--with-tclconfig=DIR tclConfig.sh is in DIR
--with-perl build Perl modules (PL/Perl)
--with-python build Python modules (PL/Python)
- --with-krb4 build with Kerberos 4 support
--with-krb5 build with Kerberos 5 support
--with-krb-srvnam=NAME name of the default service principal in Kerberos [postgres]
--with-pam build with PAM support
echo "${ECHO_T}$with_python" >&6
-#
-# Kerberos 4
-#
-echo "$as_me:$LINENO: checking whether to build with Kerberos 4 support" >&5
-echo $ECHO_N "checking whether to build with Kerberos 4 support... $ECHO_C" >&6
-
-
-
-# Check whether --with-krb4 or --without-krb4 was given.
-if test "${with_krb4+set}" = set; then
- withval="$with_krb4"
-
- case $withval in
- yes)
-
-
-cat >>confdefs.h <<\_ACEOF
-#define KRB4 1
-_ACEOF
-
- krb_srvtab="/etc/srvtab"
-
- ;;
- no)
- :
- ;;
- *)
- { { echo "$as_me:$LINENO: error: no argument expected for --with-krb4 option" >&5
-echo "$as_me: error: no argument expected for --with-krb4 option" >&2;}
- { (exit 1); exit 1; }; }
- ;;
- esac
-
-else
- with_krb4=no
-
-fi;
-
-echo "$as_me:$LINENO: result: $with_krb4" >&5
-echo "${ECHO_T}$with_krb4" >&6
-
-
-
#
# Kerberos 5
#
-# Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work.
-if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
- { { echo "$as_me:$LINENO: error: Kerberos 4 and Kerberos 5 support cannot be combined" >&5
-echo "$as_me: error: Kerberos 4 and Kerberos 5 support cannot be combined" >&2;}
- { (exit 1); exit 1; }; }
-fi
-
*** Not using spinlocks will cause poor performance." >&2;}
fi
-if test "$with_krb4" = yes ; then
-
-echo "$as_me:$LINENO: checking for des_encrypt in -ldes" >&5
-echo $ECHO_N "checking for des_encrypt in -ldes... $ECHO_C" >&6
-if test "${ac_cv_lib_des_des_encrypt+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldes $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char des_encrypt ();
-#ifdef F77_DUMMY_MAIN
-# ifdef __cplusplus
- extern "C"
-# endif
- int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
-des_encrypt ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_des_des_encrypt=yes
-else
- echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-ac_cv_lib_des_des_encrypt=no
-fi
-rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_des_des_encrypt" >&5
-echo "${ECHO_T}$ac_cv_lib_des_des_encrypt" >&6
-if test $ac_cv_lib_des_des_encrypt = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBDES 1
-_ACEOF
-
- LIBS="-ldes $LIBS"
-
-else
- { { echo "$as_me:$LINENO: error: library 'des' is required for Kerberos 4" >&5
-echo "$as_me: error: library 'des' is required for Kerberos 4" >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-
-echo "$as_me:$LINENO: checking for krb_sendauth in -lkrb" >&5
-echo $ECHO_N "checking for krb_sendauth in -lkrb... $ECHO_C" >&6
-if test "${ac_cv_lib_krb_krb_sendauth+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lkrb $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char krb_sendauth ();
-#ifdef F77_DUMMY_MAIN
-# ifdef __cplusplus
- extern "C"
-# endif
- int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
-krb_sendauth ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_krb_krb_sendauth=yes
-else
- echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-ac_cv_lib_krb_krb_sendauth=no
-fi
-rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_krb_krb_sendauth" >&5
-echo "${ECHO_T}$ac_cv_lib_krb_krb_sendauth" >&6
-if test $ac_cv_lib_krb_krb_sendauth = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBKRB 1
-_ACEOF
-
- LIBS="-lkrb $LIBS"
-
-else
- { { echo "$as_me:$LINENO: error: library 'krb' is required for Kerberos 4" >&5
-echo "$as_me: error: library 'krb' is required for Kerberos 4" >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-
-for ac_func in gethostname
-do
-as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_func" >&5
-echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6
-if eval "test \"\${$as_ac_var+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char $ac_func (); below. */
-#include <assert.h>
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char $ac_func ();
-char (*f) ();
-
-#ifdef F77_DUMMY_MAIN
-# ifdef __cplusplus
- extern "C"
-# endif
- int F77_DUMMY_MAIN() { return 1; }
-#endif
-int
-main ()
-{
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_$ac_func) || defined (__stub___$ac_func)
-choke me
-#else
-f = $ac_func;
-#endif
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- eval "$as_ac_var=yes"
-else
- echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-eval "$as_ac_var=no"
-fi
-rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6
-if test `eval echo '${'$as_ac_var'}'` = yes; then
- cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
-_ACEOF
-
-else
- LIBOBJS="$LIBOBJS $ac_func.$ac_objext"
-fi
-done
-
-
-fi
-
if test "$with_krb5" = yes ; then
if test "$PORTNAME" != "win32"; then
echo "$as_me:$LINENO: checking for library containing com_err" >&5
fi
-fi
-
-if test "$with_krb4" = yes ; then
- if test "${ac_cv_header_krb_h+set}" = set; then
- echo "$as_me:$LINENO: checking for krb.h" >&5
-echo $ECHO_N "checking for krb.h... $ECHO_C" >&6
-if test "${ac_cv_header_krb_h+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_krb_h" >&5
-echo "${ECHO_T}$ac_cv_header_krb_h" >&6
-else
- # Is the header compilable?
-echo "$as_me:$LINENO: checking krb.h usability" >&5
-echo $ECHO_N "checking krb.h usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-$ac_includes_default
-#include <krb.h>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_header_compiler=yes
-else
- echo "$as_me: failed program was:" >&5
-cat conftest.$ac_ext >&5
-ac_header_compiler=no
-fi
-rm -f conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-
-# Is the header present?
-echo "$as_me:$LINENO: checking krb.h presence" >&5
-echo $ECHO_N "checking krb.h presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-#line $LINENO "configure"
-#include "confdefs.h"
-#include <krb.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- egrep -v '^ *\+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- ac_header_preproc=yes
-else
- echo "$as_me: failed program was:" >&5
- cat conftest.$ac_ext >&5
- ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-
-# So? What about this header?
-case $ac_header_compiler:$ac_header_preproc in
- yes:no )
- { echo "$as_me:$LINENO: WARNING: krb.h: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: krb.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
- { echo "$as_me:$LINENO: WARNING: krb.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: krb.h: proceeding with the preprocessor's result" >&2;};;
- no:yes )
- { echo "$as_me:$LINENO: WARNING: krb.h: present but cannot be compiled" >&5
-echo "$as_me: WARNING: krb.h: present but cannot be compiled" >&2;}
- { echo "$as_me:$LINENO: WARNING: krb.h: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: krb.h: check for missing prerequisite headers?" >&2;}
- { echo "$as_me:$LINENO: WARNING: krb.h: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: krb.h: proceeding with the preprocessor's result" >&2;};;
-esac
-echo "$as_me:$LINENO: checking for krb.h" >&5
-echo $ECHO_N "checking for krb.h... $ECHO_C" >&6
-if test "${ac_cv_header_krb_h+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_cv_header_krb_h=$ac_header_preproc
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_krb_h" >&5
-echo "${ECHO_T}$ac_cv_header_krb_h" >&6
-
-fi
-if test $ac_cv_header_krb_h = yes; then
- :
-else
- { { echo "$as_me:$LINENO: error: header file <krb.h> is required for Kerberos 4" >&5
-echo "$as_me: error: header file <krb.h> is required for Kerberos 4" >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-
fi
if test "$with_krb5" = yes ; then
s,@with_tcl@,$with_tcl,;t t
s,@with_perl@,$with_perl,;t t
s,@with_python@,$with_python,;t t
-s,@with_krb4@,$with_krb4,;t t
s,@with_krb5@,$with_krb5,;t t
s,@krb_srvtab@,$krb_srvtab,;t t
s,@with_pam@,$with_pam,;t t
s,@python_libdir@,$python_libdir,;t t
s,@python_libspec@,$python_libspec,;t t
s,@python_additional_libs@,$python_additional_libs,;t t
-s,@LIBOBJS@,$LIBOBJS,;t t
s,@HAVE_IPV6@,$HAVE_IPV6,;t t
+s,@LIBOBJS@,$LIBOBJS,;t t
s,@acx_pthread_config@,$acx_pthread_config,;t t
s,@PTHREAD_CC@,$PTHREAD_CC,;t t
s,@PTHREAD_LIBS@,$PTHREAD_LIBS,;t t
dnl Process this file with autoconf to produce a configure script.
-dnl $PostgreSQL: pgsql/configure.in,v 1.412 2005/06/04 20:42:41 momjian Exp $
+dnl $PostgreSQL: pgsql/configure.in,v 1.413 2005/06/27 02:04:23 neilc Exp $
dnl
dnl Developers, please strive to achieve this order:
dnl
AC_MSG_RESULT([$with_python])
AC_SUBST(with_python)
-#
-# Kerberos 4
-#
-AC_MSG_CHECKING([whether to build with Kerberos 4 support])
-PGAC_ARG_BOOL(with, krb4, no, [ --with-krb4 build with Kerberos 4 support],
-[
- AC_DEFINE(KRB4, 1, [Define to build with Kerberos 4 support. (--with-krb4)])
- krb_srvtab="/etc/srvtab"
-])
-AC_MSG_RESULT([$with_krb4])
-AC_SUBST(with_krb4)
-
-
#
# Kerberos 5
#
AC_SUBST(with_krb5)
-# Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work.
-if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
- AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
-fi
-
AC_SUBST(krb_srvtab)
*** Not using spinlocks will cause poor performance.])
fi
-if test "$with_krb4" = yes ; then
- AC_CHECK_LIB(des, des_encrypt, [], [AC_MSG_ERROR([library 'des' is required for Kerberos 4])])
- AC_CHECK_LIB(krb, krb_sendauth, [], [AC_MSG_ERROR([library 'krb' is required for Kerberos 4])])
- AC_REPLACE_FUNCS([gethostname])
-fi
-
if test "$with_krb5" = yes ; then
if test "$PORTNAME" != "win32"; then
AC_SEARCH_LIBS(com_err, [krb5 'krb5 -ldes -lasn1 -lroken' com_err], [],
Use --without-zlib to disable zlib support.])])
fi
-if test "$with_krb4" = yes ; then
- AC_CHECK_HEADER(krb.h, [], [AC_MSG_ERROR([header file <krb.h> is required for Kerberos 4])])
-fi
-
if test "$with_krb5" = yes ; then
AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file <krb5.h> is required for Kerberos 5])])
fi
<!--
-$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.81 2005/06/21 04:02:29 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.82 2005/06/27 02:04:23 neilc Exp $
-->
<chapter id="client-authentication">
</listitem>
</varlistentry>
- <varlistentry>
- <term><literal>krb4</></term>
- <listitem>
- <para>
- Use Kerberos V4 to authenticate the user. This is only
- available for TCP/IP connections. See <xref
- linkend="kerberos-auth"> for details.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term><literal>krb5</></term>
<listitem>
</para>
<para>
- While <productname>PostgreSQL</> supports both Kerberos 4 and
- Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is
- considered insecure and no longer recommended for general
- use. Only one version of Kerberos can be supported in any one
- build, and support must be enabled at build time. See
+ <productname>PostgreSQL</> supports Kerberos version 5, and it has
+ to be enabled at build time. See
<xref linkend="installation"> for more information.
</para>
account. (See also <xref linkend="postgres-user">.) The location
of the key file is specified by the <xref
linkend="guc-krb-server-keyfile"> configuration
- parameter. The default
- is <filename>/etc/srvtab</> if you are using Kerberos 4 and
+ parameter. The default is
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
- directory was specified as <varname>sysconfdir</> at build time)
- with Kerberos 5.
+ directory was specified as <varname>sysconfdir</> at build time).
</para>
<para>
-<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.237 2005/06/21 20:45:43 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/installation.sgml,v 1.238 2005/06/27 02:04:23 neilc Exp $ -->
<chapter id="installation">
<title><![%standalone-include[<productname>PostgreSQL</>]]>
</varlistentry>
<varlistentry>
- <term><option>--with-krb4</option></term>
<term><option>--with-krb5</option></term>
<listitem>
<para>
- Build with support for Kerberos authentication. You can use
- either Kerberos version 4 or 5, but not both. On many
+ Build with support for Kerberos 5 authentication. On many
systems, the Kerberos system is not installed in a location
that is searched by default (e.g., <filename>/usr/include</>,
<filename>/usr/lib</>), so you must use the options
<!--
-$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.187 2005/06/26 19:16:04 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.188 2005/06/27 02:04:24 neilc Exp $
-->
<chapter id="libpq">
<term><literal>krbsrvname</literal></term>
<listitem>
<para>
- Kerberos service name to use when authenticating with Kerberos 4 or 5.
+ Kerberos service name to use when authenticating with Kerberos 5.
This must match the service name specified in the server
configuration for Kerberos authentication to succeed. (See also
<xref linkend="kerberos-auth">.)
<primary><envar>PGKRBSRVNAME</envar></primary>
</indexterm>
<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
-authenticating with Kerberos 4 or 5.
+authenticating with Kerberos 5.
</para>
</listitem>
<listitem>
-<!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.60 2005/06/26 19:16:04 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/protocol.sgml,v 1.61 2005/06/27 02:04:24 neilc Exp $ -->
<chapter id="protocol">
<title>Frontend/Backend Protocol</title>
</listitem>
</varlistentry>
- <varlistentry>
- <term>AuthenticationKerberosV4</term>
- <listitem>
- <para>
- The frontend must now take part in a Kerberos V4
- authentication dialog (not described here, part of the
- Kerberos specification) with the server. If this is
- successful, the server responds with an AuthenticationOk,
- otherwise it responds with an ErrorResponse.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term>AuthenticationKerberosV5</term>
<listitem>
</varlistentry>
-<varlistentry>
-<term>
-AuthenticationKerberosV4 (B)
-</term>
-<listitem>
-<para>
-
-<variablelist>
-<varlistentry>
-<term>
- Byte1('R')
-</term>
-<listitem>
-<para>
- Identifies the message as an authentication request.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
- Int32(8)
-</term>
-<listitem>
-<para>
- Length of message contents in bytes, including self.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry>
-<term>
- Int32(1)
-</term>
-<listitem>
-<para>
- Specifies that Kerberos V4 authentication is required.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-</para>
-</listitem>
-</varlistentry>
-
-
<varlistentry>
<term>
AuthenticationKerberosV5 (B)
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.126 2005/06/27 02:04:24 neilc Exp $
*
*-------------------------------------------------------------------------
*/
* into pam_passwd_conv_proc */
#endif /* USE_PAM */
-#ifdef KRB4
-/*----------------------------------------------------------------
- * MIT Kerberos authentication system - protocol version 4
- *----------------------------------------------------------------
- */
-
-#include "krb.h"
-
-/*
- * pg_krb4_recvauth -- server routine to receive authentication information
- * from the client
- *
- * Nothing unusual here, except that we compare the username obtained from
- * the client's setup packet to the authenticated name. (We have to retain
- * the name in the setup packet since we have to retain the ability to handle
- * unauthenticated connections.)
- */
-static int
-pg_krb4_recvauth(Port *port)
-{
- long krbopts = 0; /* one-way authentication */
- KTEXT_ST clttkt;
- char instance[INST_SZ + 1],
- version[KRB_SENDAUTH_VLEN + 1];
- AUTH_DAT auth_data;
- Key_schedule key_sched;
- int status;
-
- strcpy(instance, "*"); /* don't care, but arg gets expanded
- * anyway */
- status = krb_recvauth(krbopts,
- port->sock,
- &clttkt,
- pg_krb_srvnam,
- instance,
- &port->raddr.in,
- &port->laddr.in,
- &auth_data,
- pg_krb_server_keyfile,
- key_sched,
- version);
- if (status != KSUCCESS)
- {
- ereport(LOG,
- (errmsg("Kerberos error: %s", krb_err_txt[status])));
- return STATUS_ERROR;
- }
- if (strncmp(version, PG_KRB4_VERSION, KRB_SENDAUTH_VLEN) != 0)
- {
- ereport(LOG,
- (errmsg("unexpected Kerberos protocol version received from client (received \"%s\", expected \"%s\")",
- version, PG_KRB4_VERSION)));
- return STATUS_ERROR;
- }
- if (strncmp(port->user_name, auth_data.pname, SM_DATABASE_USER) != 0)
- {
- ereport(LOG,
- (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
- port->user_name, auth_data.pname)));
- return STATUS_ERROR;
- }
- return STATUS_OK;
-}
-
-#else
-
-static int
-pg_krb4_recvauth(Port *port)
-{
- ereport(LOG,
- (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("Kerberos 4 not implemented on this server")));
- return STATUS_ERROR;
-}
-#endif /* KRB4 */
-
-
#ifdef KRB5
/*----------------------------------------------------------------
* MIT Kerberos authentication system - protocol version 5
* from the client
*
* We still need to compare the username obtained from the client's setup
- * packet to the authenticated name, as described in pg_krb4_recvauth. This
- * is a bit more problematic in v5, as described above in pg_an_to_ln.
+ * packet to the authenticated name.
*
* We have our own keytab file because postgres is unlikely to run as root,
* and so cannot read the default keytab.
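Review bot: The shortened comment above pg_krb5_recvauth still says "We still need to compare the username…" but no longer says why; the only explanation was in the pg_krb4_recvauth header this commit deletes (the setup-packet name is retained so unauthenticated connections can still be handled). The edit also drops the pointer to pg_an_to_ln, which warned that mapping the authenticated principal to a local name is the delicate step in v5; if pg_an_to_ln is still in the file (not visible here), that cross-reference is worth keeping. I would word it as `* We compare the user name from the client's setup packet to the authenticated name; the packet name is kept because unauthenticated connections must still be handled.` followed by `* See pg_an_to_ln above for how the Kerberos 5 principal is reduced to that name.` The comment block starts and ends outside the hunk.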
case uaReject:
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
break;
- case uaKrb4:
- errstr = gettext_noop("Kerberos 4 authentication failed for user \"%s\"");
- break;
case uaKrb5:
errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
break;
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name, port->database_name,
- port->ssl ? _("SSL on") : _("SSL off"))));
+ port->ssl ? _("SSL on") : _("SSL off"))));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
- hostinfo, port->user_name, port->database_name)));
+ hostinfo, port->user_name, port->database_name)));
#endif
break;
}
- case uaKrb4:
- /* Kerberos 4 only seems to work with AF_INET. */
- if (port->raddr.addr.ss_family != AF_INET
- || port->laddr.addr.ss_family != AF_INET)
- ereport(FATAL,
- (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("Kerberos 4 only supports IPv4 connections")));
- sendAuthRequest(port, AUTH_REQ_KRB4);
- status = pg_krb4_recvauth(port);
- break;
-
case uaKrb5:
sendAuthRequest(port, AUTH_REQ_KRB5);
status = pg_krb5_recvauth(port);
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.141 2005/06/21 01:20:09 neilc Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.142 2005/06/27 02:04:25 neilc Exp $
*
*-------------------------------------------------------------------------
*/
*userauth_p = uaIdent;
else if (strcmp(token, "password") == 0)
*userauth_p = uaPassword;
- else if (strcmp(token, "krb4") == 0)
- *userauth_p = uaKrb4;
else if (strcmp(token, "krb5") == 0)
*userauth_p = uaKrb5;
else if (strcmp(token, "reject") == 0)
goto hba_syntax;
/* Disallow auth methods that always need TCP/IP sockets to work */
- if (port->auth_method == uaKrb4 ||
- port->auth_method == uaKrb5)
+ if (port->auth_method == uaKrb5)
goto hba_syntax;
/* Does not match if connection isn't AF_UNIX */
# an IP address and netmask in separate columns to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
-# "krb4", "krb5", "ident", or "pam". Note that "password" sends passwords
+# "krb5", "ident", or "pam". Note that "password" sends passwords
# in clear text; "md5" is preferred since it sends encrypted passwords.
#
# OPTION is the ident map or the name of the PAM service, depending on METHOD.
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.28 2005/06/14 17:43:14 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.29 2005/06/27 02:04:25 neilc Exp $
*
*-------------------------------------------------------------------------
*/
extern void ClientAuthentication(Port *port);
-#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */
-#define PG_KRB5_VERSION "PGVER5.1"
+#define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */
extern char *pg_krb_server_keyfile;
extern char *pg_krb_srvnam;
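Review bot: The `/* at most KRB_SENDAUTH_VLEN chars */` comment now sits on PG_KRB5_VERSION, but on this page KRB_SENDAUTH_VLEN is used only by the removed Kerberos 4 code (the `version[KRB_SENDAUTH_VLEN + 1]` buffer and the `strncmp` in pg_krb4_recvauth), and the `#include "krb.h"` that came with that code is removed as well. Unless the Kerberos 5 path enforces the same bound somewhere not shown, the comment sends maintainers looking for a length limit the remaining code may not have. I would leave the line as `#define PG_KRB5_VERSION "PGVER5.1"`, or state the actual constraint from the krb5 code. The same line is added in src/interfaces/libpq/fe-auth.h.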
* Interface to hba.c
*
*
- * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.36 2005/02/26 18:43:34 tgl Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/hba.h,v 1.37 2005/06/27 02:04:25 neilc Exp $
*
*-------------------------------------------------------------------------
*/
typedef enum UserAuth
{
uaReject,
- uaKrb4,
uaKrb5,
uaTrust,
uaIdent,
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.96 2004/12/31 22:03:32 pgsql Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/pqcomm.h,v 1.97 2005/06/27 02:04:26 neilc Exp $
*
*-------------------------------------------------------------------------
*/
/* These are the authentication request codes sent by the backend. */
#define AUTH_REQ_OK 0 /* User is authenticated */
-#define AUTH_REQ_KRB4 1 /* Kerberos V4 */
+#define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */
#define AUTH_REQ_KRB5 2 /* Kerberos V5 */
#define AUTH_REQ_PASSWORD 3 /* Password */
#define AUTH_REQ_CRYPT 4 /* crypt password */
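Review bot: The new comment on AUTH_REQ_KRB4 says the method is unsupported but not that the value has to stay reserved, which is the reason to keep the define at all. libpq's fe_sendauth in this commit still has a `case AUTH_REQ_KRB4:` that fails with "Kerberos 4 authentication not supported", and clients built before this change may still attempt a Kerberos 4 exchange on code 1, so reusing the number for a new method later would be misread by both. I would write `#define AUTH_REQ_KRB4 1 /* Kerberos V4: no longer supported; code reserved, do not reuse */`. The protocol.sgml part of this commit removes the AuthenticationKerberosV4 entry outright, so a one-line "reserved" remark there would keep the protocol documentation in step with this header.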
/* Define to the appropriate snprintf format for 64-bit ints, if any. */
#undef INT64_FORMAT
-/* Define to build with Kerberos 4 support. (--with-krb4) */
-#undef KRB4
-
/* Define to build with Kerberos 5 support. (--with-krb5) */
#undef KRB5
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/include/port.h,v 1.75 2005/05/25 21:40:41 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/port.h,v 1.76 2005/06/27 02:04:25 neilc Exp $
*
*-------------------------------------------------------------------------
*/
extern int isinf(double x);
#endif
-#if !defined(HAVE_GETHOSTNAME) && defined(KRB4)
-extern int gethostname(char *name, int namelen);
-#endif
-
#ifndef HAVE_RINT
extern double rint(double x);
#endif
# Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
# Portions Copyright (c) 1994, Regents of the University of California
#
-# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.133 2005/04/29 14:07:27 momjian Exp $
+# $PostgreSQL: pgsql/src/interfaces/libpq/Makefile,v 1.134 2005/06/27 02:04:26 neilc Exp $
#
#-------------------------------------------------------------------------
# Add libraries that libpq depends (or might depend) on into the
# shared library link. (The order in which you list them here doesn't
# matter.)
-SHLIB_LINK += $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS)
+SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS)
ifeq ($(PORTNAME), win32)
SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS))
endif
* exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.101 2005/06/04 20:42:43 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.102 2005/06/27 02:04:26 neilc Exp $
*
*-------------------------------------------------------------------------
*/
*/
#define STARTUP_MSG 7 /* Initialise a connection */
-#define STARTUP_KRB4_MSG 10 /* krb4 session follows */
+#define STARTUP_KRB4_MSG 10 /* krb4 session follows. Not supported any more. */
#define STARTUP_KRB5_MSG 11 /* krb5 session follows */
#define STARTUP_PASSWORD_MSG 14 /* Password follows */
* isn't any authentication system.
*/
static const struct authsvc authsvcs[] = {
-#ifdef KRB4
- {"krb4", STARTUP_KRB4_MSG, 1},
- {"kerberos", STARTUP_KRB4_MSG, 1},
-#endif /* KRB4 */
#ifdef KRB5
{"krb5", STARTUP_KRB5_MSG, 1},
{"kerberos", STARTUP_KRB5_MSG, 1},
#endif /* KRB5 */
{UNAUTHNAME, STARTUP_MSG,
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
0
-#else /* !(KRB4 || KRB5) */
+#else /* !KRB5 */
1
-#endif /* !(KRB4 || KRB5) */
+#endif /* !KRB5 */
},
{"password", STARTUP_PASSWORD_MSG, 0}
};
static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
-#ifdef KRB4
-/*
- * MIT Kerberos authentication system - protocol version 4
- */
-
-#include "krb.h"
-
-/* for some reason, this is not defined in krb.h ... */
-extern char *tkt_string(void);
-
-/*
- * pg_krb4_init -- initialization performed before any Kerberos calls are made
- *
- * For v4, all we need to do is make sure the library routines get the right
- * ticket file if we want them to see a special one. (They will open the file
- * themselves.)
- */
-static void
-pg_krb4_init()
-{
- char *realm;
- static int init_done = 0;
-
- if (init_done)
- return;
- init_done = 1;
-
- /*
- * If the user set PGREALM, then we use a ticket file with a special
- * name: <usual-ticket-file-name>@<PGREALM-value>
- */
- if ((realm = getenv("PGREALM")))
- {
- char tktbuf[MAXPGPATH];
-
- (void) snprintf(tktbuf, sizeof(tktbuf), "%s@%s", tkt_string(), realm);
- krb_set_tkt_string(tktbuf);
- }
-}
-
-/*
- * pg_krb4_authname -- returns a pointer to static space containing whatever
- * name the user has authenticated to the system
- *
- * We obtain this information by digging around in the ticket file.
- */
-static char *
-pg_krb4_authname(char *PQerrormsg)
-{
- char instance[INST_SZ + 1];
- char realm[REALM_SZ + 1];
- int status;
- static char name[SNAME_SZ + 1] = "";
-
- if (name[0])
- return name;
-
- pg_krb4_init();
-
- name[SNAME_SZ] = '\0';
- status = krb_get_tf_fullname(tkt_string(), name, instance, realm);
- if (status != KSUCCESS)
- {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb4_authname: krb_get_tf_fullname: %s\n",
- krb_err_txt[status]);
- return NULL;
- }
- return name;
-}
-
-/*
- * pg_krb4_sendauth -- client routine to send authentication information to
- * the server
- *
- * This routine does not do mutual authentication, nor does it return enough
- * information to do encrypted connections. But then, if we want to do
- * encrypted connections, we'll have to redesign the whole RPC mechanism
- * anyway.
- *
- * If the user is too lazy to feed us a hostname, we try to come up with
- * something other than "localhost" since the hostname is used as an
- * instance and instance names in v4 databases are usually actual hostnames
- * (canonicalized to omit all domain suffixes).
- */
-static int
-pg_krb4_sendauth(char *PQerrormsg, int sock,
- struct sockaddr_in * laddr,
- struct sockaddr_in * raddr,
- const char *hostname,
- const char *servicename)
-{
- long krbopts = 0; /* one-way authentication */
- KTEXT_ST clttkt;
- int status;
- char hostbuf[MAXHOSTNAMELEN];
- const char *realm = getenv("PGREALM"); /* NULL == current realm */
-
- if (!hostname || !(*hostname))
- {
- if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0)
- strcpy(hostbuf, "localhost");
- hostname = hostbuf;
- }
-
- pg_krb4_init();
-
- status = krb_sendauth(krbopts,
- sock,
- &clttkt,
- servicename,
- hostname,
- realm,
- (u_long) 0,
- NULL,
- NULL,
- NULL,
- laddr,
- raddr,
- PG_KRB4_VERSION);
- if (status != KSUCCESS)
- {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- libpq_gettext("Kerberos 4 error: %s\n"),
- krb_err_txt[status]);
- return STATUS_ERROR;
- }
- return STATUS_OK;
-}
-#endif /* KRB4 */
-
#ifdef KRB5
/*
* MIT Kerberos authentication system - protocol version 5
fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg)
{
-#if !defined(KRB4) && !defined(KRB5)
+#ifndef KRB5
(void) hostname; /* not used */
#endif
break;
case AUTH_REQ_KRB4:
-#ifdef KRB4
- pglock_thread();
- if (pg_krb4_sendauth(PQerrormsg, conn->sock,
- (struct sockaddr_in *) & conn->laddr.addr,
- (struct sockaddr_in *) & conn->raddr.addr,
- hostname, conn->krbsrvname) != STATUS_OK)
- {
- /* PQerrormsg already filled in */
- pgunlock_thread();
- return STATUS_ERROR;
- }
- pgunlock_thread();
- break;
-#else
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("Kerberos 4 authentication not supported\n"));
return STATUS_ERROR;
-#endif
case AUTH_REQ_KRB5:
#ifdef KRB5
pglock_thread();
-#ifdef KRB4
- if (authsvc == STARTUP_KRB4_MSG)
- name = pg_krb4_authname(PQerrormsg);
-#endif
#ifdef KRB5
if (authsvc == STARTUP_KRB5_MSG)
name = pg_krb5_authname(PQerrormsg);
#endif
if (authsvc == STARTUP_MSG
- || (authsvc == STARTUP_KRB4_MSG && !name)
|| (authsvc == STARTUP_KRB5_MSG && !name))
{
#ifdef WIN32
#endif
}
- if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
+ if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB5_MSG)
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
authsvc);
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.h,v 1.20 2004/12/31 22:03:50 pgsql Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.h,v 1.21 2005/06/27 02:04:26 neilc Exp $
*
*-------------------------------------------------------------------------
*/
#define UNAUTHNAME "unauth"
/* what a frontend uses by default */
-#if !defined(KRB4) && !defined(KRB5)
+#ifndef KRB5
#define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME
-#else /* KRB4 || KRB5 */
+#else
#define DEFAULT_CLIENT_AUTHSVC "kerberos"
-#endif /* KRB4 || KRB5 */
+#endif /* KRB5 */
extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg);
extern void fe_setauthsvc(const char *name, char *PQerrormsg);
extern char *fe_getauthname(char *PQerrormsg);
-#define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */
-#define PG_KRB5_VERSION "PGVER5.1"
+#define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */
#endif /* FE_AUTH_H */
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.312 2005/06/19 13:10:55 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.313 2005/06/27 02:04:26 neilc Exp $
*
*-------------------------------------------------------------------------
*/
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
/* Kerberos authentication supports specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
"Kerberos-service-name", "", 20},
conn->sslmode = strdup("require");
}
#endif
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
tmp = conninfo_getval(connOptions, "krbsrvname");
conn->krbsrvname = tmp ? strdup(tmp) : NULL;
#endif
free(conn->pgpass);
if (conn->sslmode)
free(conn->sslmode);
-#if defined(KRB4) || defined(KRB5)
+#ifdef KRB5
if (conn->krbsrvname)
free(conn->krbsrvname);
#endif
* Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
- * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.103 2005/06/13 02:26:53 tgl Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.104 2005/06/27 02:04:26 neilc Exp $
*
*-------------------------------------------------------------------------
*/
char *pguser; /* Postgres username and password, if any */
char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
-#if defined(KRB5) || defined(KRB4)
+#ifdef KRB5
char *krbsrvname; /* Kerberos service name */
#endif