Re: [HACKERS] Proposal: BSD Authentication support

2016-03-18 Thread Marisa Emerson

>Our usual wording is "the PostgreSQL user account". Perhaps we should 
>be more explicit about the fact that membership of this Unix group is 
>needed on *OpenBSD*, since other current or future BSD forks could 
>vary. I see that the specific reason this is needed on this OpenBSD 
>5.8 box is so that it can fork/exec the setuid login_XXX binaries that 
>live under /usr/libexec/auth. 

The BSD Authentication framework currently only exists on OpenBSD. I've added 
some explicit documentation that this mechanism is currently only supported on 
OpenBSD and I've tried to be a bit more explicit about the auth group as 
suggested by Peter.

>auth_userokay is called with a type of "pg-auth". I noticed from 
>looking at man page and source of some other applications that the 
>convention is usually a hardcoded string like "auth-myserver", 
>"auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps 
>we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql") 
>here? And as Peter E already said, that string should probably be 
>documented: it looks a bit like it is useful for allowing the 
>available authentication styles to be restricted or defaulted 
>specifically for PostgreSQL in login.conf based on that string. 
>(Though when I tried to set that up, it seemed to ignore my 
>possibly-incorrectly-specified rule asking it to use "reject" so I may 
>have misunderstood.) 

This is correct, although so far I've only tested using the default login 
class. The attached patch includes some more explicit documentation about this 
string. 

>The style argument is hard coded as NULL, as I see is the case in some 
>other applications. From the man page: "If style is not NULL, it 
>specifies the desired style of authentication to be used. If it is 
>NULL then the default style for the user is used. In this case, name 
>may include the desired style by appending it to the user's name with 
>a single colon (‘:’) as a separator." I wonder if such 
>user-controllable styles are OK (though I guess would require username 
>mapping to strip them off if we do want that as a feature). I wonder 
>if it should be possible to provide the style argument that we pass to 
>auth_userokay explicitly in pg_hba.conf, so that the DBA could 
>explicitly say BSD auth with style=radius. 

I've so far only tested passwd authentication. I'd be interested to test some 
of the other authentication styles, I think this would be a useful feature.


bsd_auth.patch
Description: Binary data

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
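As an added illustration of the style question raised in the quoted review above (not code from the patch or from PostgreSQL), this is how a backend could refuse a client-selected style before calling auth_userokay(3); the hba_style parameter, the 64-byte name buffer and the "auth-postgresql" type string are assumptions.

```c
/* Added example, not from the patch or PostgreSQL: choose what to pass to
 * auth_userokay(3). With a NULL style, BSD Auth lets the name carry the style
 * as "user:style", so forwarding the client's name verbatim lets it pick it. */
#include <stddef.h>
#include <string.h>
#ifdef HAVE_BSD_AUTH_H
#include <bsd_auth.h>                 /* OpenBSD only */
#endif

#define PG_BSD_AUTH_TYPE "auth-postgresql"   /* type string (assumed) */

typedef enum { BSD_STYLE_OK, BSD_STYLE_REJECTED } bsd_style_rc;

/* hba_style:   style fixed by the DBA in pg_hba.conf (hypothetical "style="
 *              option) or NULL for the user's login.conf default.
 * client_name: user name exactly as the client sent it.
 * Any ':' is refused: OpenBSD login names cannot contain one, and with a
 * NULL style it would let the client select the authentication style. */
bsd_style_rc
resolve_bsd_style(const char *hba_style, const char *client_name,
                  char *out_name, size_t out_len, const char **out_style)
{
    size_t      len = strlen(client_name);
    if (len == 0 || len >= out_len || strchr(client_name, ':') != NULL)
        return BSD_STYLE_REJECTED;

    memcpy(out_name, client_name, len + 1);
    *out_style = hba_style;          /* NULL: default style from login.conf */
    return BSD_STYLE_OK;
}

/* 1 = authenticated, 0 = bad credentials, -1 = refused before calling libc */
int
pg_bsd_checkpass(const char *hba_style, const char *client_name,
                 const char *password)
{
    char        name[64];
    const char *style;
    if (resolve_bsd_style(hba_style, client_name, name, sizeof name,
                          &style) != BSD_STYLE_OK)
        return -1;
#ifdef HAVE_BSD_AUTH_H
    return auth_userokay(name, (char *) style, PG_BSD_AUTH_TYPE, (char *) password);
#else
    (void) password;
    return -1;                       /* BSD Auth exists only on OpenBSD */
#endif
}
```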


Re: [HACKERS] Proposal: BSD Authentication support

2016-01-11 Thread Marisa Emerson
I've attached the latest version of this patch. I've fixed up an issue 
with the configuration scripts that I missed.


On 08/01/16 12:40, Marisa Emerson wrote:

There's a port for PAM, but we would prefer to use BSD Auth as it's quite
a lot cleaner and is standard on OpenBSD.

I've attached an updated patch that includes documentation. It has been
tested against OpenBSD 5.8. I'll add this thread to the commitfest.

On 07/01/16 23:26, Greg Stark wrote:

This sounds like a sensible thing to me. I'm actually surprised, it
sounds like something we would have already seen. Do some people just
use PAM on OpenBSD? Are both supported?

You should add the patch to https://commitfest.postgresql.org to
ensure it doesn't slip through the cracks. It's too late for January
though there's nothing stopping people from commenting on or even
committing patches outside the commitfest.

diff --git a/configure b/configure
index 5772d0e..84c1c3e 100755
--- a/configure
+++ b/configure
@@ -826,6 +826,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1514,6 +1515,7 @@ Optional Packages:
   --with-krb-srvnam=NAME  default service principal name in Kerberos (GSSAPI)
   [postgres]
   --with-pam  build with PAM support
+  --with-bsd-auth build with BSD Authentication support
   --with-ldap build with LDAP support
   --with-bonjour  build with Bonjour support
   --with-openssl  build with OpenSSL support
@@ -5557,6 +5559,41 @@ $as_echo "$with_pam" >&6; }
 
 
 #
+# BSD AUTH
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD support" >&5
+$as_echo_n "checking whether to build with BSD support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+  withval=$with_bsd_auth;
+  case $withval in
+yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+  ;;
+no)
+  :
+  ;;
+*)
+  as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+  ;;
+  esac
+
+else
+  with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd_auth" >&5
+$as_echo "$with_bsd_auth" >&6; }
+
+
+#
 # LDAP
 #
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5
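Review bot: the checking message in this hunk says "checking whether to build with BSD support", while the option name, the help text (`--with-bsd-auth build with BSD Authentication support`) and the neighbouring PAM and LDAP blocks all name the feature in full; "BSD support" reads as if it were about the platform, so "BSD Authentication support" fits better. Since configure is generated, the wording change belongs in configure.in and this file should be regenerated from there.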
@@ -10475,6 +10512,23 @@ done
 
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  for ac_header in bsd_auth.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BSD_AUTH_H 1
+_ACEOF
+
+else
+  as_fn_error $? "header file  is required for BSD Authentication support" "$LINENO" 5
+fi
+
+done
+
+fi
+
 if test "$with_libxml" = yes ; then
   ac_fn_c_check_header_mongrel "$LINENO" "libxml/parser.h" "ac_cv_header_libxml_parser_h" "$ac_includes_default"
 if test "x$ac_cv_header_libxml_parser_h" = xyes; then :
diff --git a/configure.in b/configure.in
index 44f832f..8eb98a8 100644
--- a/configure.in
+++ b/configure.in
@@ -663,6 +663,16 @@ AC_MSG_RESULT([$with_pam])
 
 
 #
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+  [build with BSD Authentication support],
+  [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd_auth])
+
+
+#
 # LDAP
 #
 AC_MSG_CHECKING([whether to build with LDAP support])
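Review bot: AC_MSG_CHECKING([whether to build with BSD support]) and the AC_DEFINE comment "Define to 1 to build with BSD support" should both say "BSD Authentication support", matching the PGAC_ARG_BOOL description between them and the PAM/LDAP messages; as written the configure output and pg_config.h comment suggest platform support rather than the authentication method.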
@@ -1249,6 +1259,10 @@ if test "$with_pam" = yes ; then
  [AC_MSG_ERROR([header file  or  is required for PAM.])])])
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  AC_CHECK_HEADERS(bsd_auth.h, [], [AC_MSG_ERROR([header file  is required for BSD Authentication support])])
+fi
+
 if test "$with_libxml" = yes ; then
   AC_CHECK_HEADER(libxml/parser.h, [], [AC_MSG_ERROR([header file  is required for XML support])])
 fi
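Review bot: the AC_MSG_ERROR text in this hunk reads "header file  is required for BSD Authentication support", with nothing between "file" and "is"; the PAM error line shown as context above has the same gap, so this may be the archive dropping angle-bracketed text, but please confirm the committed message actually names bsd_auth.h so a failed configure tells the builder what is missing.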
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..ffb5178 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -522,6 +522,17 @@ hostnossl  database  user
  
 

+
+   
+ bsd
+ 
+  
+   Authenticate using BSD Authentication (BSD Auth) provided
+   by the operating system. See 
+   for details.
+  
+ 
+   
   
 
   
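Review bot: in the new `bsd` entry the sentence "See for details." shows no cross-reference target; make sure the xref resolves to the new "BSD Authentication" section so that the method list links to it the way the other entries do, and verify the markup builds, since the tags are not visible in this rendering.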
@@ -1647,6 +1658,30 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub";
   

Re: [HACKERS] Proposal: BSD Authentication support

2016-01-07 Thread Marisa Emerson
There's a port for PAM, but we would prefer to use BSD Auth as it's quite 
a lot cleaner and is standard on OpenBSD.


I've attached an updated patch that includes documentation. It has been 
tested against OpenBSD 5.8. I'll add this thread to the commitfest.


On 07/01/16 23:26, Greg Stark wrote:

This sounds like a sensible thing to me. I'm actually surprised, it
sounds like something we would have already seen. Do some people just
use PAM on OpenBSD? Are both supported?

You should add the patch to https://commitfest.postgresql.org to
ensure it doesn't slip through the cracks. It's too late for January
though there's nothing stopping people from commenting on or even
committing patches outside the commitfest.

diff --git a/configure b/configure
index 5772d0e..c982e2b 100755
--- a/configure
+++ b/configure
@@ -826,6 +826,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1514,6 +1515,7 @@ Optional Packages:
   --with-krb-srvnam=NAME  default service principal name in Kerberos (GSSAPI)
   [postgres]
   --with-pam  build with PAM support
+  --with-bsd-auth build with BSD Authentication support
   --with-ldap build with LDAP support
   --with-bonjour  build with Bonjour support
   --with-openssl  build with OpenSSL support
@@ -5557,6 +5559,41 @@ $as_echo "$with_pam" >&6; }
 
 
 #
+# BSD
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD support" >&5
+$as_echo_n "checking whether to build with BSD support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+  withval=$with_bsd_auth;
+  case $withval in
+yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+  ;;
+no)
+  :
+  ;;
+*)
+  as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+  ;;
+  esac
+
+else
+  with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd" >&5
+$as_echo "$with_bsd" >&6; }
+
+
+#
 # LDAP
 #
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5
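Review bot: the two result lines at the end of this hunk print `$with_bsd`, but the variable the option block assigns is `with_bsd_auth` (`withval=$with_bsd_auth;` and `with_bsd_auth=no`), so configure reports an empty result for the option; change both `$as_echo` lines to `$with_bsd_auth`. The message "checking whether to build with BSD support" should also say "BSD Authentication support", as the help text does.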
@@ -10475,6 +10512,23 @@ done
 
 fi
 
+if test "$with_bsd" = yes ; then
+  for ac_header in bsd_auth.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BSD_AUTH_H 1
+_ACEOF
+
+else
+  as_fn_error $? "header file  is required for BSD Authentication support" "$LINENO" 5
+fi
+
+done
+
+fi
+
 if test "$with_libxml" = yes ; then
   ac_fn_c_check_header_mongrel "$LINENO" "libxml/parser.h" "ac_cv_header_libxml_parser_h" "$ac_includes_default"
 if test "x$ac_cv_header_libxml_parser_h" = xyes; then :
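Review bot: `if test "$with_bsd" = yes` tests a variable that is never assigned; the option block sets `with_bsd_auth`, so the bsd_auth.h check and the `HAVE_BSD_AUTH_H` define are skipped even when `--with-bsd-auth` is given, while USE_BSD_AUTH has already been defined without the header being verified. Use `$with_bsd_auth` here.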
diff --git a/configure.in b/configure.in
index 44f832f..d5fb726 100644
--- a/configure.in
+++ b/configure.in
@@ -663,6 +663,16 @@ AC_MSG_RESULT([$with_pam])
 
 
 #
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+  [build with BSD Authentication support],
+  [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd])
+
+
+#
 # LDAP
 #
 AC_MSG_CHECKING([whether to build with LDAP support])
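Review bot: AC_MSG_RESULT([$with_bsd]) should be AC_MSG_RESULT([$with_bsd_auth]); PGAC_ARG_BOOL(with, bsd-auth, ...) sets with_bsd_auth, and this mismatch is what produces the empty result in the generated configure. The "BSD support" wording in AC_MSG_CHECKING and the AC_DEFINE comment should also read "BSD Authentication support".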
@@ -1249,6 +1259,10 @@ if test "$with_pam" = yes ; then
  [AC_MSG_ERROR([header file  or  is required for PAM.])])])
 fi
 
+if test "$with_bsd" = yes ; then
+  AC_CHECK_HEADERS(bsd_auth.h, [], [AC_MSG_ERROR([header file  is required for BSD Authentication support])])
+fi
+
 if test "$with_libxml" = yes ; then
   AC_CHECK_HEADER(libxml/parser.h, [], [AC_MSG_ERROR([header file  is required for XML support])])
 fi
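Review bot: same variable mismatch here: `if test "$with_bsd" = yes` should test `$with_bsd_auth`. As written the AC_CHECK_HEADERS(bsd_auth.h, ...) guard is never true, so a build with --with-bsd-auth on a system without bsd_auth.h fails at compile time instead of at configure time with the intended error.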
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..b2c8a43 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -522,6 +522,17 @@ hostnossl  database  user
  
 

+
+   
+ bsd
+ 
+  
+   Authenticate using BSD Authentication (BSD Auth) provided
+   by the operating system. See 
+   for details.
+  
+ 
+   
   
 
   
@@ -1647,6 +1658,33 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub";
 

   
+
+  
+   BSD Authentication
+
+   
+BSD
+   
+
+   
+This authentication method operates similarly to
+password except that it uses BSD
+Authentication as the authentication mechanism. BSD Authentication
+is used only to validate user name/password pairs.
+Therefore the user must already exist in the database before BSD
+Authentication can be used for authentication. For more information
+about BSD Authentication, please read the
+http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/auth_call.3?query=bsd_auth";>
+