diff options
| author | Stephen Frost <sfrost@snowman.net> | 2023-04-07 21:58:04 -0400 |
|---|---|---|
| committer | Stephen Frost <sfrost@snowman.net> | 2023-04-07 21:58:04 -0400 |
| commit | 3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454 (patch) | |
| tree | f113304aa44d7738041273a8f1ead0a53af0d320 /src/interfaces/libpq/fe-secure-gssapi.c | |
| parent | edc627ae27632ae2be0e435aca02ed38005cb55f (diff) | |
| download | postgresql-3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454.tar.gz postgresql-3d4fa227bce4294ce1cc214b4a9d3b7caa3f0454.zip | |
Add support for Kerberos credential delegation
Support GSSAPI/Kerberos credentials being delegated to the server by a
client. With this, a user authenticating to PostgreSQL using Kerberos
(GSSAPI) credentials can choose to delegate their credentials to the
PostgreSQL server (which can choose to accept them, or not), allowing
the server to then use those delegated credentials to connect to
another service, such as with postgres_fdw or dblink or theoretically
any other service which is able to be authenticated using Kerberos.
Both postgres_fdw and dblink are changed to allow non-superuser
password-less connections but only when GSSAPI credentials have been
delegated to the server by the client and GSSAPI is used to
authenticate to the remote system.
Authors: Stephen Frost, Peifeng Qiu
Reviewed-By: David Christensen
Discussion: https://postgr.es/m/CO1PR05MB8023CC2CB575E0FAAD7DF4F8A8E29@CO1PR05MB8023.namprd05.prod.outlook.com
Diffstat (limited to 'src/interfaces/libpq/fe-secure-gssapi.c')
| -rw-r--r-- | src/interfaces/libpq/fe-secure-gssapi.c | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c index 038e847b7e9..bf87ae3fd1a 100644 --- a/src/interfaces/libpq/fe-secure-gssapi.c +++ b/src/interfaces/libpq/fe-secure-gssapi.c @@ -477,7 +477,8 @@ pqsecure_open_gss(PGconn *conn) { ssize_t ret; OM_uint32 major, - minor; + minor, + gss_flags = GSS_REQUIRED_FLAGS; uint32 netlen; PostgresPollingStatusType result; gss_buffer_desc input = GSS_C_EMPTY_BUFFER, @@ -621,13 +622,30 @@ pqsecure_open_gss(PGconn *conn) if (ret != STATUS_OK) return PGRES_POLLING_FAILED; + if (conn->gssdeleg && pg_strcasecmp(conn->gssdeleg, "enable") == 0) + { + /* Acquire credentials if possbile */ + if (conn->gcred == GSS_C_NO_CREDENTIAL) + (void) pg_GSS_have_cred_cache(&conn->gcred); + + /* + * We have credentials and gssdeleg is enabled, so request credential + * delegation. This may or may not actually result in credentials + * being delegated- it depends on if the forwardable flag has been set + * in the credential and if the server is configured to accept + * delegated credentials. + */ + if (conn->gcred != GSS_C_NO_CREDENTIAL) + gss_flags |= GSS_C_DELEG_FLAG; + } + /* * Call GSS init context, either with an empty input, or with a complete * packet from the server. */ major = gss_init_sec_context(&minor, conn->gcred, &conn->gctx, conn->gtarg_nam, GSS_C_NO_OID, - GSS_REQUIRED_FLAGS, 0, 0, &input, NULL, + gss_flags, 0, 0, &input, NULL, &output, NULL, NULL); /* GSS Init Sec Context uses the whole packet, so clear it */ @@ -647,6 +665,7 @@ pqsecure_open_gss(PGconn *conn) * to do GSS wrapping/unwrapping. */ conn->gssenc = true; + conn->gssapi_used = true; /* Clean up */ gss_release_cred(&minor, &conn->gcred); |