*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.45 2000/05/27 03:39:31 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.46 2000/05/27 03:58:19 momjian Exp $
*
*-------------------------------------------------------------------------
*/
*----------------------------------------------------------------
*/
-#include <krb5.h>
-#include <com_err.h>
+#include "krb5/krb5.h"
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
return aname;
}
-
-/*
- * Various krb5 state which is not connection specfic, and a flag to
- * indicate whether we have initialised it yet.
- */
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_keytab pg_krb5_keytab;
-static krb5_principal pg_krb5_server;
-
-
-static int
-pg_krb5_init(void)
-{
- krb5_error_code retval;
-
- if (pg_krb5_initialised)
- return STATUS_OK;
-
- retval = krb5_init_context(&pg_krb5_context);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_init: krb5_init_context returned"
- " Kerberos error %d\n", retval);
- com_err("postgres", retval, "while initializing krb5");
- return STATUS_ERROR;
- }
-
- retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_init: krb5_kt_resolve returned"
- " Kerberos error %d\n", retval);
- com_err("postgres", retval, "while resolving keytab file %s",
- PG_KRB_SRVTAB);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
- KRB5_NT_SRV_HST, &pg_krb5_server);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_init: krb5_sname_to_principal returned"
- " Kerberos error %d\n", retval);
- com_err("postgres", retval,
- "while getting server principal for service %s",
- PG_KRB_SRVTAB);
- krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- pg_krb5_initialised = 1;
- return STATUS_OK;
-}
-
-
/*
* pg_krb5_recvauth -- server routine to receive authentication information
* from the client
* packet to the authenticated name, as described in pg_krb4_recvauth. This
* is a bit more problematic in v5, as described above in pg_an_to_ln.
*
- * We have our own keytab file because postgres is unlikely to run as root,
- * and so cannot read the default keytab.
+ * In addition, as described above in pg_krb5_sendauth, we still need to
+ * canonicalize the server name v4-style before constructing a principal
+ * from it. Again, this is kind of iffy.
+ *
+ * Finally, we need to tangle with the fact that v5 doesn't let you explicitly
+ * set server keytab file names -- you have to feed lower-level routines a
+ * function to retrieve the contents of a keytab, along with a single argument
+ * that allows them to open the keytab. We assume that a server keytab is
+ * always a real file so we can allow people to specify their own filenames.
+ * (This is important because the POSTGRES keytab needs to be readable by
+ * non-root users/groups; the v4 tools used to force you do dump a whole
+ * host's worth of keys into a file, effectively forcing you to use one file,
+ * but kdb5_edit allows you to select which principals to dump. Yay!)
*/
static int
pg_krb5_recvauth(Port *port)
{
- krb5_error_code retval;
- int ret;
- krb5_auth_context auth_context = NULL;
- krb5_ticket *ticket;
- char *kusername;
-
- ret = pg_krb5_init();
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_recvauth(pg_krb5_context, &auth_context,
- (krb5_pointer)&port->sock, PG_KRB_SRVNAM,
- pg_krb5_server, 0, pg_krb5_keytab, &ticket);
- if (retval) {
+ char servbuf[MAXHOSTNAMELEN + 1 +
+ sizeof(PG_KRB_SRVNAM)];
+ char *hostp,
+ *kusername = (char *) NULL;
+ krb5_error_code code;
+ krb5_principal client,
+ server;
+ krb5_address sender_addr;
+ krb5_rdreq_key_proc keyproc = (krb5_rdreq_key_proc) NULL;
+ krb5_pointer keyprocarg = (krb5_pointer) NULL;
+
+ /*
+ * Set up server side -- since we have no ticket file to make this
+ * easy, we construct our own name and parse it. See note on
+ * canonicalization above.
+ */
+ strcpy(servbuf, PG_KRB_SRVNAM);
+ *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
+ if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
+ strcpy(hostp, "localhost");
+ if (hostp = strchr(hostp, '.'))
+ *hostp = '\0';
+ if (code = krb5_parse_name(servbuf, &server))
+ {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_recvauth: Kerberos error %d in krb5_parse_name\n", code);
+ com_err("pg_krb5_recvauth", code, "in krb5_parse_name");
+ return STATUS_ERROR;
+ }
+
+ /*
+ * krb5_sendauth needs this to verify the address in the client
+ * authenticator.
+ */
+ sender_addr.addrtype = port->raddr.in.sin_family;
+ sender_addr.length = sizeof(port->raddr.in.sin_addr);
+ sender_addr.contents = (krb5_octet *) & (port->raddr.in.sin_addr);
+
+ if (strcmp(PG_KRB_SRVTAB, ""))
+ {
+ keyproc = krb5_kt_read_service_key;
+ keyprocarg = PG_KRB_SRVTAB;
+ }
+
+ if (code = krb5_recvauth((krb5_pointer) & port->sock,
+ PG_KRB5_VERSION,
+ server,
+ &sender_addr,
+ (krb5_pointer) NULL,
+ keyproc,
+ keyprocarg,
+ (char *) NULL,
+ (krb5_int32 *) NULL,
+ &client,
+ (krb5_ticket **) NULL,
+ (krb5_authenticator **) NULL))
+ {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: krb5_recvauth returned"
- " Kerberos error %d\n", retval);
- com_err("postgres", retval, "from krb5_recvauth");
+ "pg_krb5_recvauth: Kerberos error %d in krb5_recvauth\n", code);
+ com_err("pg_krb5_recvauth", code, "in krb5_recvauth");
+ krb5_free_principal(server);
return STATUS_ERROR;
- }
+ }
+ krb5_free_principal(server);
/*
* The "client" structure comes out of the ticket and is therefore
* authenticated. Use it to check the username obtained from the
* postmaster startup packet.
- *
- * I have no idea why this is considered necessary.
*/
- retval = krb5_unparse_name(pg_krb5_context,
- ticket->enc_part2->client, &kusername);
- if (retval) {
+ if ((code = krb5_unparse_name(client, &kusername)))
+ {
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: krb5_unparse_name returned"
- " Kerberos error %d\n", retval);
- com_err("postgres", retval, "while unparsing client name");
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
+ "pg_krb5_recvauth: Kerberos error %d in krb5_unparse_name\n", code);
+ com_err("pg_krb5_recvauth", code, "in krb5_unparse_name");
+ krb5_free_principal(client);
+ return STATUS_ERROR;
+ }
+ krb5_free_principal(client);
+ if (!kusername)
+ {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_recvauth: could not decode username\n");
+ fputs(PQerrormsg, stderr);
+ pqdebug("%s", PQerrormsg);
return STATUS_ERROR;
}
-
kusername = pg_an_to_ln(kusername);
- if (strncmp(port->user, kusername, SM_USER))
+ if (strncmp(username, kusername, SM_USER))
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_recvauth: user name \"%s\" != krb5 name \"%s\"\n",
- port->user, kusername);
- ret = STATUS_ERROR;
+ "pg_krb5_recvauth: name \"%s\" != \"%s\"\n", port->user, kusername);
+ fputs(PQerrormsg, stderr);
+ pqdebug("%s", PQerrormsg);
+ pfree(kusername);
+ return STATUS_ERROR;
}
- else
- ret = STATUS_OK;
-
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- free(kusername);
-
- return ret;
+ pfree(kusername);
+ return STATUS_OK;
}
#else
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.40 2000/05/27 03:39:33 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.41 2000/05/27 03:58:20 momjian Exp $
*
*-------------------------------------------------------------------------
*/
#include "win32.h"
#else
#include <unistd.h>
-#include <fcntl.h>
#include <sys/param.h> /* for MAXHOSTNAMELEN on most */
#ifndef MAXHOSTNAMELEN
#include <netdb.h> /* for MAXHOSTNAMELEN on some */
*----------------------------------------------------------------
*/
-#include <krb5.h>
-#include <com_err.h>
+#include "krb5/krb5.h"
/*
* pg_an_to_ln -- return the local name corresponding to an authentication
* and we can't afford to punt.
*/
static char *
-pg_an_to_ln(char *aname)
+pg_an_to_ln(const char *aname)
{
char *p;
/*
- * Various krb5 state which is not connection specfic, and a flag to
- * indicate whether we have initialised it yet.
+ * pg_krb5_init -- initialization performed before any Kerberos calls are made
+ *
+ * With v5, we can no longer set the ticket (credential cache) file name;
+ * we now have to provide a file handle for the open (well, "resolved")
+ * ticket file everywhere.
+ *
*/
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_ccache pg_krb5_ccache;
-static krb5_principal pg_krb5_client;
-static char *pg_krb5_name;
-
-
static int
-pg_krb5_init(char *PQerrormsg)
+ krb5_ccache
+pg_krb5_init(void)
{
- krb5_error_code retval;
+ krb5_error_code code;
+ char *realm,
+ *defname;
+ char tktbuf[MAXPGPATH];
+ static krb5_ccache ccache = (krb5_ccache) NULL;
- if (pg_krb5_initialised)
- return STATUS_OK;
+ if (ccache)
+ return ccache;
- retval = krb5_init_context(&pg_krb5_context);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_init: krb5_init_context: %s",
- error_message(retval));
- return STATUS_ERROR;
+ /*
+ * If the user set PGREALM, then we use a ticket file with a special
+ * name: <usual-ticket-file-name>@<PGREALM-value>
+ */
+ if (!(defname = krb5_cc_default_name()))
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_init: krb5_cc_default_name failed\n");
+ return (krb5_ccache) NULL;
+ }
+ strcpy(tktbuf, defname);
+ if (realm = getenv("PGREALM"))
+ {
+ strcat(tktbuf, "@");
+ strcat(tktbuf, realm);
}
- retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_init: krb5_cc_default: %s",
- error_message(retval));
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
- &pg_krb5_client);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_init: krb5_cc_get_principal: %s",
- error_message(retval));
- krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_init: krb5_unparse_name: %s",
- error_message(retval));
- krb5_free_principal(pg_krb5_context, pg_krb5_client);
- krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- pg_krb5_name = pg_an_to_ln(pg_krb5_name);
-
- pg_krb5_initialised = 1;
- return STATUS_OK;
+ if (code = krb5_cc_resolve(tktbuf, &ccache))
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_init: Kerberos error %d in krb5_cc_resolve\n", code);
+ com_err("pg_krb5_init", code, "in krb5_cc_resolve");
+ return (krb5_ccache) NULL;
+ }
+ return ccache;
}
-
/*
* pg_krb5_authname -- returns a pointer to static space containing whatever
* name the user has authenticated to the system
- */
+ *
+ * We obtain this information by digging around in the ticket file.
+ */
static const char *
-pg_krb5_authname(char *PQerrormsg)
+pg_krb5_authname(const char *PQerrormsg)
{
- if (pg_krb5_init(PQerrormsg) != STATUS_OK)
- return NULL;
+ krb5_ccache ccache;
+ krb5_principal principal;
+ krb5_error_code code;
+ static char *authname = (char *) NULL;
- return pg_krb5_name;
-}
+ if (authname)
+ return authname;
+ ccache = pg_krb5_init(); /* don't free this */
+
+ if (code = krb5_cc_get_principal(ccache, &principal))
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_authname: Kerberos error %d in krb5_cc_get_principal\n", code);
+ com_err("pg_krb5_authname", code, "in krb5_cc_get_principal");
+ return (char *) NULL;
+ }
+ if (code = krb5_unparse_name(principal, &authname))
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_authname: Kerberos error %d in krb5_unparse_name\n", code);
+ com_err("pg_krb5_authname", code, "in krb5_unparse_name");
+ krb5_free_principal(principal);
+ return (char *) NULL;
+ }
+ krb5_free_principal(principal);
+ return pg_an_to_ln(authname);
+}
/*
* pg_krb5_sendauth -- client routine to send authentication information to
* the server
+ *
+ * This routine does not do mutual authentication, nor does it return enough
+ * information to do encrypted connections. But then, if we want to do
+ * encrypted connections, we'll have to redesign the whole RPC mechanism
+ * anyway.
+ *
+ * Server hostnames are canonicalized v4-style, i.e., all domain suffixes
+ * are simply chopped off. Hence, we are assuming that you've entered your
+ * server instances as
+ * <value-of-PG_KRB_SRVNAM>/<canonicalized-hostname>
+ * in the PGREALM (or local) database. This is probably a bad assumption.
*/
static int
-pg_krb5_sendauth(char *PQerrormsg, int sock,
+pg_krb5_sendauth(const char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
const char *hostname)
{
- krb5_error_code retval;
- int ret;
- krb5_principal server;
- krb5_auth_context auth_context = NULL;
- krb5_error *err_ret = NULL;
- int flags;
-
- ret = pg_krb5_init(PQerrormsg);
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
- KRB5_NT_SRV_HST, &server);
- if (retval) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_sendauth: krb5_sname_to_principal: %s",
- error_message(retval));
+ char servbuf[MAXHOSTNAMELEN + 1 +
+ sizeof(PG_KRB_SRVNAM)];
+ const char *hostp;
+ const char *realm;
+ krb5_error_code code;
+ krb5_principal client,
+ server;
+ krb5_ccache ccache;
+ krb5_error *error = (krb5_error *) NULL;
+
+ ccache = pg_krb5_init(); /* don't free this */
+
+ /*
+ * set up client -- this is easy, we can get it out of the ticket
+ * file.
+ */
+ if (code = krb5_cc_get_principal(ccache, &client))
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_sendauth: Kerberos error %d in krb5_cc_get_principal\n", code);
+ com_err("pg_krb5_sendauth", code, "in krb5_cc_get_principal");
return STATUS_ERROR;
}
- /*
- * libpq uses a non-blocking socket. But kerberos needs a blocking
- * socket, and we have to block somehow to do mutual authentication
- * anyway. So we temporarily make it blocking.
+ /*
+ * set up server -- canonicalize as described above
*/
- flags = fcntl(sock, F_GETFL);
- if (flags < 0 || fcntl(sock, F_SETFL, (long)(flags & ~O_NONBLOCK))) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_sendauth: fcntl: %s", strerror(errno));
- krb5_free_principal(pg_krb5_context, server);
+ strcpy(servbuf, PG_KRB_SRVNAM);
+ *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
+ if (hostname || *hostname)
+ strncpy(++hostp, hostname, MAXHOSTNAMELEN);
+ else
+ {
+ if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
+ strcpy(hostp, "localhost");
+ }
+ if (hostp = strchr(hostp, '.'))
+ *hostp = '\0';
+ if (realm = getenv("PGREALM"))
+ {
+ strcat(servbuf, "@");
+ strcat(servbuf, realm);
+ }
+ if (code = krb5_parse_name(servbuf, &server))
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_sendauth: Kerberos error %d in krb5_parse_name\n", code);
+ com_err("pg_krb5_sendauth", code, "in krb5_parse_name");
+ krb5_free_principal(client);
return STATUS_ERROR;
}
- retval = krb5_sendauth(pg_krb5_context, &auth_context,
- (krb5_pointer) &sock, PG_KRB_SRVNAM,
- pg_krb5_client, server,
- AP_OPTS_MUTUAL_REQUIRED,
- NULL, 0, /* no creds, use ccache instead */
- pg_krb5_ccache, &err_ret, NULL, NULL);
- if (retval) {
- if (retval == KRB5_SENDAUTH_REJECTED && err_ret) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_sendauth: authentication rejected: \"%*s\"",
- err_ret->text.length, err_ret->text.data);
+ /*
+ * The only thing we want back from krb5_sendauth is an error status
+ * and any error messages.
+ */
+ if (code = krb5_sendauth((krb5_pointer) & sock,
+ PG_KRB5_VERSION,
+ client,
+ server,
+ (krb5_flags) 0,
+ (krb5_checksum *) NULL,
+ (krb5_creds *) NULL,
+ ccache,
+ (krb5_int32 *) NULL,
+ (krb5_keyblock **) NULL,
+ &error,
+ (krb5_ap_rep_enc_part **) NULL))
+ {
+ if ((code == KRB5_SENDAUTH_REJECTED) && error)
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_sendauth: authentication rejected: \"%*s\"\n",
+ error->text.length, error->text.data);
}
- else {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_sendauth: krb5_sendauth: %s",
- error_message(retval));
+ else
+ {
+ (void) sprintf(PQerrormsg,
+ "pg_krb5_sendauth: Kerberos error %d in krb5_sendauth\n", code);
+ com_err("pg_krb5_sendauth", code, "in krb5_sendauth");
}
-
- if (err_ret)
- krb5_free_error(pg_krb5_context, err_ret);
-
- ret = STATUS_ERROR;
- }
-
- krb5_free_principal(pg_krb5_context, server);
-
- if (fcntl(sock, F_SETFL, (long)flags)) {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb5_sendauth: fcntl: %s", strerror(errno));
- ret = STATUS_ERROR;
}
-
- return ret;
+ krb5_free_principal(client);
+ krb5_free_principal(server);
+ return code ? STATUS_ERROR : STATUS_OK;
}
#endif /* KRB5 */
projects / postgresql / commitdiff