On Sat, Mar 12, 2016 at 5:14 AM, David Steele <da...@pgmasters.net> wrote: > On 1/14/16 11:22 PM, Robert Haas wrote: >> On Tue, Jan 12, 2016 at 2:27 AM, Marisa Emerson <m...@insec.sh> wrote: >>> I've attached the latest version of this patch. I've fixed up an issue with >>> the configuration scripts that I missed. >> Looks reasonable on a quick read-through. Can anyone with access to a >> BSD system review and test? > > Is anyone with access to/experience with BSD able to review and test > this patch? Seems like it would make a great addition to 9.6.
(Disclaimer: I am not a regular OpenBSD user or a security expert.) I tried this out on OpenBSD 5.8 and it works as described, using default "passwd" style authentication. + <note> + <para> + To use BSD Authentication, the postgresql user must first be added + to the <literal>auth</literal> group. + </para> + </note> Our usual wording is "the PostgreSQL user account". Perhaps we should be more explicit about the fact that membership of this Unix group is needed on *OpenBSD*, since other current or future BSD forks could vary. I see that the specific reason this is needed on this OpenBSD 5.8 box is so that it can fork/exec the setuid login_XXX binaries that live under /usr/libexec/auth. auth_userokay is called with a type of "pg-auth". I noticed from looking at man page and source of some other applications that the convention is usually a hardcoded string like "auth-myserver", "auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql") here? And as Peter E already said, that string should probably be documented: it looks a bit like it is useful for allowing the available authentication styles to be restricted or defaulted specifically for PostgreSQL in login.conf based on that string. (Though when I tried to set that up, it seemed to ignore my possibly-incorrectly-specified rule asking it to use "reject" so I may have misunderstood.) The style argument is hard coded as NULL, as I see is the case in some other applications. From the man page: "If style is not NULL, it specifies the desired style of authentication to be used. If it is NULL then the default style for the user is used. In this case, name may include the desired style by appending it to the user's name with a single colon (‘:’) as a separator." I wonder if such user-controllable styles are OK (though I guess would require username mapping to strip them off if we do want that as a feature). I wonder if it should be possible to provide the style argument that we pass to auth_userokay explicitly in pg_hba.conf, so that the DBA could explicitly say BSD auth with style=radius. I also tested on a system with no BSD auth support and configure behaved sensibly with and without the new option ('error: header file <bsd_auth.h> is required for BSD Authentication support'). I tried configuring BSD auth in pg_hba.conf on a system built without the new feature and it behaved sensibly ('invalid authentication method "bsd": not supported by this build'). -- Thomas Munro http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (email@example.com) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers