diff options
| -rwxr-xr-x | configure | 48 | ||||
| -rw-r--r-- | configure.in | 14 | ||||
| -rw-r--r-- | doc/src/sgml/client-auth.sgml | 45 | ||||
| -rw-r--r-- | doc/src/sgml/installation.sgml | 11 | ||||
| -rw-r--r-- | src/backend/libpq/auth.c | 54 | ||||
| -rw-r--r-- | src/backend/libpq/hba.c | 6 | ||||
| -rw-r--r-- | src/bin/initdb/initdb.c | 6 | ||||
| -rw-r--r-- | src/include/libpq/hba.h | 1 | ||||
| -rw-r--r-- | src/include/pg_config.h.in | 3 | ||||
| -rw-r--r-- | src/include/pg_config.h.win32 | 3 |
10 files changed, 191 insertions, 0 deletions
diff --git a/configure b/configure index 24655dc0961..e09eb5fb531 100755 --- a/configure +++ b/configure @@ -827,6 +827,7 @@ with_python with_gssapi with_krb_srvnam with_pam +with_bsd_auth with_ldap with_bonjour with_openssl @@ -1516,6 +1517,7 @@ Optional Packages: --with-krb-srvnam=NAME default service principal name in Kerberos (GSSAPI) [postgres] --with-pam build with PAM support + --with-bsd-auth build with BSD Authentication support --with-ldap build with LDAP support --with-bonjour build with Bonjour support --with-openssl build with OpenSSL support @@ -5571,6 +5573,41 @@ $as_echo "$with_pam" >&6; } # +# BSD AUTH +# +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD Authentication support" >&5 +$as_echo_n "checking whether to build with BSD Authentication support... " >&6; } + + + +# Check whether --with-bsd-auth was given. +if test "${with_bsd_auth+set}" = set; then : + withval=$with_bsd_auth; + case $withval in + yes) + +$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h + + ;; + no) + : + ;; + *) + as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5 + ;; + esac + +else + with_bsd_auth=no + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd_auth" >&5 +$as_echo "$with_bsd_auth" >&6; } + + +# # LDAP # { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5 @@ -10524,6 +10561,17 @@ done fi +if test "$with_bsd_auth" = yes ; then + ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default" +if test "x$ac_cv_header_bsd_auth_h" = xyes; then : + +else + as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5 +fi + + +fi + if test "$with_systemd" = yes ; then ac_fn_c_check_header_mongrel "$LINENO" "systemd/sd-daemon.h" "ac_cv_header_systemd_sd_daemon_h" "$ac_includes_default" if test "x$ac_cv_header_systemd_sd_daemon_h" = xyes; then : diff --git a/configure.in b/configure.in index c564a7695fa..bc925d0e1bc 100644 --- a/configure.in +++ b/configure.in @@ -674,6 +674,16 @@ AC_MSG_RESULT([$with_pam]) # +# BSD AUTH +# +AC_MSG_CHECKING([whether to build with BSD Authentication support]) +PGAC_ARG_BOOL(with, bsd-auth, no, + [build with BSD Authentication support], + [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD Authentication support. (--with-bsd-auth)])]) +AC_MSG_RESULT([$with_bsd_auth]) + + +# # LDAP # AC_MSG_CHECKING([whether to build with LDAP support]) @@ -1269,6 +1279,10 @@ if test "$with_pam" = yes ; then [AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])]) fi +if test "$with_bsd_auth" = yes ; then + AC_CHECK_HEADER(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])]) +fi + if test "$with_systemd" = yes ; then AC_CHECK_HEADER(systemd/sd-daemon.h, [], [AC_MSG_ERROR([header file <systemd/sd-daemon.h> is required for systemd support])]) fi diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 7b204fb48e7..28973e2c2b4 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -522,6 +522,16 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> </para> </listitem> </varlistentry> + + <varlistentry> + <term><literal>bsd</></term> + <listitem> + <para> + Authenticate using the BSD Authentication service provided by the + operating system. See <xref linkend="auth-bsd"> for details. + </para> + </listitem> + </varlistentry> </variablelist> </para> @@ -1662,6 +1672,41 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub" </para> </note> </sect2> + + <sect2 id="auth-bsd"> + <title>BSD Authentication</title> + + <indexterm zone="auth-bsd"> + <primary>BSD Authentication</primary> + </indexterm> + + <para> + This authentication method operates similarly to + <literal>password</literal> except that it uses BSD Authentication + to verify the password. BSD Authentication is used only + to validate user name/password pairs. Therefore the user's role must + already exist in the database before BSD Authentication can be used + for authentication. The BSD Authentication framework is currently + only available on OpenBSD. + </para> + + <para> + BSD Authentication in <productname>PostgreSQL</> uses + the <literal>auth-postgresql</literal> login type and authenticates with + the <literal>postgresql</literal> login class if that's defined + in <filename>login.conf</filename>. By default that login class does not + exist, and <productname>PostgreSQL</> will use the default login class. + </para> + + <note> + <para> + To use BSD Authentication, the PostgreSQL user account (that is, the + operating system user running the server) must first be added to + the <literal>auth</literal> group. The <literal>auth</literal> group + exists by default on OpenBSD systems. + </para> + </note> + </sect2> </sect1> <sect1 id="client-authentication-problems"> diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index 1564b8ea04e..a9968756e65 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -793,6 +793,17 @@ su - postgres </varlistentry> <varlistentry> + <term><option>--with-bsd-auth</option></term> + <listitem> + <para> + Build with BSD Authentication support. + (The BSD Authentication framework is + currently only available on OpenBSD.) + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><option>--with-ldap</option></term> <listitem> <para> diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 630762cc6b9..dbba712352f 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -89,6 +89,17 @@ static Port *pam_port_cludge; /* Workaround for passing "Port *port" into /*---------------------------------------------------------------- + * BSD authentication + *---------------------------------------------------------------- + */ +#ifdef USE_BSD_AUTH +#include <bsd_auth.h> + +static int CheckBSDAuth(Port *port, char *user); +#endif /* USE_BSD_AUTH */ + + +/*---------------------------------------------------------------- * LDAP authentication *---------------------------------------------------------------- */ @@ -258,6 +269,9 @@ auth_failed(Port *port, int status, char *logdetail) case uaPAM: errstr = gettext_noop("PAM authentication failed for user \"%s\""); break; + case uaBSD: + errstr = gettext_noop("BSD authentication failed for user \"%s\""); + break; case uaLDAP: errstr = gettext_noop("LDAP authentication failed for user \"%s\""); break; @@ -529,6 +543,14 @@ ClientAuthentication(Port *port) #endif /* USE_PAM */ break; + case uaBSD: +#ifdef USE_BSD_AUTH + status = CheckBSDAuth(port, port->user_name); +#else + Assert(false); +#endif /* USE_BSD_AUTH */ + break; + case uaLDAP: #ifdef USE_LDAP status = CheckLDAPAuth(port); @@ -1856,6 +1878,38 @@ CheckPAMAuth(Port *port, char *user, char *password) #endif /* USE_PAM */ +/*---------------------------------------------------------------- + * BSD authentication system + *---------------------------------------------------------------- + */ +#ifdef USE_BSD_AUTH +static int +CheckBSDAuth(Port *port, char *user) +{ + char *passwd; + int retval; + + /* Send regular password request to client, and get the response */ + sendAuthRequest(port, AUTH_REQ_PASSWORD); + + passwd = recv_password_packet(port); + if (passwd == NULL) + return STATUS_EOF; + + /* + * Ask the BSD auth system to verify password. Note that auth_userokay + * will overwrite the password string with zeroes, but it's just a + * temporary string so we don't care. + */ + retval = auth_userokay(user, NULL, "auth-postgresql", passwd); + + if (!retval) + return STATUS_ERROR; + + return STATUS_OK; +} +#endif /* USE_BSD_AUTH */ + /*---------------------------------------------------------------- * LDAP authentication system diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index 5a397464d75..a4c415da77a 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1190,6 +1190,12 @@ parse_hba_line(List *line, int line_num, char *raw_line) #else unsupauth = "pam"; #endif + else if (strcmp(token->string, "bsd") == 0) +#ifdef USE_BSD_AUTH + parsedline->auth_method = uaBSD; +#else + unsupauth = "bsd"; +#endif else if (strcmp(token->string, "ldap") == 0) #ifdef USE_LDAP parsedline->auth_method = uaLDAP; diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index 18a3826b003..299ddfe86ac 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c @@ -90,6 +90,9 @@ static const char *const auth_methods_host[] = { #ifdef USE_PAM "pam", "pam ", #endif +#ifdef USE_BSD_AUTH + "bsd", +#endif #ifdef USE_LDAP "ldap", #endif @@ -103,6 +106,9 @@ static const char *const auth_methods_local[] = { #ifdef USE_PAM "pam", "pam ", #endif +#ifdef USE_BSD_AUTH + "bsd", +#endif #ifdef USE_LDAP "ldap", #endif diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h index b306baf1a56..58f90fec80d 100644 --- a/src/include/libpq/hba.h +++ b/src/include/libpq/hba.h @@ -27,6 +27,7 @@ typedef enum UserAuth uaGSS, uaSSPI, uaPAM, + uaBSD, uaLDAP, uaCert, uaRADIUS, diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index c72635ca963..b621ff2af57 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -793,6 +793,9 @@ /* Define to 1 to build with Bonjour support. (--with-bonjour) */ #undef USE_BONJOUR +/* Define to 1 to build with BSD Authentication support. (--with-bsd-auth) */ +#undef USE_BSD_AUTH + /* Define to 1 if you want float4 values to be passed by value. (--enable-float4-byval) */ #undef USE_FLOAT4_BYVAL diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32 index eba36df92e0..c135e5146b4 100644 --- a/src/include/pg_config.h.win32 +++ b/src/include/pg_config.h.win32 @@ -613,6 +613,9 @@ /* Define to 1 to build with Bonjour support. (--with-bonjour) */ /* #undef USE_BONJOUR */ +/* Define to 1 to build with BSD Authentication support. (--with-bsd-auth) */ +/* #undef USE_BSD_AUTH */ + /* Define to 1 if you want 64-bit integer timestamp and interval support. (--enable-integer-datetimes) */ /* #undef USE_INTEGER_DATETIMES */ |