Index: configure.in
===================================================================
RCS file: /projects/cvsroot/pgsql/configure.in,v
retrieving revision 1.412
diff -c -r1.412 configure.in
*** configure.in	4 Jun 2005 20:42:41 -0000	1.412
--- configure.in	21 Jun 2005 20:27:45 -0000
***************
*** 410,428 ****
  AC_SUBST(with_python)
  
  #
- # Kerberos 4
- #
- AC_MSG_CHECKING([whether to build with Kerberos 4 support])
- PGAC_ARG_BOOL(with, krb4, no, [  --with-krb4             build with Kerberos 4 support],
- [
-   AC_DEFINE(KRB4, 1, [Define to build with Kerberos 4 support. (--with-krb4)])
-   krb_srvtab="/etc/srvtab"
- ])
- AC_MSG_RESULT([$with_krb4])
- AC_SUBST(with_krb4)
- 
- 
- #
  # Kerberos 5
  #
  AC_MSG_CHECKING([whether to build with Kerberos 5 support])
--- 410,415 ----
***************
*** 435,445 ****
  AC_SUBST(with_krb5)
  
  
- # Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work.
- if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
-   AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
- fi
- 
  AC_SUBST(krb_srvtab)
  
  
--- 422,427 ----
***************
*** 666,677 ****
  *** Not using spinlocks will cause poor performance.])
  fi
  
- if test "$with_krb4" = yes ; then
-   AC_CHECK_LIB(des, des_encrypt, [], [AC_MSG_ERROR([library 'des' is required for Kerberos 4])])
-   AC_CHECK_LIB(krb, krb_sendauth, [], [AC_MSG_ERROR([library 'krb' is required for Kerberos 4])])
-   AC_REPLACE_FUNCS([gethostname])
- fi
- 
  if test "$with_krb5" = yes ; then
    if test "$PORTNAME" != "win32"; then
       AC_SEARCH_LIBS(com_err, [krb5 'krb5 -ldes -lasn1 -lroken' com_err], [],
--- 648,653 ----
***************
*** 762,771 ****
  Use --without-zlib to disable zlib support.])])
  fi
  
- if test "$with_krb4" = yes ; then
-   AC_CHECK_HEADER(krb.h, [], [AC_MSG_ERROR([header file <krb.h> is required for Kerberos 4])])
- fi
- 
  if test "$with_krb5" = yes ; then
    AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file <krb5.h> is required for Kerberos 5])])
  fi
--- 738,743 ----
Index: doc/TODO
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/TODO,v
retrieving revision 1.1568
diff -c -r1.1568 TODO
*** doc/TODO	18 Jun 2005 01:45:58 -0000	1.1568
--- doc/TODO	21 Jun 2005 20:27:46 -0000
***************
*** 975,981 ****
  * Promote debug_query_string into a server-side function current_query()
  * Allow the identifier length to be increased via a configure option
  * Remove Win32 rename/unlink looping if unnecessary
- * Remove kerberos4 from source tree?
  * Allow cross-compiling by generating the zic database on the target system
  * Improve NLS maintenace of libpgport messages linked onto applications
  * Allow ecpg to work with MSVC and BCC
--- 975,980 ----
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.81
diff -c -r1.81 client-auth.sgml
*** doc/src/sgml/client-auth.sgml	21 Jun 2005 04:02:29 -0000	1.81
--- doc/src/sgml/client-auth.sgml	21 Jun 2005 20:27:46 -0000
***************
*** 327,343 ****
         </varlistentry>
  
         <varlistentry>
-         <term><literal>krb4</></term>
-         <listitem>
-          <para>
-           Use Kerberos V4 to authenticate the user. This is only
-           available for TCP/IP connections.  See <xref
-           linkend="kerberos-auth"> for details.
-          </para>
-         </listitem>
-        </varlistentry>
- 
-        <varlistentry>
          <term><literal>krb5</></term>
          <listitem>
           <para>
--- 327,332 ----
***************
*** 623,633 ****
     </para>
  
     <para>
!     While <productname>PostgreSQL</> supports both Kerberos 4 and 
!     Kerberos 5, only Kerberos 5 is recommended.  Kerberos 4 is
!     considered insecure and no longer recommended for general
!     use. Only one version of Kerberos can be supported in any one
! 		build, and support must be enabled at build time. See
  		<xref linkend="installation"> for more information.
     </para>
  
--- 612,619 ----
     </para>
  
     <para>
!     <productname>PostgreSQL</> supports Kerberos version 5, and it has
! 	to be enabled at build time. See
  		<xref linkend="installation"> for more information.
     </para>
  
***************
*** 669,679 ****
      account.  (See also <xref linkend="postgres-user">.) The location
      of the key file is specified by the <xref
      linkend="guc-krb-server-keyfile"> configuration
!     parameter. The default
!     is <filename>/etc/srvtab</> if you are using Kerberos 4 and
      <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
!     directory was specified as <varname>sysconfdir</> at build time)
!     with Kerberos 5.
     </para>
  
     <para>
--- 655,663 ----
      account.  (See also <xref linkend="postgres-user">.) The location
      of the key file is specified by the <xref
      linkend="guc-krb-server-keyfile"> configuration
!     parameter. The default is
      <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
!     directory was specified as <varname>sysconfdir</> at build time).
     </para>
  
     <para>
Index: doc/src/sgml/installation.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/installation.sgml,v
retrieving revision 1.236
diff -c -r1.236 installation.sgml
*** doc/src/sgml/installation.sgml	21 Jun 2005 04:02:29 -0000	1.236
--- doc/src/sgml/installation.sgml	21 Jun 2005 20:27:46 -0000
***************
*** 795,806 ****
        </varlistentry>
  
        <varlistentry>
-        <term><option>--with-krb4</option></term>
         <term><option>--with-krb5</option></term>
         <listitem>
          <para>
!          Build with support for Kerberos authentication. You can use
!          either Kerberos version 4 or 5, but not both.  On many
           systems, the Kerberos system is not installed in a location
           that is searched by default (e.g., <filename>/usr/include</>,
           <filename>/usr/lib</>), so you must use the options
--- 795,804 ----
        </varlistentry>
  
        <varlistentry>
         <term><option>--with-krb5</option></term>
         <listitem>
          <para>
!          Build with support for Kerberos 5 authentication. On many
           systems, the Kerberos system is not installed in a location
           that is searched by default (e.g., <filename>/usr/include</>,
           <filename>/usr/lib</>), so you must use the options
Index: doc/src/sgml/libpq.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/libpq.sgml,v
retrieving revision 1.186
diff -c -r1.186 libpq.sgml
*** doc/src/sgml/libpq.sgml	21 Jun 2005 04:02:29 -0000	1.186
--- doc/src/sgml/libpq.sgml	21 Jun 2005 20:27:47 -0000
***************
*** 283,289 ****
       <term><literal>krbsrvname</literal></term>
       <listitem>
        <para>
!        Kerberos service name to use when authenticating with Kerberos 4 or 5.
         This must match the service name specified in the server
         configuration for Kerberos authentication to succeed. (See also
  			 <xref linkend="kerberos-auth">.)
--- 283,289 ----
       <term><literal>krbsrvname</literal></term>
       <listitem>
        <para>
!        Kerberos service name to use when authenticating with Kerberos 5.
         This must match the service name specified in the server
         configuration for Kerberos authentication to succeed. (See also
  			 <xref linkend="kerberos-auth">.)
***************
*** 3802,3808 ****
   <primary><envar>PGKRBSRVNAME</envar></primary>
  </indexterm>
  <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
! authenticating with Kerberos 4 or 5.
  </para>
  </listitem>
  <listitem>
--- 3802,3808 ----
   <primary><envar>PGKRBSRVNAME</envar></primary>
  </indexterm>
  <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
! authenticating with Kerberos 5.
  </para>
  </listitem>
  <listitem>
Index: doc/src/sgml/protocol.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/protocol.sgml,v
retrieving revision 1.58
diff -c -r1.58 protocol.sgml
*** doc/src/sgml/protocol.sgml	23 Jan 2005 00:30:18 -0000	1.58
--- doc/src/sgml/protocol.sgml	21 Jun 2005 20:27:47 -0000
***************
*** 265,283 ****
       </varlistentry>
  
       <varlistentry>
-       <term>AuthenticationKerberosV4</term>
-       <listitem>
-        <para>
-         The frontend must now take part in a Kerberos V4
-         authentication dialog (not described here, part of the
-         Kerberos specification) with the server.  If this is
-         successful, the server responds with an AuthenticationOk,
-         otherwise it responds with an ErrorResponse.
-        </para>
-       </listitem>
-      </varlistentry>
- 
-      <varlistentry>
        <term>AuthenticationKerberosV5</term>
        <listitem>
         <para>
--- 265,270 ----
***************
*** 1390,1439 ****
  
  <varlistentry>
  <term>
- AuthenticationKerberosV4 (B)
- </term>
- <listitem>
- <para>
- 
- <variablelist>
- <varlistentry>
- <term>
-         Byte1('R')
- </term>
- <listitem>
- <para>
-                 Identifies the message as an authentication request.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
-         Int32(8)
- </term>
- <listitem>
- <para>
-                 Length of message contents in bytes, including self.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
-         Int32(1)
- </term>
- <listitem>
- <para>
-                 Specifies that Kerberos V4 authentication is required.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </para>
- </listitem>
- </varlistentry>
- 
- 
- <varlistentry>
- <term>
  AuthenticationKerberosV5 (B)
  </term>
  <listitem>
--- 1377,1382 ----
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.125
diff -c -r1.125 auth.c
*** src/backend/libpq/auth.c	14 Jun 2005 17:43:13 -0000	1.125
--- src/backend/libpq/auth.c	21 Jun 2005 20:27:48 -0000
***************
*** 69,151 ****
  								 * into pam_passwd_conv_proc */
  #endif   /* USE_PAM */
  
- #ifdef KRB4
- /*----------------------------------------------------------------
-  * MIT Kerberos authentication system - protocol version 4
-  *----------------------------------------------------------------
-  */
- 
- #include "krb.h"
- 
- /*
-  * pg_krb4_recvauth -- server routine to receive authentication information
-  *					   from the client
-  *
-  * Nothing unusual here, except that we compare the username obtained from
-  * the client's setup packet to the authenticated name.  (We have to retain
-  * the name in the setup packet since we have to retain the ability to handle
-  * unauthenticated connections.)
-  */
- static int
- pg_krb4_recvauth(Port *port)
- {
- 	long		krbopts = 0;	/* one-way authentication */
- 	KTEXT_ST	clttkt;
- 	char		instance[INST_SZ + 1],
- 				version[KRB_SENDAUTH_VLEN + 1];
- 	AUTH_DAT	auth_data;
- 	Key_schedule key_sched;
- 	int			status;
- 
- 	strcpy(instance, "*");		/* don't care, but arg gets expanded
- 								 * anyway */
- 	status = krb_recvauth(krbopts,
- 						  port->sock,
- 						  &clttkt,
- 						  pg_krb_srvnam,
- 						  instance,
- 						  &port->raddr.in,
- 						  &port->laddr.in,
- 						  &auth_data,
- 						  pg_krb_server_keyfile,
- 						  key_sched,
- 						  version);
- 	if (status != KSUCCESS)
- 	{
- 		ereport(LOG,
- 				(errmsg("Kerberos error: %s", krb_err_txt[status])));
- 		return STATUS_ERROR;
- 	}
- 	if (strncmp(version, PG_KRB4_VERSION, KRB_SENDAUTH_VLEN) != 0)
- 	{
- 		ereport(LOG,
- 				(errmsg("unexpected Kerberos protocol version received from client (received \"%s\", expected \"%s\")",
- 						version, PG_KRB4_VERSION)));
- 		return STATUS_ERROR;
- 	}
- 	if (strncmp(port->user_name, auth_data.pname, SM_DATABASE_USER) != 0)
- 	{
- 		ereport(LOG,
- 				(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
- 						port->user_name, auth_data.pname)));
- 		return STATUS_ERROR;
- 	}
- 	return STATUS_OK;
- }
- 
- #else
- 
- static int
- pg_krb4_recvauth(Port *port)
- {
- 	ereport(LOG,
- 			(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- 			 errmsg("Kerberos 4 not implemented on this server")));
- 	return STATUS_ERROR;
- }
- #endif   /* KRB4 */
- 
- 
  #ifdef KRB5
  /*----------------------------------------------------------------
   * MIT Kerberos authentication system - protocol version 5
--- 69,74 ----
***************
*** 252,259 ****
   *					   from the client
   *
   * We still need to compare the username obtained from the client's setup
!  * packet to the authenticated name, as described in pg_krb4_recvauth.	This
!  * is a bit more problematic in v5, as described above in pg_an_to_ln.
   *
   * We have our own keytab file because postgres is unlikely to run as root,
   * and so cannot read the default keytab.
--- 175,181 ----
   *					   from the client
   *
   * We still need to compare the username obtained from the client's setup
!  * packet to the authenticated name.
   *
   * We have our own keytab file because postgres is unlikely to run as root,
   * and so cannot read the default keytab.
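Review bot: The rewritten header comment keeps "We still need to compare the username ..." but drops both things that sentence pointed at. The reason for the comparison was given only in the pg_krb4_recvauth header removed by the first hunk of this file (the setup-packet name is retained so that unauthenticated connections can still be handled), and the caveat referring to pg_an_to_ln is gone as well. Because this comparison is what ties the requested database user to the authenticated Kerberos name, state the reason in place, e.g. `* We compare the user name from the client's setup packet with the authenticated name; the setup-packet name is kept because unauthenticated connections must still be handled.` If pg_an_to_ln still exists in the file (not visible in this diff), keep the pointer to it too. The function this comment belongs to lies outside the hunk.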
***************
*** 380,388 ****
  		case uaReject:
  			errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
  			break;
- 		case uaKrb4:
- 			errstr = gettext_noop("Kerberos 4 authentication failed for user \"%s\"");
- 			break;
  		case uaKrb5:
  			errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
  			break;
--- 302,307 ----
***************
*** 471,487 ****
  				break;
  			}
  
- 		case uaKrb4:
- 			/* Kerberos 4 only seems to work with AF_INET. */
- 			if (port->raddr.addr.ss_family != AF_INET
- 				|| port->laddr.addr.ss_family != AF_INET)
- 				ereport(FATAL,
- 						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- 				   errmsg("Kerberos 4 only supports IPv4 connections")));
- 			sendAuthRequest(port, AUTH_REQ_KRB4);
- 			status = pg_krb4_recvauth(port);
- 			break;
- 
  		case uaKrb5:
  			sendAuthRequest(port, AUTH_REQ_KRB5);
  			status = pg_krb5_recvauth(port);
--- 390,395 ----
Index: src/backend/libpq/hba.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/libpq/hba.c,v
retrieving revision 1.141
diff -c -r1.141 hba.c
*** src/backend/libpq/hba.c	21 Jun 2005 01:20:09 -0000	1.141
--- src/backend/libpq/hba.c	21 Jun 2005 20:27:48 -0000
***************
*** 607,614 ****
  		*userauth_p = uaIdent;
  	else if (strcmp(token, "password") == 0)
  		*userauth_p = uaPassword;
- 	else if (strcmp(token, "krb4") == 0)
- 		*userauth_p = uaKrb4;
  	else if (strcmp(token, "krb5") == 0)
  		*userauth_p = uaKrb5;
  	else if (strcmp(token, "reject") == 0)
--- 607,612 ----
***************
*** 694,701 ****
  			goto hba_syntax;
  
  		/* Disallow auth methods that always need TCP/IP sockets to work */
! 		if (port->auth_method == uaKrb4 ||
! 			port->auth_method == uaKrb5)
  			goto hba_syntax;
  
  		/* Does not match if connection isn't AF_UNIX */
--- 692,698 ----
  			goto hba_syntax;
  
  		/* Disallow auth methods that always need TCP/IP sockets to work */
! 		if (port->auth_method == uaKrb5)
  			goto hba_syntax;
  
  		/* Does not match if connection isn't AF_UNIX */
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.57
diff -c -r1.57 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample	7 Jan 2005 23:59:17 -0000	1.57
--- src/backend/libpq/pg_hba.conf.sample	21 Jun 2005 20:27:48 -0000
***************
*** 35,41 ****
  # an IP address and netmask in separate columns to specify the set of hosts.
  #
  # METHOD can be "trust", "reject", "md5", "crypt", "password",
! # "krb4", "krb5", "ident", or "pam".  Note that "password" sends passwords
  # in clear text; "md5" is preferred since it sends encrypted passwords.
  #
  # OPTION is the ident map or the name of the PAM service, depending on METHOD.
--- 35,41 ----
  # an IP address and netmask in separate columns to specify the set of hosts.
  #
  # METHOD can be "trust", "reject", "md5", "crypt", "password",
! # "krb5", "ident", or "pam".  Note that "password" sends passwords
  # in clear text; "md5" is preferred since it sends encrypted passwords.
  #
  # OPTION is the ident map or the name of the PAM service, depending on METHOD.
Index: src/include/pg_config.h.in
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/pg_config.h.in,v
retrieving revision 1.84
diff -c -r1.84 pg_config.h.in
*** src/include/pg_config.h.in	4 Jun 2005 20:42:42 -0000	1.84
--- src/include/pg_config.h.in	21 Jun 2005 20:27:48 -0000
***************
*** 575,583 ****
  /* Define to the appropriate snprintf format for 64-bit ints, if any. */
  #undef INT64_FORMAT
  
- /* Define to build with Kerberos 4 support. (--with-krb4) */
- #undef KRB4
- 
  /* Define to build with Kerberos 5 support. (--with-krb5) */
  #undef KRB5
  
--- 575,580 ----
Index: src/include/port.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/port.h,v
retrieving revision 1.75
diff -c -r1.75 port.h
*** src/include/port.h	25 May 2005 21:40:41 -0000	1.75
--- src/include/port.h	21 Jun 2005 20:27:48 -0000
***************
*** 267,276 ****
  extern int	isinf(double x);
  #endif
  
- #if !defined(HAVE_GETHOSTNAME) && defined(KRB4)
- extern int	gethostname(char *name, int namelen);
- #endif
- 
  #ifndef HAVE_RINT
  extern double rint(double x);
  #endif
--- 267,272 ----
Index: src/include/libpq/auth.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/libpq/auth.h,v
retrieving revision 1.28
diff -c -r1.28 auth.h
*** src/include/libpq/auth.h	14 Jun 2005 17:43:14 -0000	1.28
--- src/include/libpq/auth.h	21 Jun 2005 20:27:48 -0000
***************
*** 23,30 ****
  
  extern void ClientAuthentication(Port *port);
  
! #define PG_KRB4_VERSION "PGVER4.1"		/* at most KRB_SENDAUTH_VLEN chars */
! #define PG_KRB5_VERSION "PGVER5.1"
  
  extern char *pg_krb_server_keyfile;
  extern char *pg_krb_srvnam;
--- 23,29 ----
  
  extern void ClientAuthentication(Port *port);
  
! #define PG_KRB5_VERSION "PGVER5.1"      /* at most KRB_SENDAUTH_VLEN chars */
  
  extern char *pg_krb_server_keyfile;
  extern char *pg_krb_srvnam;
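Review bot: The comment `/* at most KRB_SENDAUTH_VLEN chars */` has been moved from PG_KRB4_VERSION onto PG_KRB5_VERSION, but within this patch KRB_SENDAUTH_VLEN appears only in the removed Kerberos 4 code (the `version[KRB_SENDAUTH_VLEN + 1]` buffer and the `strncmp` in pg_krb4_recvauth, under `#include "krb.h"`). Whether the Kerberos 5 path has any such length limit is not visible here, so the comment may now document a constraint that no longer applies. I would leave the line as `#define PG_KRB5_VERSION "PGVER5.1"` with no comment, unless a krb5 limit can be named. The same transplanted comment appears on the duplicate define in the second hunk of src/interfaces/libpq/fe-auth.h.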
Index: src/include/libpq/hba.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/libpq/hba.h,v
retrieving revision 1.36
diff -c -r1.36 hba.h
*** src/include/libpq/hba.h	26 Feb 2005 18:43:34 -0000	1.36
--- src/include/libpq/hba.h	21 Jun 2005 20:27:48 -0000
***************
*** 17,23 ****
  typedef enum UserAuth
  {
  	uaReject,
! 	uaKrb4,
  	uaKrb5,
  	uaTrust,
  	uaIdent,
--- 17,23 ----
  typedef enum UserAuth
  {
  	uaReject,
! 	uaKrb4,				/* Not supported any more */
  	uaKrb5,
  	uaTrust,
  	uaIdent,
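Review bot: The new comment on uaKrb4 says the method is unsupported but not why the enumerator is kept. In this patch hba.c stops mapping the "krb4" token to it and both `case uaKrb4:` arms in auth.c are removed, so nothing visible produces or handles the value any more. If it stays only so the following enumerators keep their numbers, say so, e.g. `uaKrb4,				/* no longer supported; kept so later values keep their numbers */`; otherwise delete it. It is also worth confirming that an existing pg_hba.conf line naming krb4 now gets a clear error rather than a silent mismatch, since the final else branch of that token chain is outside the hba.c hunk.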
Index: src/include/libpq/pqcomm.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/libpq/pqcomm.h,v
retrieving revision 1.96
diff -c -r1.96 pqcomm.h
*** src/include/libpq/pqcomm.h	31 Dec 2004 22:03:32 -0000	1.96
--- src/include/libpq/pqcomm.h	21 Jun 2005 20:27:48 -0000
***************
*** 160,166 ****
  /* These are the authentication request codes sent by the backend. */
  
  #define AUTH_REQ_OK			0	/* User is authenticated  */
! #define AUTH_REQ_KRB4		1	/* Kerberos V4 */
  #define AUTH_REQ_KRB5		2	/* Kerberos V5 */
  #define AUTH_REQ_PASSWORD	3	/* Password */
  #define AUTH_REQ_CRYPT		4	/* crypt password */
--- 160,166 ----
  /* These are the authentication request codes sent by the backend. */
  
  #define AUTH_REQ_OK			0	/* User is authenticated  */
! #define AUTH_REQ_KRB4		1	/* Kerberos V4. Not supported any more. */
  #define AUTH_REQ_KRB5		2	/* Kerberos V5 */
  #define AUTH_REQ_PASSWORD	3	/* Password */
  #define AUTH_REQ_CRYPT		4	/* crypt password */
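Review bot: The comment "Not supported any more" on AUTH_REQ_KRB4 does not tell a later maintainer that request code 1 must stay reserved. The define is still live, because fe_sendauth in fe-auth.c keeps a `case AUTH_REQ_KRB4:` that returns "Kerberos 4 authentication not supported", so that a client talking to an older server fails cleanly. The current wording could be read as licence to delete the define or reuse the number for a new method. I would write `#define AUTH_REQ_KRB4		1	/* Kerberos V4; no longer supported, code stays reserved */`.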
Index: src/interfaces/libpq/Makefile
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/Makefile,v
retrieving revision 1.133
diff -c -r1.133 Makefile
*** src/interfaces/libpq/Makefile	29 Apr 2005 14:07:27 -0000	1.133
--- src/interfaces/libpq/Makefile	21 Jun 2005 20:27:49 -0000
***************
*** 53,59 ****
  # Add libraries that libpq depends (or might depend) on into the
  # shared library link.  (The order in which you list them here doesn't
  # matter.)
! SHLIB_LINK += $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS)
  ifeq ($(PORTNAME), win32)
  SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS))
  endif
--- 53,59 ----
  # Add libraries that libpq depends (or might depend) on into the
  # shared library link.  (The order in which you list them here doesn't
  # matter.)
! SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS)
  ifeq ($(PORTNAME), win32)
  SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS))
  endif
Index: src/interfaces/libpq/fe-auth.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v
retrieving revision 1.101
diff -c -r1.101 fe-auth.c
*** src/interfaces/libpq/fe-auth.c	4 Jun 2005 20:42:43 -0000	1.101
--- src/interfaces/libpq/fe-auth.c	21 Jun 2005 20:27:49 -0000
***************
*** 64,70 ****
   */
  
  #define STARTUP_MSG		7		/* Initialise a connection */
! #define STARTUP_KRB4_MSG	10	/* krb4 session follows */
  #define STARTUP_KRB5_MSG	11	/* krb5 session follows */
  #define STARTUP_PASSWORD_MSG	14		/* Password follows */
  
--- 64,70 ----
   */
  
  #define STARTUP_MSG		7		/* Initialise a connection */
! #define STARTUP_KRB4_MSG	10	/* krb4 session follows. Not supported any more. */
  #define STARTUP_KRB5_MSG	11	/* krb5 session follows */
  #define STARTUP_PASSWORD_MSG	14		/* Password follows */
  
***************
*** 87,243 ****
   * isn't any authentication system.
   */
  static const struct authsvc authsvcs[] = {
- #ifdef KRB4
- 	{"krb4", STARTUP_KRB4_MSG, 1},
- 	{"kerberos", STARTUP_KRB4_MSG, 1},
- #endif   /* KRB4 */
  #ifdef KRB5
  	{"krb5", STARTUP_KRB5_MSG, 1},
  	{"kerberos", STARTUP_KRB5_MSG, 1},
  #endif   /* KRB5 */
  	{UNAUTHNAME, STARTUP_MSG,
! #if defined(KRB4) || defined(KRB5)
  		0
! #else							/* !(KRB4 || KRB5) */
  		1
! #endif   /* !(KRB4 || KRB5) */
  	},
  	{"password", STARTUP_PASSWORD_MSG, 0}
  };
  
  static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
  
- #ifdef KRB4
- /*
-  * MIT Kerberos authentication system - protocol version 4
-  */
- 
- #include "krb.h"
- 
- /* for some reason, this is not defined in krb.h ... */
- extern char *tkt_string(void);
- 
- /*
-  * pg_krb4_init -- initialization performed before any Kerberos calls are made
-  *
-  * For v4, all we need to do is make sure the library routines get the right
-  * ticket file if we want them to see a special one.  (They will open the file
-  * themselves.)
-  */
- static void
- pg_krb4_init()
- {
- 	char	   *realm;
- 	static int	init_done = 0;
- 
- 	if (init_done)
- 		return;
- 	init_done = 1;
- 
- 	/*
- 	 * If the user set PGREALM, then we use a ticket file with a special
- 	 * name: <usual-ticket-file-name>@<PGREALM-value>
- 	 */
- 	if ((realm = getenv("PGREALM")))
- 	{
- 		char		tktbuf[MAXPGPATH];
- 
- 		(void) snprintf(tktbuf, sizeof(tktbuf), "%s@%s", tkt_string(), realm);
- 		krb_set_tkt_string(tktbuf);
- 	}
- }
- 
- /*
-  * pg_krb4_authname -- returns a pointer to static space containing whatever
-  *					   name the user has authenticated to the system
-  *
-  * We obtain this information by digging around in the ticket file.
-  */
- static char *
- pg_krb4_authname(char *PQerrormsg)
- {
- 	char		instance[INST_SZ + 1];
- 	char		realm[REALM_SZ + 1];
- 	int			status;
- 	static char name[SNAME_SZ + 1] = "";
- 
- 	if (name[0])
- 		return name;
- 
- 	pg_krb4_init();
- 
- 	name[SNAME_SZ] = '\0';
- 	status = krb_get_tf_fullname(tkt_string(), name, instance, realm);
- 	if (status != KSUCCESS)
- 	{
- 		snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- 				 "pg_krb4_authname: krb_get_tf_fullname: %s\n",
- 				 krb_err_txt[status]);
- 		return NULL;
- 	}
- 	return name;
- }
- 
- /*
-  * pg_krb4_sendauth -- client routine to send authentication information to
-  *					   the server
-  *
-  * This routine does not do mutual authentication, nor does it return enough
-  * information to do encrypted connections.  But then, if we want to do
-  * encrypted connections, we'll have to redesign the whole RPC mechanism
-  * anyway.
-  *
-  * If the user is too lazy to feed us a hostname, we try to come up with
-  * something other than "localhost" since the hostname is used as an
-  * instance and instance names in v4 databases are usually actual hostnames
-  * (canonicalized to omit all domain suffixes).
-  */
- static int
- pg_krb4_sendauth(char *PQerrormsg, int sock,
- 				 struct sockaddr_in * laddr,
- 				 struct sockaddr_in * raddr,
- 				 const char *hostname, 
- 				 const char *servicename)
- {
- 	long		krbopts = 0;	/* one-way authentication */
- 	KTEXT_ST	clttkt;
- 	int			status;
- 	char		hostbuf[MAXHOSTNAMELEN];
- 	const char *realm = getenv("PGREALM");		/* NULL == current realm */
- 
- 	if (!hostname || !(*hostname))
- 	{
- 		if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0)
- 			strcpy(hostbuf, "localhost");
- 		hostname = hostbuf;
- 	}
- 
- 	pg_krb4_init();
- 
- 	status = krb_sendauth(krbopts,
- 						  sock,
- 						  &clttkt,
- 						  servicename,
- 						  hostname,
- 						  realm,
- 						  (u_long) 0,
- 						  NULL,
- 						  NULL,
- 						  NULL,
- 						  laddr,
- 						  raddr,
- 						  PG_KRB4_VERSION);
- 	if (status != KSUCCESS)
- 	{
- 		snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- 				 libpq_gettext("Kerberos 4 error: %s\n"),
- 				 krb_err_txt[status]);
- 		return STATUS_ERROR;
- 	}
- 	return STATUS_OK;
- }
- #endif   /* KRB4 */
- 
  #ifdef KRB5
  /*
   * MIT Kerberos authentication system - protocol version 5
--- 87,108 ----
   * isn't any authentication system.
   */
  static const struct authsvc authsvcs[] = {
  #ifdef KRB5
  	{"krb5", STARTUP_KRB5_MSG, 1},
  	{"kerberos", STARTUP_KRB5_MSG, 1},
  #endif   /* KRB5 */
  	{UNAUTHNAME, STARTUP_MSG,
! #ifdef KRB5
  		0
! #else							/* !KRB5 */
  		1
! #endif   /* !KRB5 */
  	},
  	{"password", STARTUP_PASSWORD_MSG, 0}
  };
  
  static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
  
  #ifdef KRB5
  /*
   * MIT Kerberos authentication system - protocol version 5
***************
*** 597,603 ****
  fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
  			const char *password, char *PQerrormsg)
  {
! #if !defined(KRB4) && !defined(KRB5)
  	(void) hostname;			/* not used */
  #endif
  
--- 462,468 ----
  fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
  			const char *password, char *PQerrormsg)
  {
! #ifndef KRB5
  	(void) hostname;			/* not used */
  #endif
  
***************
*** 607,630 ****
  			break;
  
  		case AUTH_REQ_KRB4:
- #ifdef KRB4
- 			pglock_thread();
- 			if (pg_krb4_sendauth(PQerrormsg, conn->sock,
- 							   (struct sockaddr_in *) & conn->laddr.addr,
- 							   (struct sockaddr_in *) & conn->raddr.addr,
- 								 hostname, conn->krbsrvname) != STATUS_OK)
- 			{
- 				/* PQerrormsg already filled in */
- 				pgunlock_thread();
- 				return STATUS_ERROR;
- 			}
- 			pgunlock_thread();
- 			break;
- #else
  			snprintf(PQerrormsg, PQERRORMSG_LENGTH,
  			 libpq_gettext("Kerberos 4 authentication not supported\n"));
  			return STATUS_ERROR;
- #endif
  
  		case AUTH_REQ_KRB5:
  #ifdef KRB5
--- 472,480 ----
***************
*** 754,770 ****
  
  	pglock_thread();
  
- #ifdef KRB4
- 	if (authsvc == STARTUP_KRB4_MSG)
- 		name = pg_krb4_authname(PQerrormsg);
- #endif
  #ifdef KRB5
  	if (authsvc == STARTUP_KRB5_MSG)
  		name = pg_krb5_authname(PQerrormsg);
  #endif
  
  	if (authsvc == STARTUP_MSG
- 		|| (authsvc == STARTUP_KRB4_MSG && !name)
  		|| (authsvc == STARTUP_KRB5_MSG && !name))
  	{
  #ifdef WIN32
--- 604,615 ----
***************
*** 776,782 ****
  #endif
  	}
  
! 	if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
  		snprintf(PQerrormsg, PQERRORMSG_LENGTH,
  				 libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
  				 authsvc);
--- 621,627 ----
  #endif
  	}
  
! 	if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB5_MSG)
  		snprintf(PQerrormsg, PQERRORMSG_LENGTH,
  				 libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
  				 authsvc);
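Review bot: Once this condition stops naming STARTUP_KRB4_MSG, no use of that macro remains in the new code shown for fe-auth.c: the authsvcs entries and the pg_krb4_authname call are removed in the earlier hunks. The first hunk nevertheless keeps `#define STARTUP_KRB4_MSG	10` with a "Not supported any more" comment. Either drop the define or change its comment to say that value 10 is reserved and why, so it does not read as dead code to be cleaned up. Uses outside the hunks shown here cannot be ruled out, so check with a grep before removing it. The enclosing function fe_getauthname begins and ends outside this hunk.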
Index: src/interfaces/libpq/fe-auth.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.h,v
retrieving revision 1.20
diff -c -r1.20 fe-auth.h
*** src/interfaces/libpq/fe-auth.h	31 Dec 2004 22:03:50 -0000	1.20
--- src/interfaces/libpq/fe-auth.h	21 Jun 2005 20:27:49 -0000
***************
*** 27,37 ****
  #define UNAUTHNAME				"unauth"
  
  /* what a frontend uses by default */
! #if !defined(KRB4) && !defined(KRB5)
  #define DEFAULT_CLIENT_AUTHSVC	UNAUTHNAME
! #else							/* KRB4 || KRB5 */
  #define DEFAULT_CLIENT_AUTHSVC	"kerberos"
! #endif   /* KRB4 || KRB5 */
  
  extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
  			const char *password, char *PQerrormsg);
--- 27,37 ----
  #define UNAUTHNAME				"unauth"
  
  /* what a frontend uses by default */
! #ifndef KRB5
  #define DEFAULT_CLIENT_AUTHSVC	UNAUTHNAME
! #else							/* KRB5 */
  #define DEFAULT_CLIENT_AUTHSVC	"kerberos"
! #endif   /* KRB5 */
  
  extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
  			const char *password, char *PQerrormsg);
***************
*** 39,45 ****
  extern void fe_setauthsvc(const char *name, char *PQerrormsg);
  extern char *fe_getauthname(char *PQerrormsg);
  
! #define PG_KRB4_VERSION "PGVER4.1"		/* at most KRB_SENDAUTH_VLEN chars */
! #define PG_KRB5_VERSION "PGVER5.1"
  
  #endif   /* FE_AUTH_H */
--- 39,44 ----
  extern void fe_setauthsvc(const char *name, char *PQerrormsg);
  extern char *fe_getauthname(char *PQerrormsg);
  
! #define PG_KRB5_VERSION "PGVER5.1"      /* at most KRB_SENDAUTH_VLEN chars */
  
  #endif   /* FE_AUTH_H */
Index: src/interfaces/libpq/fe-connect.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v
retrieving revision 1.312
diff -c -r1.312 fe-connect.c
*** src/interfaces/libpq/fe-connect.c	19 Jun 2005 13:10:55 -0000	1.312
--- src/interfaces/libpq/fe-connect.c	21 Jun 2005 20:27:49 -0000
***************
*** 170,176 ****
  	{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
  	"SSL-Mode", "", 8},			/* sizeof("disable") == 8 */
  
! #if defined(KRB4) || defined(KRB5)
  	/* Kerberos authentication supports specifying the service name */
  	{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
  	 "Kerberos-service-name", "", 20},
--- 170,176 ----
  	{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
  	"SSL-Mode", "", 8},			/* sizeof("disable") == 8 */
  
! #ifdef KRB5
  	/* Kerberos authentication supports specifying the service name */
  	{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
  	 "Kerberos-service-name", "", 20},
***************
*** 401,407 ****
  		conn->sslmode = strdup("require");
  	}
  #endif
! #if defined(KRB4) || defined(KRB5)
  	tmp = conninfo_getval(connOptions, "krbsrvname");
  	conn->krbsrvname = tmp ? strdup(tmp) : NULL;
  #endif
--- 401,407 ----
  		conn->sslmode = strdup("require");
  	}
  #endif
! #ifdef KRB5
  	tmp = conninfo_getval(connOptions, "krbsrvname");
  	conn->krbsrvname = tmp ? strdup(tmp) : NULL;
  #endif
***************
*** 1916,1922 ****
  		free(conn->pgpass);
  	if (conn->sslmode)
  		free(conn->sslmode);
! #if defined(KRB4) || defined(KRB5)
  	if (conn->krbsrvname)
  		free(conn->krbsrvname);
  #endif
--- 1916,1922 ----
  		free(conn->pgpass);
  	if (conn->sslmode)
  		free(conn->sslmode);
! #ifdef KRB5
  	if (conn->krbsrvname)
  		free(conn->krbsrvname);
  #endif
Index: src/interfaces/libpq/libpq-int.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/libpq-int.h,v
retrieving revision 1.103
diff -c -r1.103 libpq-int.h
*** src/interfaces/libpq/libpq-int.h	13 Jun 2005 02:26:53 -0000	1.103
--- src/interfaces/libpq/libpq-int.h	21 Jun 2005 20:27:49 -0000
***************
*** 262,268 ****
  	char	   *pguser;			/* Postgres username and password, if any */
  	char	   *pgpass;
  	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
! #if defined(KRB5) || defined(KRB4)
  	char       *krbsrvname;     /* Kerberos service name */
  #endif
  
--- 262,268 ----
  	char	   *pguser;			/* Postgres username and password, if any */
  	char	   *pgpass;
  	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
! #ifdef KRB5
  	char       *krbsrvname;     /* Kerberos service name */
  #endif
  
