb5_principal pg_krb5_client;
280 static char *pg_krb5_name;
284 pg_krb5_init(char *PQerrormsg)
286 krb5_error_code retval;
288 if (pg_krb5_initialised)
291 retval = krb5_init_context(&pg_krb5_context);
294 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
295 "pg_krb5_init: krb5_init_context: %s\n",
296 error_message(retval));
300 retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
303 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
304 "pg_krb5_init: krb5_cc_default: %s\n",
305 error_message(retval));
306 krb5_free_context(pg_krb5_context);
310 retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
314 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
315 "pg_krb5_init: krb5_cc_get_principal: %s\n",
316 error_message(retval));
317 krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
318 krb5_free_context(pg_krb5_context);
322 retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
325 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
326 "pg_krb5_init: krb5_unparse_name: %s\n",
327 error_message(retval));
328 krb5_free_principal(pg_krb5_context, pg_krb5_client);
329 krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
330 krb5_free_context(pg_krb5_context);
334 pg_krb5_name = pg_an_to_ln(pg_krb5_name);
336 pg_krb5_initialised = 1;
342 * pg_krb5_authname -- returns a pointer to static space containing whatever
343 * name the user has authenticated to the system
346 pg_krb5_authname(char *PQerrormsg)
348 if (pg_krb5_init(PQerrormsg) != STATUS_OK)
356 * pg_krb5_sendauth -- client routine to send authentication information to
360 pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
362 krb5_error_code retval;
364 krb5_principal server;
365 krb5_auth_context auth_context = NULL;
366 krb5_error *err_ret = NULL;
369 ret = pg_krb5_init(PQerrormsg);
370 if (ret != STATUS_OK)
373 retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
374 KRB5_NT_SRV_HST, &server);
377 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
378 "pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
379 error_message(retval));
384 * libpq uses a non-blocking socket. But kerberos needs a blocking
385 * socket, and we have to block somehow to do mutual authentication
386 * anyway. So we temporarily make it blocking.
388 flags = fcntl(sock, F_GETFL);
389 if (flags < 0 || fcntl(sock, F_SETFL, (long) (flags & ~O_NONBLOCK)))
393 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
394 libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
395 krb5_free_principal(pg_krb5_context, server);
399 retval = krb5_sendauth(pg_krb5_context, &auth_context,
400 (krb5_pointer) & sock, PG_KRB_SRVNAM,
401 pg_krb5_client, server,
402 AP_OPTS_MUTUAL_REQUIRED,
403 NULL, 0, /* no creds, use ccache instead */
404 pg_krb5_ccache, &err_ret, NULL, NULL);
407 if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
409 #if defined(HAVE_KRB5_ERROR_TEXT_DATA)
410 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
411 libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
412 (int) err_ret->text.length, err_ret->text.data);
413 #elif defined(HAVE_KRB5_ERROR_E_DATA)
414 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
415 libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
416 (int) err_ret->e_data->length,
417 (const char *) err_ret->e_data->data);
419 #error "bogus configuration"
424 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
425 "krb5_sendauth: %s\n", error_message(retval));
429 krb5_free_error(pg_krb5_context, err_ret);
434 krb5_free_principal(pg_krb5_context, server);
436 if (fcntl(sock, F_SETFL, (long) flags))
440 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
441 libpq_gettext("could not restore non-blocking mode on socket: %s\n"),
442 pqStrerror(errno, sebuf, sizeof(sebuf)));
451 * Respond to AUTH_REQ_SCM_CREDS challenge.
453 * Note: current backends will not use this challenge if HAVE_GETPEEREID
454 * or SO_PEERCRED is defined, but pre-7.4 backends might, so compile the
458 pg_local_sendauth(char *PQerrormsg, PGconn *conn)
460 #if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || \
461 (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
466 #ifdef HAVE_STRUCT_CMSGCRED
467 /* Prevent padding */
468 char cmsgmem[sizeof(struct cmsghdr) + sizeof(struct cmsgcred)];
470 /* Point to start of first structure */
471 struct cmsghdr *cmsg = (struct cmsghdr *) cmsgmem;
475 * The backend doesn't care what we send here, but it wants exactly
476 * one character to force recvmsg() to block and wait for us.
482 memset(&msg, 0, sizeof(msg));
486 #ifdef HAVE_STRUCT_CMSGCRED
487 /* Create control header, FreeBSD */
488 msg.msg_control = cmsg;
489 msg.msg_controllen = sizeof(cmsgmem);
490 memset(cmsg, 0, sizeof(cmsgmem));
491 cmsg->cmsg_len = sizeof(cmsgmem);
492 cmsg->cmsg_level = SOL_SOCKET;
493 cmsg->cmsg_type = SCM_CREDS;
496 if (sendmsg(conn->sock, &msg, 0) == -1)
500 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
501 "pg_local_sendauth: sendmsg: %s\n",
502 pqStrerror(errno, sebuf, sizeof(sebuf)));
507 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
508 libpq_gettext("SCM_CRED authentication method not supported\n"));
514 pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
519 /* Encrypt the password if needed. */
527 if (!(crypt_pwd = malloc(MD5_PASSWD_LEN + 1)) ||
528 !(crypt_pwd2 = malloc(MD5_PASSWD_LEN + 1)))
533 if (!EncryptMD5(password, conn->pguser,
534 strlen(conn->pguser), crypt_pwd2))
540 if (!EncryptMD5(crypt_pwd2 + strlen("md5"), conn->md5Salt,
541 sizeof(conn->md5Salt), crypt_pwd))
554 StrNCpy(salt, conn->cryptSalt, 3);
555 crypt_pwd = crypt(password, salt);
558 case AUTH_REQ_PASSWORD:
559 /* discard const so we can assign it */
560 crypt_pwd = (char *) password;
565 /* Packet has a message type as of protocol 3.0 */
566 if (PG_PROTOCOL_MAJOR(conn->pversion) >= 3)
567 ret = pqPacketSend(conn, 'p', crypt_pwd, strlen(crypt_pwd) + 1);
569 ret = pqPacketSend(conn, 0, crypt_pwd, strlen(crypt_pwd) + 1);
570 if (areq == AUTH_REQ_MD5)
576 * fe_sendauth -- client demux routine for outgoing authentication information
579 fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
580 const char *password, char *PQerrormsg)
582 #if !defined(KRB4) && !defined(KRB5)
583 (void) hostname; /* not used */
594 if (pg_krb4_sendauth(PQerrormsg, conn->sock,
595 (struct sockaddr_in *) & conn->laddr.addr,
596 (struct sockaddr_in *) & conn->raddr.addr,
597 hostname) != STATUS_OK)
599 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
600 libpq_gettext("Kerberos 4 authentication failed\n"));
607 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
608 libpq_gettext("Kerberos 4 authentication not supported\n"));
615 if (pg_krb5_sendauth(PQerrormsg, conn->sock,
616 hostname) != STATUS_OK)
618 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
619 libpq_gettext("Kerberos 5 authentication failed\n"));
626 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
627 libpq_gettext("Kerberos 5 authentication not supported\n"));
633 case AUTH_REQ_PASSWORD:
634 if (password == NULL || *password == '\0')
636 (void) snprintf(PQerrormsg, PQERRORMSG_LENGTH,
637 PQnoPasswordSupplied);
640 if (pg_password_sendauth(conn, password, areq) != STATUS_OK)
642 (void) snprintf(PQerrormsg, PQERRORMSG_LENGTH,
643 "fe_sendauth: error sending password authentication\n");
648 case AUTH_REQ_SCM_CREDS:
649 if (pg_local_sendauth(PQerrormsg, conn) != STATUS_OK)
654 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
655 libpq_gettext("authentication method %u not supported\n"), areq);
666 * Set/return the authentication service currently selected for use by the
667 * frontend. (You can only use one in the frontend, obviously.)
669 * NB: This is not thread-safe if different threads try to select different
670 * authentication services! It's OK for fe_getauthsvc to select the default,
671 * since that will be the same for all threads, but direct application use
672 * of fe_setauthsvc is not thread-safe. However, use of fe_setauthsvc is
673 * deprecated anyway...
676 static int pg_authsvc = -1;
679 fe_setauthsvc(const char *name, char *PQerrormsg)
683 for (i = 0; i < n_authsvcs; ++i)
684 if (strcmp(name, authsvcs[i].name) == 0)
691 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
692 libpq_gettext("invalid authentication service name \"%s\", ignored\n"),
699 fe_getauthsvc(char *PQerrormsg)
701 if (pg_authsvc < 0 || pg_authsvc >= n_authsvcs)
703 fe_setauthsvc(DEFAULT_CLIENT_AUTHSVC, PQerrormsg);
704 if (pg_authsvc < 0 || pg_authsvc >= n_authsvcs)
706 /* Can only get here if DEFAULT_CLIENT_AUTHSVC is misdefined */
710 return authsvcs[pg_authsvc].msgtype;
714 * fe_getauthname -- returns a pointer to dynamic space containing whatever
715 * name the user has authenticated to the system
716 * if there is an error, return the error message in PQerrormsg
719 fe_getauthname(char *PQerrormsg)
721 const char *name = NULL;
725 authsvc = fe_getauthsvc(PQerrormsg);
727 /* this just guards against broken DEFAULT_CLIENT_AUTHSVC, see above */
729 return NULL; /* leave original error message in place */
733 if (authsvc == STARTUP_KRB4_MSG)
734 name = pg_krb4_authname(PQerrormsg);
737 if (authsvc == STARTUP_KRB5_MSG)
738 name = pg_krb5_authname(PQerrormsg);
741 if (authsvc == STARTUP_MSG
742 || (authsvc == STARTUP_KRB4_MSG && !name)
743 || (authsvc == STARTUP_KRB5_MSG && !name))
747 DWORD namesize = sizeof(username) - 1;
749 if (GetUserName(username, &namesize))
753 struct passwd pwdstr;
754 struct passwd *pw = NULL;
756 if (pqGetpwuid(geteuid(), &pwdstr,
757 pwdbuf, sizeof(pwdbuf), &pw) == 0)
762 if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
763 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
764 libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
767 if (name && (authn = (char *) malloc(strlen(name) + 1)))