Index: configure
===================================================================
RCS file: /projects/cvsroot/pgsql/configure,v
retrieving revision 1.438
diff -c -r1.438 configure
*** configure 15 May 2005 00:26:17 -0000 1.438
--- configure 22 May 2005 17:40:38 -0000
***************
*** 869,875 ****
--with-python build Python modules (PL/Python)
--with-krb4 build with Kerberos 4 support
--with-krb5 build with Kerberos 5 support
! --with-krb-srvnam=NAME name of the service principal in Kerberos [postgres]
--with-pam build with PAM support
--with-bonjour build with Bonjour support
--with-openssl build with OpenSSL support
--- 869,875 ----
--with-python build Python modules (PL/Python)
--with-krb4 build with Kerberos 4 support
--with-krb5 build with Kerberos 5 support
! --with-krb-srvnam=NAME name of the default service principal in Kerberos [postgres]
--with-pam build with PAM support
--with-bonjour build with Bonjour support
--with-openssl build with OpenSSL support
Index: configure.in
===================================================================
RCS file: /projects/cvsroot/pgsql/configure.in,v
retrieving revision 1.411
diff -c -r1.411 configure.in
*** configure.in 15 May 2005 00:26:18 -0000 1.411
--- configure.in 22 May 2005 17:40:38 -0000
***************
*** 447,457 ****
# Kerberos configuration parameters
#
PGAC_ARG_REQ(with, krb-srvnam,
! [ --with-krb-srvnam=NAME name of the service principal in Kerberos [[postgres]]],
[],
[with_krb_srvnam="postgres"])
AC_DEFINE_UNQUOTED([PG_KRB_SRVNAM], ["$with_krb_srvnam"],
! [Define to the name of the PostgreSQL service principal in Kerberos. (--with-krb-srvnam=NAME)])
#
--- 447,457 ----
# Kerberos configuration parameters
#
PGAC_ARG_REQ(with, krb-srvnam,
! [ --with-krb-srvnam=NAME name of the default service principal in Kerberos [[postgres]]],
[],
[with_krb_srvnam="postgres"])
AC_DEFINE_UNQUOTED([PG_KRB_SRVNAM], ["$with_krb_srvnam"],
! [Define to the name of the default PostgreSQL service principal in Kerberos. (--with-krb-srvnam=NAME)])
#
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.79
diff -c -r1.79 client-auth.sgml
*** doc/src/sgml/client-auth.sgml 27 Apr 2005 20:11:07 -0000 1.79
--- doc/src/sgml/client-auth.sgml 22 May 2005 17:40:38 -0000
***************
*** 617,623 ****
quite complex (yet powerful). The
Kerberos FAQ or
! MIT Project Athena
can be a good starting point for exploration.
Several sources for Kerberos distributions exist.
--- 617,623 ----
quite complex (yet powerful). The
Kerberos FAQ or
! MIT Kerberos page
can be a good starting point for exploration.
Several sources for Kerberos distributions exist.
***************
*** 626,648 ****
While PostgreSQL supports both Kerberos 4 and
Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is
considered insecure and no longer recommended for general
! use.
!
!
!
! In order to use Kerberos, support for it must be
! enabled at build time. See for more
! information. Both Kerberos 4 and 5 are supported, but only one
! version can be supported in any one build.
PostgreSQL operates like a normal Kerberos service.
The name of the service principal is
! servicename/hostname@realm, where
! servicename is postgres (unless a
! different service name was selected at configure time with
! ./configure --with-krb-srvnam=whatever).
hostname is the fully qualified host name of the
server machine. The service principal's realm is the preferred realm
of the server machine.
--- 626,654 ----
While PostgreSQL supports both Kerberos 4 and
Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is
considered insecure and no longer recommended for general
! use. Only one version of Kerberos can be supported in any one
! build, and support must be enabled at build time. See
! for more information.
PostgreSQL operates like a normal Kerberos service.
The name of the service principal is
! servicename/hostname@realm.
!
!
! servicename can be set on the server side using the
! configuration parameter, and on the
! client side using the krbsrvname connection parameter. (See also .). The installation default can be changed from the default
! postgres at build time using
! ./configure --with-krb-srvnam=whatever). In most environments,
! this parameter never needs to be changed. However, to support multiple
! PostgreSQL installations on the same host it is necessary.
! Some Kerberos implementations may also require a different service name,
! such as Microsoft Active Directory which requires the service name
! to be in uppercase (POSTGRES).
!
! hostname is the fully qualified host name of the
server machine. The service principal's realm is the preferred realm
of the server machine.
***************
*** 658,669 ****
! Make sure that your server key file is readable (and preferably
only readable) by the PostgreSQL server
account. (See also .) The location
of the key file is specified by the configuration
! parameter. (See also .) The default
is /etc/srvtab if you are using Kerberos 4 and
/usr/local/pgsql/etc/krb5.keytab (or whichever
directory was specified as sysconfdir at build time)
--- 664,675 ----
! Make sure that your server keytab file is readable (and preferably
only readable) by the PostgreSQL server
account. (See also .) The location
of the key file is specified by the configuration
! parameter. The default
is /etc/srvtab if you are using Kerberos 4 and
/usr/local/pgsql/etc/krb5.keytab (or whichever
directory was specified as sysconfdir at build time)
***************
*** 671,682 ****
! To generate the keytab file, use for example (with version 5)
kadmin% ank -randkey postgres/server.my.domain.org
kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org
- Read the Kerberos documentation for details.
--- 677,689 ----
! The keytab file is generated in the Kerberos system, see the
! Kerberos documentation for details. The following example is
! for MIT-compatible Kerberos 5 implementations:
kadmin% ank -randkey postgres/server.my.domain.org
kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org
Index: doc/src/sgml/installation.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/installation.sgml,v
retrieving revision 1.233
diff -c -r1.233 installation.sgml
*** doc/src/sgml/installation.sgml 15 May 2005 00:26:18 -0000 1.233
--- doc/src/sgml/installation.sgml 22 May 2005 17:40:38 -0000
***************
*** 816,823 ****
! The name of the Kerberos service principal.
! postgres is the default. There's probably no
reason to change this.
--- 816,823 ----
! The default name of the Kerberos service principal.
! postgres is the default. There's usually no
reason to change this.
Index: doc/src/sgml/libpq.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/libpq.sgml,v
retrieving revision 1.180
diff -c -r1.180 libpq.sgml
*** doc/src/sgml/libpq.sgml 26 Feb 2005 18:39:04 -0000 1.180
--- doc/src/sgml/libpq.sgml 22 May 2005 17:40:39 -0000
***************
*** 280,285 ****
--- 280,297 ----
+ krbsrvname
+
+
+ Kerberos service name to use when authenticating with Kerberos 4 or 5.
+ This must match the service name specified in the server
+ configuration for Kerberos authentication to succeed. (See also
+ .)
+
+
+
+
+ service
***************
*** 3771,3776 ****
--- 3783,3797 ----
+ PGKRBSRVNAME
+
+ PGKRBSRVNAME sets the Kerberos service name to use when
+ authenticating with Kerberos 4 or 5.
+
+
+
+
+ PGCONNECT_TIMEOUTPGCONNECT_TIMEOUT sets the maximum number of seconds
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/runtime.sgml,v
retrieving revision 1.320
diff -c -r1.320 runtime.sgml
*** doc/src/sgml/runtime.sgml 20 May 2005 14:53:25 -0000 1.320
--- doc/src/sgml/runtime.sgml 22 May 2005 17:40:39 -0000
***************
*** 955,965 ****
Sets the location of the Kerberos server key file. See
! for details.
db_user_namespace (boolean)
--- 955,993 ----
Sets the location of the Kerberos server key file. See
! for details. This parameter
! can only be set at server start.
+
+ krb_srvname (string)
+
+ krb_srvname configuration parameter
+
+
+
+ Sets the Kerberos service name. See
+ for details. This parameter can only be set at server start.
+
+
+
+
+
+ krb_caseins_users (boolean)
+
+ krb_caseins_users configuration parameter
+
+
+
+ Sets if Kerberos usernames should be treated case-insensitive.
+ The default is off (case sensitive). This parameter can only be
+ set at server start.
+
+
+
+
db_user_namespace (boolean)
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.123
diff -c -r1.123 auth.c
*** src/backend/libpq/auth.c 22 Feb 2005 04:35:57 -0000 1.123
--- src/backend/libpq/auth.c 22 May 2005 17:40:39 -0000
***************
*** 41,46 ****
--- 41,48 ----
static int recv_and_check_password_packet(Port *port);
char *pg_krb_server_keyfile;
+ char *pg_krb_srvnam;
+ bool pg_krb_caseins_users;
#ifdef USE_PAM
#ifdef HAVE_PAM_PAM_APPL_H
***************
*** 99,105 ****
status = krb_recvauth(krbopts,
port->sock,
&clttkt,
! PG_KRB_SRVNAM,
instance,
&port->raddr.in,
&port->laddr.in,
--- 101,107 ----
status = krb_recvauth(krbopts,
port->sock,
&clttkt,
! pg_krb_srvnam,
instance,
&port->raddr.in,
&port->laddr.in,
***************
*** 219,234 ****
return STATUS_ERROR;
}
! retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
KRB5_NT_SRV_HST, &pg_krb5_server);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
! PG_KRB_SRVNAM, retval)));
com_err("postgres", retval,
"while getting server principal for service \"%s\"",
! PG_KRB_SRVNAM);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
--- 221,236 ----
return STATUS_ERROR;
}
! retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
KRB5_NT_SRV_HST, &pg_krb5_server);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
! pg_krb_srvnam, retval)));
com_err("postgres", retval,
"while getting server principal for service \"%s\"",
! pg_krb_srvnam);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
***************
*** 264,270 ****
return ret;
retval = krb5_recvauth(pg_krb5_context, &auth_context,
! (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
if (retval)
{
--- 266,272 ----
return ret;
retval = krb5_recvauth(pg_krb5_context, &auth_context,
! (krb5_pointer) & port->sock, "postgres",
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
if (retval)
{
***************
*** 303,309 ****
}
kusername = pg_an_to_ln(kusername);
! if (strncmp(port->user_name, kusername, SM_DATABASE_USER))
{
ereport(LOG,
(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
--- 305,315 ----
}
kusername = pg_an_to_ln(kusername);
! if (pg_krb_caseins_users)
! ret = strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
! else
! ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
! if (ret)
{
ereport(LOG,
(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
Index: src/backend/utils/misc/guc.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/utils/misc/guc.c,v
retrieving revision 1.262
diff -c -r1.262 guc.c
*** src/backend/utils/misc/guc.c 15 May 2005 00:26:19 -0000 1.262
--- src/backend/utils/misc/guc.c 22 May 2005 17:40:40 -0000
***************
*** 63,68 ****
--- 63,71 ----
#ifndef PG_KRB_SRVTAB
#define PG_KRB_SRVTAB ""
#endif
+ #ifndef PG_KRB_SRVNAM
+ #define PG_KRB_SRVNAM ""
+ #endif
#define CONFIG_FILENAME "postgresql.conf"
#define HBA_FILENAME "pg_hba.conf"
***************
*** 860,865 ****
--- 863,877 ----
#endif
},
+ {
+ {"krb_caseins_users", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets if Kerberos user names should be treated case insensitive."),
+ NULL
+ },
+ &pg_krb_caseins_users,
+ false, NULL, NULL
+ },
+
/* End-of-list marker */
{
{NULL, 0, 0, NULL, NULL}, NULL, false, NULL, NULL
***************
*** 1573,1578 ****
--- 1585,1599 ----
},
{
+ {"krb_srvname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets the name of the Kerberos service."),
+ NULL
+ },
+ &pg_krb_srvnam,
+ PG_KRB_SRVNAM, NULL, NULL
+ },
+
+ {
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."),
NULL
Index: src/include/libpq/auth.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/libpq/auth.h,v
retrieving revision 1.26
diff -c -r1.26 auth.h
*** src/include/libpq/auth.h 31 Dec 2004 22:03:32 -0000 1.26
--- src/include/libpq/auth.h 22 May 2005 17:40:40 -0000
***************
*** 27,31 ****
--- 27,33 ----
#define PG_KRB5_VERSION "PGVER5.1"
extern char *pg_krb_server_keyfile;
+ extern char *pg_krb_srvnam;
+ extern bool pg_krb_caseins_users;
#endif /* AUTH_H */
Index: src/interfaces/libpq/fe-auth.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v
retrieving revision 1.100
diff -c -r1.100 fe-auth.c
*** src/interfaces/libpq/fe-auth.c 25 Mar 2005 00:34:28 -0000 1.100
--- src/interfaces/libpq/fe-auth.c 22 May 2005 17:40:40 -0000
***************
*** 196,202 ****
pg_krb4_sendauth(char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
! const char *hostname)
{
long krbopts = 0; /* one-way authentication */
KTEXT_ST clttkt;
--- 196,203 ----
pg_krb4_sendauth(char *PQerrormsg, int sock,
struct sockaddr_in * laddr,
struct sockaddr_in * raddr,
! const char *hostname,
! const char *servicename)
{
long krbopts = 0; /* one-way authentication */
KTEXT_ST clttkt;
***************
*** 216,222 ****
status = krb_sendauth(krbopts,
sock,
&clttkt,
! PG_KRB_SRVNAM,
hostname,
realm,
(u_long) 0,
--- 217,223 ----
status = krb_sendauth(krbopts,
sock,
&clttkt,
! servicename,
hostname,
realm,
(u_long) 0,
***************
*** 260,265 ****
--- 261,270 ----
* provide an aname mapping database...it may be a better idea to use
* krb5_an_to_ln, except that it punts if multiple components are found,
* and we can't afford to punt.
+ *
+ * For WIN32, convert username to lowercase because the Win32 kerberos library
+ * generates tickets with the username as the user entered it instead of as
+ * it is entered in the directory.
*/
static char *
pg_an_to_ln(char *aname)
***************
*** 268,273 ****
--- 273,283 ----
if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
*p = '\0';
+ #ifdef WIN32
+ for (p = aname; *p ; p++)
+ *p = pg_tolower(*p);
+ #endif
+
return aname;
}
***************
*** 360,366 ****
* the server
*/
static int
! pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
{
krb5_error_code retval;
int ret;
--- 370,376 ----
* the server
*/
static int
! pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *servicename)
{
krb5_error_code retval;
int ret;
***************
*** 379,385 ****
if (ret != STATUS_OK)
return ret;
! retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
KRB5_NT_SRV_HST, &server);
if (retval)
{
--- 389,395 ----
if (ret != STATUS_OK)
return ret;
! retval = krb5_sname_to_principal(pg_krb5_context, hostname, servicename,
KRB5_NT_SRV_HST, &server);
if (retval)
{
***************
*** 405,411 ****
}
retval = krb5_sendauth(pg_krb5_context, &auth_context,
! (krb5_pointer) & sock, PG_KRB_SRVNAM,
pg_krb5_client, server,
AP_OPTS_MUTUAL_REQUIRED,
NULL, 0, /* no creds, use ccache instead */
--- 415,421 ----
}
retval = krb5_sendauth(pg_krb5_context, &auth_context,
! (krb5_pointer) & sock, "postgres",
pg_krb5_client, server,
AP_OPTS_MUTUAL_REQUIRED,
NULL, 0, /* no creds, use ccache instead */
***************
*** 602,608 ****
if (pg_krb4_sendauth(PQerrormsg, conn->sock,
(struct sockaddr_in *) & conn->laddr.addr,
(struct sockaddr_in *) & conn->raddr.addr,
! hostname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
--- 612,618 ----
if (pg_krb4_sendauth(PQerrormsg, conn->sock,
(struct sockaddr_in *) & conn->laddr.addr,
(struct sockaddr_in *) & conn->raddr.addr,
! hostname, conn->krbsrvname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
***************
*** 620,626 ****
#ifdef KRB5
pglock_thread();
if (pg_krb5_sendauth(PQerrormsg, conn->sock,
! hostname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
--- 630,636 ----
#ifdef KRB5
pglock_thread();
if (pg_krb5_sendauth(PQerrormsg, conn->sock,
! hostname, conn->krbsrvname) != STATUS_OK)
{
/* PQerrormsg already filled in */
pgunlock_thread();
Index: src/interfaces/libpq/fe-connect.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v
retrieving revision 1.306
diff -c -r1.306 fe-connect.c
*** src/interfaces/libpq/fe-connect.c 5 May 2005 16:40:42 -0000 1.306
--- src/interfaces/libpq/fe-connect.c 22 May 2005 17:40:40 -0000
***************
*** 170,175 ****
--- 170,181 ----
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
+ #if defined(KRB4) || defined(KRB5)
+ /* Kerberos authentication supports specifying the service name */
+ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
+ "Kerberos-service-name", "", 20},
+ #endif
+
/* Terminating entry --- MUST BE LAST */
{NULL, NULL, NULL, NULL,
NULL, NULL, 0}
***************
*** 393,398 ****
--- 399,408 ----
conn->sslmode = strdup("require");
}
#endif
+ #if defined(KRB4) || defined(KRB5)
+ tmp = conninfo_getval(connOptions, "krbsrvname");
+ conn->krbsrvname = tmp ? strdup(tmp) : NULL;
+ #endif
/*
* Free the option info - all is in conn now
***************
*** 2074,2079 ****
--- 2084,2093 ----
free(conn->pgpass);
if (conn->sslmode)
free(conn->sslmode);
+ #if defined(KRB4) || defined(KRB5)
+ if (conn->krbsrvname)
+ free(conn->krbsrvname);
+ #endif
/* Note that conn->Pfdebug is not ours to close or free */
notify = conn->notifyHead;
while (notify != NULL)
Index: src/interfaces/libpq/libpq-int.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/libpq-int.h,v
retrieving revision 1.100
diff -c -r1.100 libpq-int.h
*** src/interfaces/libpq/libpq-int.h 6 Jan 2005 00:59:47 -0000 1.100
--- src/interfaces/libpq/libpq-int.h 22 May 2005 17:40:40 -0000
***************
*** 261,266 ****
--- 261,269 ----
char *pguser; /* Postgres username and password, if any */
char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+ #if defined(KRB5) || defined(KRB4)
+ char *krbsrvname; /* Kerberos service name */
+ #endif
/* Optional file to write trace info to */
FILE *Pfdebug;