authorMagnus Hagander <magnus@hagander.net>2014-01-15 17:24:01 +0100
committerMagnus Hagander <magnus@hagander.net>2014-01-19 17:05:01 +0100
commit98de86e4221a418d670db86bf28ff15e880beadc (patch)
treeaeba76356dfe639d4e9aff48875062f1defb16cc
parent4b8f2859ccc4fe1e9b66fbdb332b830b69a9d6cf (diff)
Remove support for native krb5 authentication
krb5 has been deprecated since 8.3, and the recommended way to do Kerberos authentication is using the GSSAPI authentication method (which is still fully supported). libpq retains the ability to identify krb5 authentication, but only gives an error message about it being unsupported. Since all authentication is initiated from the backend, there is no need to keep it at all in the backend.
-rwxr-xr-xconfigure314
-rw-r--r--configure.in54
-rw-r--r--doc/src/sgml/client-auth.sgml253
-rw-r--r--doc/src/sgml/config.sgml6
-rw-r--r--doc/src/sgml/install-windows.sgml2
-rw-r--r--doc/src/sgml/installation.sgml20
-rw-r--r--doc/src/sgml/libpq.sgml9
-rw-r--r--doc/src/sgml/passwordcheck.sgml2
-rw-r--r--doc/src/sgml/protocol.sgml3
-rw-r--r--src/backend/libpq/auth.c217
-rw-r--r--src/backend/libpq/hba.c35
-rw-r--r--src/backend/libpq/pg_hba.conf.sample2
-rw-r--r--src/bin/initdb/initdb.c3
-rw-r--r--src/include/libpq/hba.h1
-rw-r--r--src/include/libpq/pqcomm.h2
-rw-r--r--src/include/pg_config.h.in18
-rw-r--r--src/include/pg_config.h.win3215
-rw-r--r--src/interfaces/libpq/fe-auth.c264
-rw-r--r--src/interfaces/libpq/fe-connect.c4
-rw-r--r--src/interfaces/libpq/libpq-int.h2
-rw-r--r--src/tools/msvc/Solution.pm6
-rw-r--r--src/tools/msvc/config_default.pl1
22 files changed, 91 insertions, 1142 deletions
diff --git a/configure b/configure
index 8760643a750..e1ff704ca57 100755
--- a/configure
+++ b/configure
@@ -817,7 +817,6 @@ with_tclconfig
with_perl
with_python
with_gssapi
-with_krb5
with_krb_srvnam
with_pam
with_ldap
@@ -1502,8 +1501,7 @@ Optional Packages:
--with-perl build Perl modules (PL/Perl)
--with-python build Python modules (PL/Python)
--with-gssapi build with GSSAPI support
- --with-krb5 build with Kerberos 5 support
- --with-krb-srvnam=NAME default service principal name in Kerberos
+ --with-krb-srvnam=NAME default service principal name in Kerberos (GSSAPI)
[postgres]
--with-pam build with PAM support
--with-ldap build with LDAP support
@@ -5336,43 +5334,6 @@ fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_gssapi" >&5
$as_echo "$with_gssapi" >&6; }
-#
-# Kerberos 5
-#
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with Kerberos 5 support" >&5
-$as_echo_n "checking whether to build with Kerberos 5 support... " >&6; }
-
-
-
-# Check whether --with-krb5 was given.
-if test "${with_krb5+set}" = set; then :
- withval=$with_krb5;
- case $withval in
- yes)
-
-
-$as_echo "#define KRB5 1" >>confdefs.h
-
- krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab"
-
- ;;
- no)
- :
- ;;
- *)
- as_fn_error $? "no argument expected for --with-krb5 option" "$LINENO" 5
- ;;
- esac
-
-else
- with_krb5=no
-
-fi
-
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_krb5" >&5
-$as_echo "$with_krb5" >&6; }
-
@@ -8395,186 +8356,6 @@ fi
fi
fi
-if test "$with_krb5" = yes ; then
- if test "$PORTNAME" != "win32"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing com_err" >&5
-$as_echo_n "checking for library containing com_err... " >&6; }
-if ${ac_cv_search_com_err+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char com_err ();
-int
-main ()
-{
-return com_err ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' krb5 'krb5 -lcrypto -ldes -lasn1 -lroken' com_err 'com_err -lssl -lcrypto'; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_com_err=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_com_err+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_com_err+:} false; then :
-
-else
- ac_cv_search_com_err=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_com_err" >&5
-$as_echo "$ac_cv_search_com_err" >&6; }
-ac_res=$ac_cv_search_com_err
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-else
- as_fn_error $? "could not find function 'com_err' required for Kerberos 5" "$LINENO" 5
-fi
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing krb5_sendauth" >&5
-$as_echo_n "checking for library containing krb5_sendauth... " >&6; }
-if ${ac_cv_search_krb5_sendauth+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char krb5_sendauth ();
-int
-main ()
-{
-return krb5_sendauth ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' krb5 'krb5 -lcrypto -ldes -lasn1 -lroken'; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_krb5_sendauth=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_krb5_sendauth+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_krb5_sendauth+:} false; then :
-
-else
- ac_cv_search_krb5_sendauth=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_krb5_sendauth" >&5
-$as_echo "$ac_cv_search_krb5_sendauth" >&6; }
-ac_res=$ac_cv_search_krb5_sendauth
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-else
- as_fn_error $? "could not find function 'krb5_sendauth' required for Kerberos 5" "$LINENO" 5
-fi
-
- else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing com_err" >&5
-$as_echo_n "checking for library containing com_err... " >&6; }
-if ${ac_cv_search_com_err+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char com_err ();
-int
-main ()
-{
-return com_err ();
- ;
- return 0;
-}
-_ACEOF
-for ac_lib in '' 'comerr32 -lkrb5_32'; do
- if test -z "$ac_lib"; then
- ac_res="none required"
- else
- ac_res=-l$ac_lib
- LIBS="-l$ac_lib $ac_func_search_save_LIBS"
- fi
- if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_search_com_err=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext
- if ${ac_cv_search_com_err+:} false; then :
- break
-fi
-done
-if ${ac_cv_search_com_err+:} false; then :
-
-else
- ac_cv_search_com_err=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_com_err" >&5
-$as_echo "$ac_cv_search_com_err" >&6; }
-ac_res=$ac_cv_search_com_err
-if test "$ac_res" != no; then :
- test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-
-else
- as_fn_error $? "could not find function 'com_err' required for Kerberos 5" "$LINENO" 5
-fi
-
- fi
-fi
-
if test "$with_openssl" = yes ; then
if test "$PORTNAME" != "win32"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5
@@ -9496,17 +9277,6 @@ done
fi
-if test "$with_krb5" = yes ; then
- ac_fn_c_check_header_mongrel "$LINENO" "krb5.h" "ac_cv_header_krb5_h" "$ac_includes_default"
-if test "x$ac_cv_header_krb5_h" = xyes; then :
-
-else
- as_fn_error $? "header file <krb5.h> is required for Kerberos 5" "$LINENO" 5
-fi
-
-
-fi
-
if test "$with_openssl" = yes ; then
ac_fn_c_check_header_mongrel "$LINENO" "openssl/ssl.h" "ac_cv_header_openssl_ssl_h" "$ac_includes_default"
if test "x$ac_cv_header_openssl_ssl_h" = xyes; then :
@@ -10772,88 +10542,6 @@ fi
fi
-if test "$with_krb5" = yes; then
-# Check for differences between MIT and Heimdal (KTH) releases
- ac_fn_c_check_member "$LINENO" "krb5_ticket" "enc_part2" "ac_cv_member_krb5_ticket_enc_part2" "#include <krb5.h>
-"
-if test "x$ac_cv_member_krb5_ticket_enc_part2" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_KRB5_TICKET_ENC_PART2 1
-_ACEOF
-
-
-else
- ac_fn_c_check_member "$LINENO" "krb5_ticket" "client" "ac_cv_member_krb5_ticket_client" "#include <krb5.h>
-"
-if test "x$ac_cv_member_krb5_ticket_client" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_KRB5_TICKET_CLIENT 1
-_ACEOF
-
-
-else
- as_fn_error $? "could not determine how to get client name from Kerberos 5 ticket" "$LINENO" 5
-fi
-
-fi
-
- ac_fn_c_check_member "$LINENO" "krb5_error" "text.data" "ac_cv_member_krb5_error_text_data" "#include <krb5.h>
-"
-if test "x$ac_cv_member_krb5_error_text_data" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_KRB5_ERROR_TEXT_DATA 1
-_ACEOF
-
-
-else
- ac_fn_c_check_member "$LINENO" "krb5_error" "e_data" "ac_cv_member_krb5_error_e_data" "#include <krb5.h>
-"
-if test "x$ac_cv_member_krb5_error_e_data" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_KRB5_ERROR_E_DATA 1
-_ACEOF
-
-
-else
- as_fn_error $? "could not determine how to extract Kerberos 5 error messages" "$LINENO" 5
-fi
-
-fi
-
-
-# Win32 requires headers to be loaded for __stdcall, so can't use
-# AC_CHECK_FUNCS here.
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for krb5_free_unparsed_name" >&5
-$as_echo_n "checking for krb5_free_unparsed_name... " >&6; }
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-#include <krb5.h>
-int
-main ()
-{
-krb5_free_unparsed_name(NULL,NULL);
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-
-$as_echo "#define HAVE_KRB5_FREE_UNPARSED_NAME 1" >>confdefs.h
-
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-
# On PPC, check if assembler supports LWARX instruction's mutex hint bit
case $host_cpu in
ppc*|powerpc*)
diff --git a/configure.in b/configure.in
index 63c8d425eb2..3826237410f 100644
--- a/configure.in
+++ b/configure.in
@@ -608,17 +608,6 @@ PGAC_ARG_BOOL(with, gssapi, no, [build with GSSAPI support],
])
AC_MSG_RESULT([$with_gssapi])
-#
-# Kerberos 5
-#
-AC_MSG_CHECKING([whether to build with Kerberos 5 support])
-PGAC_ARG_BOOL(with, krb5, no, [build with Kerberos 5 support],
-[
- AC_DEFINE(KRB5, 1, [Define to build with Kerberos 5 support. (--with-krb5)])
- krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab"
-])
-AC_MSG_RESULT([$with_krb5])
-
AC_SUBST(krb_srvtab)
@@ -627,11 +616,11 @@ AC_SUBST(krb_srvtab)
# Kerberos configuration parameters
#
PGAC_ARG_REQ(with, krb-srvnam,
- [NAME], [default service principal name in Kerberos [postgres]],
+ [NAME], [default service principal name in Kerberos (GSSAPI) [postgres]],
[],
[with_krb_srvnam="postgres"])
AC_DEFINE_UNQUOTED([PG_KRB_SRVNAM], ["$with_krb_srvnam"],
- [Define to the name of the default PostgreSQL service principal in Kerberos. (--with-krb-srvnam=NAME)])
+ [Define to the name of the default PostgreSQL service principal in Kerberos (GSSAPI). (--with-krb-srvnam=NAME)])
#
@@ -929,18 +918,6 @@ if test "$with_gssapi" = yes ; then
fi
fi
-if test "$with_krb5" = yes ; then
- if test "$PORTNAME" != "win32"; then
- AC_SEARCH_LIBS(com_err, [krb5 'krb5 -lcrypto -ldes -lasn1 -lroken' com_err 'com_err -lssl -lcrypto'], [],
- [AC_MSG_ERROR([could not find function 'com_err' required for Kerberos 5])])
- AC_SEARCH_LIBS(krb5_sendauth, [krb5 'krb5 -lcrypto -ldes -lasn1 -lroken'], [],
- [AC_MSG_ERROR([could not find function 'krb5_sendauth' required for Kerberos 5])])
- else
- AC_SEARCH_LIBS(com_err, 'comerr32 -lkrb5_32', [],
- [AC_MSG_ERROR([could not find function 'com_err' required for Kerberos 5])])
- fi
-fi
-
if test "$with_openssl" = yes ; then
dnl Order matters!
if test "$PORTNAME" != "win32"; then
@@ -1061,10 +1038,6 @@ if test "$with_gssapi" = yes ; then
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
fi
-if test "$with_krb5" = yes ; then
- AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file <krb5.h> is required for Kerberos 5])])
-fi
-
if test "$with_openssl" = yes ; then
AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file <openssl/ssl.h> is required for OpenSSL])])
AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file <openssl/err.h> is required for OpenSSL])])
@@ -1160,29 +1133,6 @@ Use --without-zlib to disable zlib support.])],
[#include <zlib.h>])
fi
-if test "$with_krb5" = yes; then
-# Check for differences between MIT and Heimdal (KTH) releases
- AC_CHECK_MEMBERS(krb5_ticket.enc_part2, [],
- [AC_CHECK_MEMBERS(krb5_ticket.client, [],
- [AC_MSG_ERROR([could not determine how to get client name from Kerberos 5 ticket])],
- [#include <krb5.h>])],
- [#include <krb5.h>])
- AC_CHECK_MEMBERS(krb5_error.text.data, [],
- [AC_CHECK_MEMBERS(krb5_error.e_data, [],
- [AC_MSG_ERROR([could not determine how to extract Kerberos 5 error messages])],
- [#include <krb5.h>])],
- [#include <krb5.h>])
-
-# Win32 requires headers to be loaded for __stdcall, so can't use
-# AC_CHECK_FUNCS here.
- AC_MSG_CHECKING(for krb5_free_unparsed_name)
- AC_TRY_LINK([#include <krb5.h>],
- [krb5_free_unparsed_name(NULL,NULL);],
- [AC_DEFINE(HAVE_KRB5_FREE_UNPARSED_NAME, 1, [Define to 1 if you have krb5_free_unparsed_name.])
-AC_MSG_RESULT(yes)],
- [AC_MSG_RESULT(no)])
-fi
-
# On PPC, check if assembler supports LWARX instruction's mutex hint bit
case $host_cpu in
ppc*|powerpc*)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 9fc583ce574..14870401fb8 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -451,17 +451,6 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
</varlistentry>
<varlistentry>
- <term><literal>krb5</></term>
- <listitem>
- <para>
- Use Kerberos V5 to authenticate the user. This is only
- available for TCP/IP connections. See <xref
- linkend="kerberos-auth"> for details.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term><literal>ident</></term>
<listitem>
<para>
@@ -650,13 +639,13 @@ host all all .example.com md5
# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
-# matched first), but allow Kerberos 5 connections from anywhere else
+# matched first), but allow GSSAPI connections from anywhere else
# on the Internet. The zero mask causes no bits of the host IP
# address to be considered, so it matches any host.
#
# TYPE DATABASE USER ADDRESS METHOD
host all all 192.168.54.1/32 reject
-host all all 0.0.0.0/0 krb5
+host all all 0.0.0.0/0 gss
# Allow users from 192.168.x.x hosts to connect to any database, if
# they pass the ident check. If, for example, ident says the user is
@@ -925,16 +914,74 @@ omicron bryanh guest1
</para>
<para>
+ GSSAPI support has to be enabled when <productname>PostgreSQL</> is built;
+ see <xref linkend="installation"> for more information.
+ </para>
+
+ <para>
When <productname>GSSAPI</productname> uses
<productname>Kerberos</productname>, it uses a standard principal
in the format
- <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>. For information about the parts of the principal, and
- how to set up the required keys, see <xref linkend="kerberos-auth">.
+ <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
+ <replaceable>servicename</> can be set on the server side using the
+ <xref linkend="guc-krb-srvname"> configuration parameter, and on the
+ client side using the <literal>krbsrvname</> connection parameter. (See
+ also <xref linkend="libpq-paramkeywords">.) The installation default can be
+ changed from the default <literal>postgres</literal> at build time using
+ <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
+ In most environments,
+ this parameter never needs to be changed. However, it is necessary
+ when supporting multiple <productname>PostgreSQL</> installations
+ on the same host.
+ Some Kerberos implementations might also require a different service name,
+ such as Microsoft Active Directory which requires the service name
+ to be in upper case (<literal>POSTGRES</literal>).
+ </para>
+ <para>
+ <replaceable>hostname</> is the fully qualified host name of the
+ server machine. The service principal's realm is the preferred realm
+ of the server machine.
</para>
<para>
- GSSAPI support has to be enabled when <productname>PostgreSQL</> is built;
- see <xref linkend="installation"> for more information.
+ Client principals must have their <productname>PostgreSQL</> database user
+ name as their first component, for example
+ <literal>pgusername@realm</>. Alternatively, you can use a user name
+ mapping to map from the first component of the principal name to the
+ database user name. By default, the realm of the client is
+ not checked by <productname>PostgreSQL</>. If you have cross-realm
+ authentication enabled and need to verify the realm, use the
+ <literal>krb_realm</> parameter, or enable <literal>include_realm</>
+ and use user name mapping to check the realm.
+ </para>
+
+ <para>
+ Make sure that your server keytab file is readable (and preferably
+ only readable) by the <productname>PostgreSQL</productname> server
+ account. (See also <xref linkend="postgres-user">.) The location
+ of the key file is specified by the <xref
+ linkend="guc-krb-server-keyfile"> configuration
+ parameter. The default is
+ <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
+ directory was specified as <varname>sysconfdir</> at build time).
+ </para>
+ <para>
+ The keytab file is generated by the Kerberos software; see the
+ Kerberos documentation for details. The following example is
+ for MIT-compatible Kerberos 5 implementations:
+<screen>
+<prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
+<prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
+</screen>
+ </para>
+
+ <para>
+ When connecting to the database make sure you have a ticket for a
+ principal matching the requested database user name. For example, for
+ database user name <literal>fred</>, principal
+ <literal>fred@EXAMPLE.COM</> would be able to connect. To also allow
+ principal <literal>fred/users.example.com@EXAMPLE.COM</>, use a user name
+ map, as described in <xref linkend="auth-username-maps">.
</para>
<para>
@@ -1050,178 +1097,6 @@ omicron bryanh guest1
</para>
</sect2>
- <sect2 id="kerberos-auth">
- <title>Kerberos Authentication</title>
-
- <indexterm zone="kerberos-auth">
- <primary>Kerberos</primary>
- </indexterm>
-
- <note>
- <para>
- Native Kerberos authentication has been deprecated and should be used
- only for backward compatibility. New and upgraded installations are
- encouraged to use the industry-standard <productname>GSSAPI</productname>
- authentication method (see <xref linkend="gssapi-auth">) instead.
- </para>
- </note>
-
- <para>
- <productname>Kerberos</productname> is an industry-standard secure
- authentication system suitable for distributed computing over a public
- network. A description of the <productname>Kerberos</productname> system
- is beyond the scope of this document; in full generality it can be
- quite complex (yet powerful). The
- <ulink url="http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">
- Kerberos <acronym>FAQ</></ulink> or
- <ulink url="http://web.mit.edu/kerberos/www/">MIT Kerberos page</ulink>
- can be good starting points for exploration.
- Several sources for <productname>Kerberos</> distributions exist.
- <productname>Kerberos</productname> provides secure authentication but
- does not encrypt queries or data passed over the network; for that
- use <acronym>SSL</acronym>.
- </para>
-
- <para>
- <productname>PostgreSQL</> supports Kerberos version 5. Kerberos
- support has to be enabled when <productname>PostgreSQL</> is built;
- see <xref linkend="installation"> for more information.
- </para>
-
- <para>
- <productname>PostgreSQL</> operates like a normal Kerberos service.
- The name of the service principal is
- <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
- </para>
-
- <para>
- <replaceable>servicename</> can be set on the server side using the
- <xref linkend="guc-krb-srvname"> configuration parameter, and on the
- client side using the <literal>krbsrvname</> connection parameter. (See
- also <xref linkend="libpq-paramkeywords">.) The installation default can be
- changed from the default <literal>postgres</literal> at build time using
- <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
- In most environments,
- this parameter never needs to be changed. However, it is necessary
- when supporting multiple <productname>PostgreSQL</> installations
- on the same host.
- Some Kerberos implementations might also require a different service name,
- such as Microsoft Active Directory which requires the service name
- to be in upper case (<literal>POSTGRES</literal>).
- </para>
-
- <para>
- <replaceable>hostname</> is the fully qualified host name of the
- server machine. The service principal's realm is the preferred realm
- of the server machine.
- </para>
-
- <para>
- Client principals must have their <productname>PostgreSQL</> database user
- name as their first component, for example
- <literal>pgusername@realm</>. Alternatively, you can use a user name
- mapping to map from the first component of the principal name to the
- database user name. By default, the realm of the client is
- not checked by <productname>PostgreSQL</>. If you have cross-realm
- authentication enabled and need to verify the realm, use the
- <literal>krb_realm</> parameter, or enable <literal>include_realm</>
- and use user name mapping to check the realm.
- </para>
-
- <para>
- Make sure that your server keytab file is readable (and preferably
- only readable) by the <productname>PostgreSQL</productname> server
- account. (See also <xref linkend="postgres-user">.) The location
- of the key file is specified by the <xref
- linkend="guc-krb-server-keyfile"> configuration
- parameter. The default is
- <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
- directory was specified as <varname>sysconfdir</> at build time).
- </para>
-
- <para>
- The keytab file is generated by the Kerberos software; see the
- Kerberos documentation for details. The following example is
- for MIT-compatible Kerberos 5 implementations:
-<screen>
-<prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
-<prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
-</screen>
- </para>
-
- <para>
- When connecting to the database make sure you have a ticket for a
- principal matching the requested database user name. For example, for
- database user name <literal>fred</>, principal
- <literal>fred@EXAMPLE.COM</> would be able to connect. To also allow
- principal <literal>fred/users.example.com@EXAMPLE.COM</>, use a user name
- map, as described in <xref linkend="auth-username-maps">.
- </para>
-
- <para>
- If you use <ulink url="http://modauthkerb.sf.net">
- <application>mod_auth_kerb</application></ulink>
- and <application>mod_perl</application> on your
- <productname>Apache</productname> web server, you can use
- <literal>AuthType KerberosV5SaveCredentials</literal> with a
- <application>mod_perl</application> script. This gives secure
- database access over the web, with no additional passwords required.
- </para>
-
- <para>
- The following configuration options are supported for
- <productname>Kerberos</productname>:
- <variablelist>
- <varlistentry>
- <term><literal>map</literal></term>
- <listitem>
- <para>
- Allows for mapping between system and database user names. See
- <xref linkend="auth-username-maps"> for details.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><literal>include_realm</literal></term>
- <listitem>
- <para>
- If set to 1, the realm name from the authenticated user
- principal is included in the system user name that's passed through
- user name mapping (<xref linkend="auth-username-maps">). This is
- useful for handling users from multiple realms.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><literal>krb_realm</literal></term>
- <listitem>
- <para>
- Sets the realm to match user principal names against. If this parameter
- is set, only users of that realm will be accepted. If it is not set,
- users of any realm can connect, subject to whatever user name mapping
- is done.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><literal>krb_server_hostname</literal></term>
- <listitem>
- <para>
- Sets the host name part of the service principal.
- This, combined with <varname>krb_srvname</>, is used to generate
- the complete service principal, that is
- <varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
- If not set, the default is the server host name.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </para>
- </sect2>
-
<sect2 id="auth-ident">
<title>Ident Authentication</title>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 0f2f2bf925b..3c4bb9becaa 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -964,7 +964,7 @@ include 'filename'
<listitem>
<para>
Sets the location of the Kerberos server key file. See
- <xref linkend="kerberos-auth"> or <xref linkend="gssapi-auth">
+ <xref linkend="gssapi-auth">
for details. This parameter can only be set in the
<filename>postgresql.conf</> file or on the server command line.
</para>
@@ -978,7 +978,7 @@ include 'filename'
</indexterm>
<listitem>
<para>
- Sets the Kerberos service name. See <xref linkend="kerberos-auth">
+ Sets the Kerberos service name. See <xref linkend="gssapi-auth">
for details. This parameter can only be set in the
<filename>postgresql.conf</> file or on the server command line.
</para>
@@ -992,7 +992,7 @@ include 'filename'
</indexterm>
<listitem>
<para>
- Sets whether Kerberos and GSSAPI user names should be treated
+ Sets whether GSSAPI user names should be treated
case-insensitively.
The default is <literal>off</> (case sensitive). This parameter can only be
set in the <filename>postgresql.conf</> file or on the server command line.
diff --git a/doc/src/sgml/install-windows.sgml b/doc/src/sgml/install-windows.sgml
index 4c9ce5b1455..f3b1a12b05f 100644
--- a/doc/src/sgml/install-windows.sgml
+++ b/doc/src/sgml/install-windows.sgml
@@ -269,7 +269,7 @@ $ENV{PATH}=$ENV{PATH} . ';c:\some\where\bison\bin';
<varlistentry>
<term><productname>MIT Kerberos</productname></term>
<listitem><para>
- Required for Kerberos authentication support. MIT Kerberos can be
+ Required for GSSAPI authentication support. MIT Kerberos can be
downloaded from
<ulink url="http://web.mit.edu/Kerberos/dist/index.html"></>.
</para></listitem>
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index fc6559d7084..a4cdf5f1042 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -772,27 +772,11 @@ su - postgres
</varlistentry>
<varlistentry>
- <term><option>--with-krb5</option></term>
- <listitem>
- <para>
- Build with support for Kerberos 5 authentication. On many
- systems, the Kerberos system is not installed in a location
- that is searched by default (e.g., <filename>/usr/include</>,
- <filename>/usr/lib</>), so you must use the options
- <option>--with-includes</> and <option>--with-libraries</> in
- addition to this option. <filename>configure</> will check
- for the required header files and libraries to make sure that
- your Kerberos installation is sufficient before proceeding.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term><option>--with-krb-srvnam=<replaceable>NAME</></option></term>
<listitem>
<para>
- The default name of the Kerberos service principal (also used
- by GSSAPI).
+ The default name of the Kerberos service principal used
+ by GSSAPI.
<literal>postgres</literal> is the default. There's usually no
reason to change this unless you have a Windows environment,
in which case it must be set to upper case
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 15bc42cd61c..3ab06a1a1b7 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -896,7 +896,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
Using <literal>hostaddr</> instead of <literal>host</> allows the
application to avoid a host name look-up, which might be important
in applications with time constraints. However, a host name is
- required for Kerberos, GSSAPI, or SSPI authentication
+ required for GSSAPI or SSPI authentication
methods, as well as for <literal>verify-full</> SSL
certificate verification. The following rules are used:
<itemizedlist>
@@ -1331,11 +1331,10 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
<term><literal>krbsrvname</literal></term>
<listitem>
<para>
- Kerberos service name to use when authenticating with Kerberos 5
- or GSSAPI.
+ Kerberos service name to use when authenticating with GSSAPI.
This must match the service name specified in the server
configuration for Kerberos authentication to succeed. (See also
- <xref linkend="kerberos-auth"> and <xref linkend="gssapi-auth">.)
+ <xref linkend="gssapi-auth">.)
</para>
</listitem>
</varlistentry>
@@ -6652,7 +6651,7 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough)
<application>libpq</application> applications will attempt
authentication with servers for this realm and use separate ticket
files to avoid conflicts with local ticket files. This
- environment variable is only used if Kerberos authentication is
+ environment variable is only used if GSSAPI authentication is
selected by the server.
</para>
</listitem>
diff --git a/doc/src/sgml/passwordcheck.sgml b/doc/src/sgml/passwordcheck.sgml
index 415749d5424..6e6e4ef4356 100644
--- a/doc/src/sgml/passwordcheck.sgml
+++ b/doc/src/sgml/passwordcheck.sgml
@@ -48,7 +48,7 @@
module, because in that case it can only try to guess the password.
For this reason, <filename>passwordcheck</filename> is not
recommended if your security requirements are high.
- It is more secure to use an external authentication method such as Kerberos
+ It is more secure to use an external authentication method such as GSSAPI
(see <xref linkend="client-authentication">) than to rely on
passwords within the database.
</para>
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 0b2e60eeb13..7d99976a49c 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -271,7 +271,8 @@
authentication dialog (not described here, part of the
Kerberos specification) with the server. If this is
successful, the server responds with an AuthenticationOk,
- otherwise it responds with an ErrorResponse.
+ otherwise it responds with an ErrorResponse. This is no
+ longer supported. This is not supported any more.
</para>
</listitem>
</varlistentry>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 85899159843..882dc8faf1b 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -134,29 +134,6 @@ bool pg_krb_caseins_users;
/*----------------------------------------------------------------
- * MIT Kerberos authentication system - protocol version 5
- *----------------------------------------------------------------
- */
-#ifdef KRB5
-static int pg_krb5_recvauth(Port *port);
-
-#include <krb5.h>
-/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
-#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
-#include <com_err.h>
-#endif
-/*
- * Various krb5 state which is not connection specific, and a flag to
- * indicate whether we have initialised it yet.
- */
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_keytab pg_krb5_keytab;
-static krb5_principal pg_krb5_server;
-#endif /* KRB5 */
-
-
-/*----------------------------------------------------------------
* GSSAPI Authentication
*----------------------------------------------------------------
*/
@@ -257,9 +234,6 @@ auth_failed(Port *port, int status)
case uaImplicitReject:
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
break;
- case uaKrb5:
- errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
- break;
case uaTrust:
errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
break;
@@ -497,15 +471,6 @@ ClientAuthentication(Port *port)
break;
}
- case uaKrb5:
-#ifdef KRB5
- sendAuthRequest(port, AUTH_REQ_KRB5);
- status = pg_krb5_recvauth(port);
-#else
- Assert(false);
-#endif
- break;
-
case uaGSS:
#ifdef ENABLE_GSS
sendAuthRequest(port, AUTH_REQ_GSS);
@@ -735,188 +700,6 @@ recv_and_check_password_packet(Port *port)
}
-/*----------------------------------------------------------------
- * MIT Kerberos authentication system - protocol version 5
- *----------------------------------------------------------------
- */
-#ifdef KRB5
-
-static int
-pg_krb5_init(Port *port)
-{
- krb5_error_code retval;
- char *khostname;
-
- if (pg_krb5_initialised)
- return STATUS_OK;
-
- retval = krb5_init_context(&pg_krb5_context);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos initialization returned error %d",
- retval)));
- com_err("postgres", retval, "while initializing krb5");
- return STATUS_ERROR;
- }
-
- retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos keytab resolving returned error %d",
- retval)));
- com_err("postgres", retval, "while resolving keytab file \"%s\"",
- pg_krb_server_keyfile);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- /*
- * If no hostname was specified, pg_krb_server_hostname is already NULL.
- * If it's set to blank, force it to NULL.
- */
- khostname = port->hba->krb_server_hostname;
- if (khostname && khostname[0] == '\0')
- khostname = NULL;
-
- retval = krb5_sname_to_principal(pg_krb5_context,
- khostname,
- pg_krb_srvnam,
- KRB5_NT_SRV_HST,
- &pg_krb5_server);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d",
- khostname ? khostname : "server hostname", pg_krb_srvnam, retval)));
- com_err("postgres", retval,
- "while getting server principal for server \"%s\" for service \"%s\"",
- khostname ? khostname : "server hostname", pg_krb_srvnam);
- krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- pg_krb5_initialised = 1;
- return STATUS_OK;
-}
-
-
-/*
- * pg_krb5_recvauth -- server routine to receive authentication information
- * from the client
- *
- * We still need to compare the username obtained from the client's setup
- * packet to the authenticated name.
- *
- * We have our own keytab file because postgres is unlikely to run as root,
- * and so cannot read the default keytab.
- */
-static int
-pg_krb5_recvauth(Port *port)
-{
- krb5_error_code retval;
- int ret;
- krb5_auth_context auth_context = NULL;
- krb5_ticket *ticket;
- char *kusername;
- char *cp;
-
- ret = pg_krb5_init(port);
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_recvauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & port->sock, pg_krb_srvnam,
- pg_krb5_server, 0, pg_krb5_keytab, &ticket);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos recvauth returned error %d",
- retval)));
- com_err("postgres", retval, "from krb5_recvauth");
- return STATUS_ERROR;
- }
-
- /*
- * The "client" structure comes out of the ticket and is therefore
- * authenticated. Use it to check the username obtained from the
- * postmaster startup packet.
- */
-#if defined(HAVE_KRB5_TICKET_ENC_PART2)
- retval = krb5_unparse_name(pg_krb5_context,
- ticket->enc_part2->client, &kusername);
-#elif defined(HAVE_KRB5_TICKET_CLIENT)
- retval = krb5_unparse_name(pg_krb5_context,
- ticket->client, &kusername);
-#else
-#error "bogus configuration"
-#endif
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos unparse_name returned error %d",
- retval)));
- com_err("postgres", retval, "while unparsing client name");
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- return STATUS_ERROR;
- }
-
- cp = strchr(kusername, '@');
- if (cp)
- {
- /*
- * If we are not going to include the realm in the username that is
- * passed to the ident map, destructively modify it here to remove the
- * realm. Then advance past the separator to check the realm.
- */
- if (!port->hba->include_realm)
- *cp = '\0';
- cp++;
-
- if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
- {
- /* Match realm against configured */
- if (pg_krb_caseins_users)
- ret = pg_strcasecmp(port->hba->krb_realm, cp);
- else
- ret = strcmp(port->hba->krb_realm, cp);
-
- if (ret)
- {
- elog(DEBUG2,
- "krb5 realm (%s) and configured realm (%s) don't match",
- cp, port->hba->krb_realm);
-
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- return STATUS_ERROR;
- }
- }
- }
- else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
- {
- elog(DEBUG2,
- "krb5 did not return realm but realm matching was requested");
-
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- return STATUS_ERROR;
- }
-
- ret = check_usermap(port->hba->usermap, port->user_name, kusername,
- pg_krb_caseins_users);
-
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- free(kusername);
-
- return ret;
-}
-#endif /* KRB5 */
-
/*----------------------------------------------------------------
* GSSAPI authentication system
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index ae25cf873f5..77434f410ae 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1177,12 +1177,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
parsedline->auth_method = uaPeer;
else if (strcmp(token->string, "password") == 0)
parsedline->auth_method = uaPassword;
- else if (strcmp(token->string, "krb5") == 0)
-#ifdef KRB5
- parsedline->auth_method = uaKrb5;
-#else
- unsupauth = "krb5";
-#endif
else if (strcmp(token->string, "gss") == 0)
#ifdef ENABLE_GSS
parsedline->auth_method = uaGSS;
@@ -1262,17 +1256,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
/* Invalid authentication combinations */
if (parsedline->conntype == ctLocal &&
- parsedline->auth_method == uaKrb5)
- {
- ereport(LOG,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("krb5 authentication is not supported on local sockets"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, HbaFileName)));
- return NULL;
- }
-
- if (parsedline->conntype == ctLocal &&
parsedline->auth_method == uaGSS)
{
ereport(LOG,
@@ -1417,11 +1400,10 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
{
if (hbaline->auth_method != uaIdent &&
hbaline->auth_method != uaPeer &&
- hbaline->auth_method != uaKrb5 &&
hbaline->auth_method != uaGSS &&
hbaline->auth_method != uaSSPI &&
hbaline->auth_method != uaCert)
- INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi, and cert"));
+ INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
hbaline->usermap = pstrdup(val);
}
else if (strcmp(name, "clientcert") == 0)
@@ -1578,25 +1560,18 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap");
hbaline->ldapsuffix = pstrdup(val);
}
- else if (strcmp(name, "krb_server_hostname") == 0)
- {
- REQUIRE_AUTH_OPTION(uaKrb5, "krb_server_hostname", "krb5");
- hbaline->krb_server_hostname = pstrdup(val);
- }
else if (strcmp(name, "krb_realm") == 0)
{
- if (hbaline->auth_method != uaKrb5 &&
- hbaline->auth_method != uaGSS &&
+ if (hbaline->auth_method != uaGSS &&
hbaline->auth_method != uaSSPI)
- INVALID_AUTH_OPTION("krb_realm", gettext_noop("krb5, gssapi, and sspi"));
+ INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi"));
hbaline->krb_realm = pstrdup(val);
}
else if (strcmp(name, "include_realm") == 0)
{
- if (hbaline->auth_method != uaKrb5 &&
- hbaline->auth_method != uaGSS &&
+ if (hbaline->auth_method != uaGSS &&
hbaline->auth_method != uaSSPI)
- INVALID_AUTH_OPTION("include_realm", gettext_noop("krb5, gssapi, and sspi"));
+ INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi"));
if (strcmp(val, "1") == 0)
hbaline->include_realm = true;
else
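Review bot: Removing the `krb_server_hostname` option branch here deletes the only writer of `hbaline->krb_server_hostname`, and its only reader, `port->hba->krb_server_hostname` in pg_krb5_init, is also deleted by this commit; the hba.h hunk, however, removes just `uaKrb5` (the diffstat shows a single deletion there), so the HbaLine member appears to survive as a dead field. Dropping that member from the HbaLine struct in hba.h in the same commit would keep the header consistent with the parser, assuming no other reader exists outside the visible hunks. parse_hba_auth_opt continues outside this hunk.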
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index a12ba26ad57..86a89edf9ad 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -43,7 +43,7 @@
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
-# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
+# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index a9aa7a487f6..7e934b75abb 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -76,9 +76,6 @@ static const char *auth_methods_host[] = {"trust", "reject", "md5", "password",
#ifdef ENABLE_SSPI
"sspi",
#endif
-#ifdef KRB5
- "krb5",
-#endif
#ifdef USE_PAM
"pam", "pam ",
#endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 73ae5105eb9..5a103aed195 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -20,7 +20,6 @@ typedef enum UserAuth
{
uaReject,
uaImplicitReject,
- uaKrb5,
uaTrust,
uaIdent,
uaPassword,
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index 0be839c23cc..969fe5e105d 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -164,7 +164,7 @@ extern bool Db_user_namespace;
#define AUTH_REQ_OK 0 /* User is authenticated */
#define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */
-#define AUTH_REQ_KRB5 2 /* Kerberos V5 */
+#define AUTH_REQ_KRB5 2 /* Kerberos V5. Not supported any more. */
#define AUTH_REQ_PASSWORD 3 /* Password */
#define AUTH_REQ_CRYPT 4 /* crypt password. Not supported any more. */
#define AUTH_REQ_MD5 5 /* md5 password */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 64717dfcd41..0bade28b972 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -260,21 +260,6 @@
/* Define to 1 if you have isinf(). */
#undef HAVE_ISINF
-/* Define to 1 if `e_data' is a member of `krb5_error'. */
-#undef HAVE_KRB5_ERROR_E_DATA
-
-/* Define to 1 if `text.data' is a member of `krb5_error'. */
-#undef HAVE_KRB5_ERROR_TEXT_DATA
-
-/* Define to 1 if you have krb5_free_unparsed_name. */
-#undef HAVE_KRB5_FREE_UNPARSED_NAME
-
-/* Define to 1 if `client' is a member of `krb5_ticket'. */
-#undef HAVE_KRB5_TICKET_CLIENT
-
-/* Define to 1 if `enc_part2' is a member of `krb5_ticket'. */
-#undef HAVE_KRB5_TICKET_ENC_PART2
-
/* Define to 1 if you have the <langinfo.h> header file. */
#undef HAVE_LANGINFO_H
@@ -656,9 +641,6 @@
/* Define to the appropriate snprintf format for 64-bit ints. */
#undef INT64_FORMAT
-/* Define to build with Kerberos 5 support. (--with-krb5) */
-#undef KRB5
-
/* Define to 1 if `locale_t' requires <xlocale.h>. */
#undef LOCALE_T_IN_XLOCALE
diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32
index b69414fd484..19ef4c1a9fb 100644
--- a/src/include/pg_config.h.win32
+++ b/src/include/pg_config.h.win32
@@ -193,18 +193,6 @@
/* Define to 1 if you have isinf(). */
#define HAVE_ISINF 1
-/* Define to 1 if `e_data' is member of `krb5_error'. */
-/* #undef HAVE_KRB5_ERROR_E_DATA */
-
-/* Define to 1 if `text.data' is member of `krb5_error'. */
-/* #undef HAVE_KRB5_ERROR_TEXT_DATA */
-
-/* Define to 1 if `client' is member of `krb5_ticket'. */
-/* #undef HAVE_KRB5_TICKET_CLIENT */
-
-/* Define to 1 if `enc_part2' is member of `krb5_ticket'. */
-/* #undef HAVE_KRB5_TICKET_ENC_PART2 */
-
/* Define to 1 if you have the <langinfo.h> header file. */
/* #undef HAVE_LANGINFO_H */
@@ -541,9 +529,6 @@
/* Define to the appropriate snprintf format for 64-bit ints, if any. */
#define INT64_FORMAT "%lld"
-/* Define to build with Kerberos 5 support. (--with-krb5) */
-/* #undef KRB5 */
-
/* Define to 1 if `locale_t' requires <xlocale.h>. */
/* #undef LOCALE_T_IN_XLOCALE */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 91f7c501c78..e10c9709108 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -43,258 +43,6 @@
#include "libpq/md5.h"
-#ifdef KRB5
-/*
- * MIT Kerberos authentication system - protocol version 5
- */
-
-#include <krb5.h>
-/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
-#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
-#include <com_err.h>
-#endif
-
-/*
- * Heimdal doesn't have a free function for unparsed names. Just pass it to
- * standard free() which should work in these cases.
- */
-#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
-static void
-krb5_free_unparsed_name(krb5_context context, char *val)
-{
- free(val);
-}
-#endif
-
-/*
- * pg_an_to_ln -- return the local name corresponding to an authentication
- * name
- *
- * XXX Assumes that the first aname component is the user name. This is NOT
- * necessarily so, since an aname can actually be something out of your
- * worst X.400 nightmare, like
- * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
- * Note that the MIT an_to_ln code does the same thing if you don't
- * provide an aname mapping database...it may be a better idea to use
- * krb5_an_to_ln, except that it punts if multiple components are found,
- * and we can't afford to punt.
- *
- * For WIN32, convert username to lowercase because the Win32 kerberos library
- * generates tickets with the username as the user entered it instead of as
- * it is entered in the directory.
- */
-static char *
-pg_an_to_ln(char *aname)
-{
- char *p;
-
- if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
- *p = '\0';
-#ifdef WIN32
- for (p = aname; *p; p++)
- *p = pg_tolower((unsigned char) *p);
-#endif
-
- return aname;
-}
-
-
-/*
- * Various krb5 state which is not connection specific, and a flag to
- * indicate whether we have initialised it yet.
- */
-/*
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_ccache pg_krb5_ccache;
-static krb5_principal pg_krb5_client;
-static char *pg_krb5_name;
-*/
-
-struct krb5_info
-{
- int pg_krb5_initialised;
- krb5_context pg_krb5_context;
- krb5_ccache pg_krb5_ccache;
- krb5_principal pg_krb5_client;
- char *pg_krb5_name;
-};
-
-
-static int
-pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info)
-{
- krb5_error_code retval;
-
- if (info->pg_krb5_initialised)
- return STATUS_OK;
-
- retval = krb5_init_context(&(info->pg_krb5_context));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_init_context: %s\n",
- error_message(retval));
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_default: %s\n",
- error_message(retval));
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache,
- &(info->pg_krb5_client));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_get_principal: %s\n",
- error_message(retval));
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_unparse_name: %s\n",
- error_message(retval));
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name);
-
- info->pg_krb5_initialised = 1;
- return STATUS_OK;
-}
-
-static void
-pg_krb5_destroy(struct krb5_info * info)
-{
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name);
- krb5_free_context(info->pg_krb5_context);
-}
-
-
-/*
- * pg_krb5_sendauth -- client routine to send authentication information to
- * the server
- */
-static int
-pg_krb5_sendauth(PGconn *conn)
-{
- krb5_error_code retval;
- int ret;
- krb5_principal server;
- krb5_auth_context auth_context = NULL;
- krb5_error *err_ret = NULL;
- struct krb5_info info;
-
- info.pg_krb5_initialised = 0;
-
- if (!(conn->pghost && conn->pghost[0] != '\0'))
- {
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("host name must be specified\n"));
- return STATUS_ERROR;
- }
-
- ret = pg_krb5_init(&conn->errorMessage, &info);
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost,
- conn->krbsrvname,
- KRB5_NT_SRV_HST, &server);
- if (retval)
- {
- printfPQExpBuffer(&conn->errorMessage,
- "pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
- error_message(retval));
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- /*
- * libpq uses a non-blocking socket. But kerberos needs a blocking socket,
- * and we have to block somehow to do mutual authentication anyway. So we
- * temporarily make it blocking.
- */
- if (!pg_set_block(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
- krb5_free_principal(info.pg_krb5_context, server);
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- retval = krb5_sendauth(info.pg_krb5_context, &auth_context,
- (krb5_pointer) & conn->sock, (char *) conn->krbsrvname,
- info.pg_krb5_client, server,
- AP_OPTS_MUTUAL_REQUIRED,
- NULL, 0, /* no creds, use ccache instead */
- info.pg_krb5_ccache, &err_ret, NULL, NULL);
- if (retval)
- {
- if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
- {
-#if defined(HAVE_KRB5_ERROR_TEXT_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->text.length, err_ret->text.data);
-#elif defined(HAVE_KRB5_ERROR_E_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->e_data->length,
- (const char *) err_ret->e_data->data);
-#else
-#error "bogus configuration"
-#endif
- }
- else
- {
- printfPQExpBuffer(&conn->errorMessage,
- "krb5_sendauth: %s\n", error_message(retval));
- }
-
- if (err_ret)
- krb5_free_error(info.pg_krb5_context, err_ret);
-
- ret = STATUS_ERROR;
- }
-
- krb5_free_principal(info.pg_krb5_context, server);
-
- if (!pg_set_noblock(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not restore nonblocking mode on socket: %s\n"),
- pqStrerror(errno, sebuf, sizeof(sebuf)));
- ret = STATUS_ERROR;
- }
- pg_krb5_destroy(&info);
-
- return ret;
-}
-#endif /* KRB5 */
-
#ifdef ENABLE_GSS
/*
* GSSAPI authentication system.
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
return STATUS_ERROR;
case AUTH_REQ_KRB5:
-#ifdef KRB5
- pglock_thread();
- if (pg_krb5_sendauth(conn) != STATUS_OK)
- {
- /* Error message already filled in */
- pgunlock_thread();
- return STATUS_ERROR;
- }
- pgunlock_thread();
- break;
-#else
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("Kerberos 5 authentication not supported\n"));
return STATUS_ERROR;
-#endif
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
case AUTH_REQ_GSS:
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 3a9ddf19d7d..fa88c874945 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -278,7 +278,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
/* Kerberos and GSSAPI authentication support specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
"Kerberos-service-name", "", 20,
@@ -2823,7 +2823,7 @@ freePGconn(PGconn *conn)
free(conn->sslcompression);
if (conn->requirepeer)
free(conn->requirepeer);
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
if (conn->krbsrvname)
free(conn->krbsrvname);
#endif
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0fb926bbd45..22bbe4a48eb 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -331,7 +331,7 @@ struct pg_conn
char *sslcrl; /* certificate revocation list filename */
char *requirepeer; /* required peer credentials for local sockets */
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
char *krbsrvname; /* Kerberos service name */
#endif
diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm
index bc52086fc8a..7921596a48f 100644
--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@@ -221,10 +221,6 @@ s{PG_VERSION_STR "[^"]+"}{__STRINGIFY(x) #x\n#define __STRINGIFY2(z) __STRINGIFY
}
if ($self->{options}->{krb5})
{
- print O "#define KRB5 1\n";
- print O "#define HAVE_KRB5_ERROR_TEXT_DATA 1\n";
- print O "#define HAVE_KRB5_TICKET_ENC_PART2 1\n";
- print O "#define HAVE_KRB5_FREE_UNPARSED_NAME 1\n";
print O "#define ENABLE_GSS 1\n";
}
if (my $port = $self->{options}->{"--with-pgport"})
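Review bot: The MSVC option is still keyed as `krb5` but now only emits `#define ENABLE_GSS 1`, while config_default.pl in this same commit drops the `krb5 => undef` entry, so after this change nothing documents how a Windows build enables GSSAPI at all. The GetFakeConfigure hunk below has the same mismatch, reporting `--with-gssapi` for an option still spelled `krb5`. Either keep a documented key in config_default.pl, e.g. `krb5 => undef, # --with-gssapi=<path>` with a comment that it now means GSSAPI, or rename the key to something like `gss` here and in GetFakeConfigure, in which case any other reader of `$self->{options}->{krb5}` (library and include paths in the build scripts, not visible here) would need the same rename. The enclosing sub starts outside this hunk.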
@@ -625,7 +621,7 @@ sub GetFakeConfigure
$cfg .= ' --with-ossp-uuid' if ($self->{options}->{uuid});
$cfg .= ' --with-libxml' if ($self->{options}->{xml});
$cfg .= ' --with-libxslt' if ($self->{options}->{xslt});
- $cfg .= ' --with-krb5' if ($self->{options}->{krb5});
+ $cfg .= ' --with-gssapi' if ($self->{options}->{krb5});
$cfg .= ' --with-tcl' if ($self->{options}->{tcl});
$cfg .= ' --with-perl' if ($self->{options}->{perl});
$cfg .= ' --with-python' if ($self->{options}->{python});
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl
index 2489d3827fd..ebb47ab40e3 100644
--- a/src/tools/msvc/config_default.pl
+++ b/src/tools/msvc/config_default.pl
@@ -15,7 +15,6 @@ our $config = {
tcl => undef, # --with-tls=<path>
perl => undef, # --with-perl
python => undef, # --with-python=<path>
- krb5 => undef, # --with-krb5=<path>
openssl => undef, # --with-ssl=<path>
uuid => undef, # --with-ossp-uuid
xml => undef, # --with-libxml=<path>