Diffstat (limited to 'src')
-rw-r--r--src/backend/libpq/auth.c217
-rw-r--r--src/backend/libpq/hba.c35
-rw-r--r--src/backend/libpq/pg_hba.conf.sample2
-rw-r--r--src/bin/initdb/initdb.c3
-rw-r--r--src/include/libpq/hba.h1
-rw-r--r--src/include/libpq/pqcomm.h2
-rw-r--r--src/include/pg_config.h.in18
-rw-r--r--src/include/pg_config.h.win3215
-rw-r--r--src/interfaces/libpq/fe-auth.c264
-rw-r--r--src/interfaces/libpq/fe-connect.c4
-rw-r--r--src/interfaces/libpq/libpq-int.h2
-rw-r--r--src/tools/msvc/Solution.pm6
-rw-r--r--src/tools/msvc/config_default.pl1
13 files changed, 11 insertions, 559 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 85899159843..882dc8faf1b 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -134,29 +134,6 @@ bool pg_krb_caseins_users;
/*----------------------------------------------------------------
- * MIT Kerberos authentication system - protocol version 5
- *----------------------------------------------------------------
- */
-#ifdef KRB5
-static int pg_krb5_recvauth(Port *port);
-
-#include <krb5.h>
-/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
-#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
-#include <com_err.h>
-#endif
-/*
- * Various krb5 state which is not connection specific, and a flag to
- * indicate whether we have initialised it yet.
- */
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_keytab pg_krb5_keytab;
-static krb5_principal pg_krb5_server;
-#endif /* KRB5 */
-
-
-/*----------------------------------------------------------------
* GSSAPI Authentication
*----------------------------------------------------------------
*/
@@ -257,9 +234,6 @@ auth_failed(Port *port, int status)
case uaImplicitReject:
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
break;
- case uaKrb5:
- errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
- break;
case uaTrust:
errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
break;
@@ -497,15 +471,6 @@ ClientAuthentication(Port *port)
break;
}
- case uaKrb5:
-#ifdef KRB5
- sendAuthRequest(port, AUTH_REQ_KRB5);
- status = pg_krb5_recvauth(port);
-#else
- Assert(false);
-#endif
- break;
-
case uaGSS:
#ifdef ENABLE_GSS
sendAuthRequest(port, AUTH_REQ_GSS);
@@ -735,188 +700,6 @@ recv_and_check_password_packet(Port *port)
}
-/*----------------------------------------------------------------
- * MIT Kerberos authentication system - protocol version 5
- *----------------------------------------------------------------
- */
-#ifdef KRB5
-
-static int
-pg_krb5_init(Port *port)
-{
- krb5_error_code retval;
- char *khostname;
-
- if (pg_krb5_initialised)
- return STATUS_OK;
-
- retval = krb5_init_context(&pg_krb5_context);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos initialization returned error %d",
- retval)));
- com_err("postgres", retval, "while initializing krb5");
- return STATUS_ERROR;
- }
-
- retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos keytab resolving returned error %d",
- retval)));
- com_err("postgres", retval, "while resolving keytab file \"%s\"",
- pg_krb_server_keyfile);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- /*
- * If no hostname was specified, pg_krb_server_hostname is already NULL.
- * If it's set to blank, force it to NULL.
- */
- khostname = port->hba->krb_server_hostname;
- if (khostname && khostname[0] == '\0')
- khostname = NULL;
-
- retval = krb5_sname_to_principal(pg_krb5_context,
- khostname,
- pg_krb_srvnam,
- KRB5_NT_SRV_HST,
- &pg_krb5_server);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d",
- khostname ? khostname : "server hostname", pg_krb_srvnam, retval)));
- com_err("postgres", retval,
- "while getting server principal for server \"%s\" for service \"%s\"",
- khostname ? khostname : "server hostname", pg_krb_srvnam);
- krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
-
- pg_krb5_initialised = 1;
- return STATUS_OK;
-}
-
-
-/*
- * pg_krb5_recvauth -- server routine to receive authentication information
- * from the client
- *
- * We still need to compare the username obtained from the client's setup
- * packet to the authenticated name.
- *
- * We have our own keytab file because postgres is unlikely to run as root,
- * and so cannot read the default keytab.
- */
-static int
-pg_krb5_recvauth(Port *port)
-{
- krb5_error_code retval;
- int ret;
- krb5_auth_context auth_context = NULL;
- krb5_ticket *ticket;
- char *kusername;
- char *cp;
-
- ret = pg_krb5_init(port);
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_recvauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & port->sock, pg_krb_srvnam,
- pg_krb5_server, 0, pg_krb5_keytab, &ticket);
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos recvauth returned error %d",
- retval)));
- com_err("postgres", retval, "from krb5_recvauth");
- return STATUS_ERROR;
- }
-
- /*
- * The "client" structure comes out of the ticket and is therefore
- * authenticated. Use it to check the username obtained from the
- * postmaster startup packet.
- */
-#if defined(HAVE_KRB5_TICKET_ENC_PART2)
- retval = krb5_unparse_name(pg_krb5_context,
- ticket->enc_part2->client, &kusername);
-#elif defined(HAVE_KRB5_TICKET_CLIENT)
- retval = krb5_unparse_name(pg_krb5_context,
- ticket->client, &kusername);
-#else
-#error "bogus configuration"
-#endif
- if (retval)
- {
- ereport(LOG,
- (errmsg("Kerberos unparse_name returned error %d",
- retval)));
- com_err("postgres", retval, "while unparsing client name");
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- return STATUS_ERROR;
- }
-
- cp = strchr(kusername, '@');
- if (cp)
- {
- /*
- * If we are not going to include the realm in the username that is
- * passed to the ident map, destructively modify it here to remove the
- * realm. Then advance past the separator to check the realm.
- */
- if (!port->hba->include_realm)
- *cp = '\0';
- cp++;
-
- if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
- {
- /* Match realm against configured */
- if (pg_krb_caseins_users)
- ret = pg_strcasecmp(port->hba->krb_realm, cp);
- else
- ret = strcmp(port->hba->krb_realm, cp);
-
- if (ret)
- {
- elog(DEBUG2,
- "krb5 realm (%s) and configured realm (%s) don't match",
- cp, port->hba->krb_realm);
-
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- return STATUS_ERROR;
- }
- }
- }
- else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
- {
- elog(DEBUG2,
- "krb5 did not return realm but realm matching was requested");
-
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- return STATUS_ERROR;
- }
-
- ret = check_usermap(port->hba->usermap, port->user_name, kusername,
- pg_krb_caseins_users);
-
- krb5_free_ticket(pg_krb5_context, ticket);
- krb5_auth_con_free(pg_krb5_context, auth_context);
- free(kusername);
-
- return ret;
-}
-#endif /* KRB5 */
-
/*----------------------------------------------------------------
* GSSAPI authentication system
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index ae25cf873f5..77434f410ae 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1177,12 +1177,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
parsedline->auth_method = uaPeer;
else if (strcmp(token->string, "password") == 0)
parsedline->auth_method = uaPassword;
- else if (strcmp(token->string, "krb5") == 0)
-#ifdef KRB5
- parsedline->auth_method = uaKrb5;
-#else
- unsupauth = "krb5";
-#endif
else if (strcmp(token->string, "gss") == 0)
#ifdef ENABLE_GSS
parsedline->auth_method = uaGSS;
@@ -1262,17 +1256,6 @@ parse_hba_line(List *line, int line_num, char *raw_line)
/* Invalid authentication combinations */
if (parsedline->conntype == ctLocal &&
- parsedline->auth_method == uaKrb5)
- {
- ereport(LOG,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("krb5 authentication is not supported on local sockets"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, HbaFileName)));
- return NULL;
- }
-
- if (parsedline->conntype == ctLocal &&
parsedline->auth_method == uaGSS)
{
ereport(LOG,
@@ -1417,11 +1400,10 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
{
if (hbaline->auth_method != uaIdent &&
hbaline->auth_method != uaPeer &&
- hbaline->auth_method != uaKrb5 &&
hbaline->auth_method != uaGSS &&
hbaline->auth_method != uaSSPI &&
hbaline->auth_method != uaCert)
- INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi, and cert"));
+ INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert"));
hbaline->usermap = pstrdup(val);
}
else if (strcmp(name, "clientcert") == 0)
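Review bot: The reworded hint still names the method `gssapi`, while the keyword parse_hba_line compares against is `gss` and the sample file also lists "gss", so an administrator reading this error is pointed at a name the parser may not accept. Since the string has to be retranslated anyway, I would write `gettext_noop("ident, peer, gss, sspi, and cert")` here, and likewise `gettext_noop("gss and sspi")` in the krb_realm and include_realm messages in the next hunk. INVALID_AUTH_OPTION is defined outside this hunk, so how the text is finally rendered is assumed from its use here.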
@@ -1578,25 +1560,18 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap");
hbaline->ldapsuffix = pstrdup(val);
}
- else if (strcmp(name, "krb_server_hostname") == 0)
- {
- REQUIRE_AUTH_OPTION(uaKrb5, "krb_server_hostname", "krb5");
- hbaline->krb_server_hostname = pstrdup(val);
- }
else if (strcmp(name, "krb_realm") == 0)
{
- if (hbaline->auth_method != uaKrb5 &&
- hbaline->auth_method != uaGSS &&
+ if (hbaline->auth_method != uaGSS &&
hbaline->auth_method != uaSSPI)
- INVALID_AUTH_OPTION("krb_realm", gettext_noop("krb5, gssapi, and sspi"));
+ INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi"));
hbaline->krb_realm = pstrdup(val);
}
else if (strcmp(name, "include_realm") == 0)
{
- if (hbaline->auth_method != uaKrb5 &&
- hbaline->auth_method != uaGSS &&
+ if (hbaline->auth_method != uaGSS &&
hbaline->auth_method != uaSSPI)
- INVALID_AUTH_OPTION("include_realm", gettext_noop("krb5, gssapi, and sspi"));
+ INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi"));
if (strcmp(val, "1") == 0)
hbaline->include_realm = true;
else
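Review bot: With the `krb_server_hostname` branch gone, nothing visible in this commit writes or reads `hbaline->krb_server_hostname` any more. Its only reader, the backend pg_krb5_init(), is deleted in auth.c, and the diffstat shows hba.h losing just the `uaKrb5` line, so the struct member appears to be left behind unused. I would drop the member from HbaLine in the same commit, or mark it with `/* unused since krb5 removal */`. It is also worth confirming outside this hunk that a pg_hba.conf line still using `krb_server_hostname=` or method `krb5` is rejected with a clear message, and that the upgrade notes tell administrators to move such entries to `gss` first. parse_hba_auth_opt starts and ends outside the hunk.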
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index a12ba26ad57..86a89edf9ad 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -43,7 +43,7 @@
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
-# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
+# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index a9aa7a487f6..7e934b75abb 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -76,9 +76,6 @@ static const char *auth_methods_host[] = {"trust", "reject", "md5", "password",
#ifdef ENABLE_SSPI
"sspi",
#endif
-#ifdef KRB5
- "krb5",
-#endif
#ifdef USE_PAM
"pam", "pam ",
#endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 73ae5105eb9..5a103aed195 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -20,7 +20,6 @@ typedef enum UserAuth
{
uaReject,
uaImplicitReject,
- uaKrb5,
uaTrust,
uaIdent,
uaPassword,
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index 0be839c23cc..969fe5e105d 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -164,7 +164,7 @@ extern bool Db_user_namespace;
#define AUTH_REQ_OK 0 /* User is authenticated */
#define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */
-#define AUTH_REQ_KRB5 2 /* Kerberos V5 */
+#define AUTH_REQ_KRB5 2 /* Kerberos V5. Not supported any more. */
#define AUTH_REQ_PASSWORD 3 /* Password */
#define AUTH_REQ_CRYPT 4 /* crypt password. Not supported any more. */
#define AUTH_REQ_MD5 5 /* md5 password */
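Review bot: The updated comment on `AUTH_REQ_KRB5` says the method is gone but not that code 2 has to stay reserved, which is the reason the define is kept at all. An older server can still send this request code, and pg_fe_sendauth in fe-auth.c still switches on it to produce the "not supported" error. Reusing the number for a new method would make old and new peers disagree about what is being negotiated. I would spell that out, e.g. `/* Kerberos V5. Not supported any more; value stays reserved. */`, and the same wording would suit `AUTH_REQ_KRB4` and `AUTH_REQ_CRYPT`.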
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 64717dfcd41..0bade28b972 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -260,21 +260,6 @@
/* Define to 1 if you have isinf(). */
#undef HAVE_ISINF
-/* Define to 1 if `e_data' is a member of `krb5_error'. */
-#undef HAVE_KRB5_ERROR_E_DATA
-
-/* Define to 1 if `text.data' is a member of `krb5_error'. */
-#undef HAVE_KRB5_ERROR_TEXT_DATA
-
-/* Define to 1 if you have krb5_free_unparsed_name. */
-#undef HAVE_KRB5_FREE_UNPARSED_NAME
-
-/* Define to 1 if `client' is a member of `krb5_ticket'. */
-#undef HAVE_KRB5_TICKET_CLIENT
-
-/* Define to 1 if `enc_part2' is a member of `krb5_ticket'. */
-#undef HAVE_KRB5_TICKET_ENC_PART2
-
/* Define to 1 if you have the <langinfo.h> header file. */
#undef HAVE_LANGINFO_H
@@ -656,9 +641,6 @@
/* Define to the appropriate snprintf format for 64-bit ints. */
#undef INT64_FORMAT
-/* Define to build with Kerberos 5 support. (--with-krb5) */
-#undef KRB5
-
/* Define to 1 if `locale_t' requires <xlocale.h>. */
#undef LOCALE_T_IN_XLOCALE
diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32
index b69414fd484..19ef4c1a9fb 100644
--- a/src/include/pg_config.h.win32
+++ b/src/include/pg_config.h.win32
@@ -193,18 +193,6 @@
/* Define to 1 if you have isinf(). */
#define HAVE_ISINF 1
-/* Define to 1 if `e_data' is member of `krb5_error'. */
-/* #undef HAVE_KRB5_ERROR_E_DATA */
-
-/* Define to 1 if `text.data' is member of `krb5_error'. */
-/* #undef HAVE_KRB5_ERROR_TEXT_DATA */
-
-/* Define to 1 if `client' is member of `krb5_ticket'. */
-/* #undef HAVE_KRB5_TICKET_CLIENT */
-
-/* Define to 1 if `enc_part2' is member of `krb5_ticket'. */
-/* #undef HAVE_KRB5_TICKET_ENC_PART2 */
-
/* Define to 1 if you have the <langinfo.h> header file. */
/* #undef HAVE_LANGINFO_H */
@@ -541,9 +529,6 @@
/* Define to the appropriate snprintf format for 64-bit ints, if any. */
#define INT64_FORMAT "%lld"
-/* Define to build with Kerberos 5 support. (--with-krb5) */
-/* #undef KRB5 */
-
/* Define to 1 if `locale_t' requires <xlocale.h>. */
/* #undef LOCALE_T_IN_XLOCALE */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 91f7c501c78..e10c9709108 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -43,258 +43,6 @@
#include "libpq/md5.h"
-#ifdef KRB5
-/*
- * MIT Kerberos authentication system - protocol version 5
- */
-
-#include <krb5.h>
-/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
-#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
-#include <com_err.h>
-#endif
-
-/*
- * Heimdal doesn't have a free function for unparsed names. Just pass it to
- * standard free() which should work in these cases.
- */
-#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
-static void
-krb5_free_unparsed_name(krb5_context context, char *val)
-{
- free(val);
-}
-#endif
-
-/*
- * pg_an_to_ln -- return the local name corresponding to an authentication
- * name
- *
- * XXX Assumes that the first aname component is the user name. This is NOT
- * necessarily so, since an aname can actually be something out of your
- * worst X.400 nightmare, like
- * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
- * Note that the MIT an_to_ln code does the same thing if you don't
- * provide an aname mapping database...it may be a better idea to use
- * krb5_an_to_ln, except that it punts if multiple components are found,
- * and we can't afford to punt.
- *
- * For WIN32, convert username to lowercase because the Win32 kerberos library
- * generates tickets with the username as the user entered it instead of as
- * it is entered in the directory.
- */
-static char *
-pg_an_to_ln(char *aname)
-{
- char *p;
-
- if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
- *p = '\0';
-#ifdef WIN32
- for (p = aname; *p; p++)
- *p = pg_tolower((unsigned char) *p);
-#endif
-
- return aname;
-}
-
-
-/*
- * Various krb5 state which is not connection specific, and a flag to
- * indicate whether we have initialised it yet.
- */
-/*
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_ccache pg_krb5_ccache;
-static krb5_principal pg_krb5_client;
-static char *pg_krb5_name;
-*/
-
-struct krb5_info
-{
- int pg_krb5_initialised;
- krb5_context pg_krb5_context;
- krb5_ccache pg_krb5_ccache;
- krb5_principal pg_krb5_client;
- char *pg_krb5_name;
-};
-
-
-static int
-pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info)
-{
- krb5_error_code retval;
-
- if (info->pg_krb5_initialised)
- return STATUS_OK;
-
- retval = krb5_init_context(&(info->pg_krb5_context));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_init_context: %s\n",
- error_message(retval));
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_default: %s\n",
- error_message(retval));
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache,
- &(info->pg_krb5_client));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_get_principal: %s\n",
- error_message(retval));
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_unparse_name: %s\n",
- error_message(retval));
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name);
-
- info->pg_krb5_initialised = 1;
- return STATUS_OK;
-}
-
-static void
-pg_krb5_destroy(struct krb5_info * info)
-{
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name);
- krb5_free_context(info->pg_krb5_context);
-}
-
-
-/*
- * pg_krb5_sendauth -- client routine to send authentication information to
- * the server
- */
-static int
-pg_krb5_sendauth(PGconn *conn)
-{
- krb5_error_code retval;
- int ret;
- krb5_principal server;
- krb5_auth_context auth_context = NULL;
- krb5_error *err_ret = NULL;
- struct krb5_info info;
-
- info.pg_krb5_initialised = 0;
-
- if (!(conn->pghost && conn->pghost[0] != '\0'))
- {
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("host name must be specified\n"));
- return STATUS_ERROR;
- }
-
- ret = pg_krb5_init(&conn->errorMessage, &info);
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost,
- conn->krbsrvname,
- KRB5_NT_SRV_HST, &server);
- if (retval)
- {
- printfPQExpBuffer(&conn->errorMessage,
- "pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
- error_message(retval));
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- /*
- * libpq uses a non-blocking socket. But kerberos needs a blocking socket,
- * and we have to block somehow to do mutual authentication anyway. So we
- * temporarily make it blocking.
- */
- if (!pg_set_block(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
- krb5_free_principal(info.pg_krb5_context, server);
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- retval = krb5_sendauth(info.pg_krb5_context, &auth_context,
- (krb5_pointer) & conn->sock, (char *) conn->krbsrvname,
- info.pg_krb5_client, server,
- AP_OPTS_MUTUAL_REQUIRED,
- NULL, 0, /* no creds, use ccache instead */
- info.pg_krb5_ccache, &err_ret, NULL, NULL);
- if (retval)
- {
- if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
- {
-#if defined(HAVE_KRB5_ERROR_TEXT_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->text.length, err_ret->text.data);
-#elif defined(HAVE_KRB5_ERROR_E_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->e_data->length,
- (const char *) err_ret->e_data->data);
-#else
-#error "bogus configuration"
-#endif
- }
- else
- {
- printfPQExpBuffer(&conn->errorMessage,
- "krb5_sendauth: %s\n", error_message(retval));
- }
-
- if (err_ret)
- krb5_free_error(info.pg_krb5_context, err_ret);
-
- ret = STATUS_ERROR;
- }
-
- krb5_free_principal(info.pg_krb5_context, server);
-
- if (!pg_set_noblock(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not restore nonblocking mode on socket: %s\n"),
- pqStrerror(errno, sebuf, sizeof(sebuf)));
- ret = STATUS_ERROR;
- }
- pg_krb5_destroy(&info);
-
- return ret;
-}
-#endif /* KRB5 */
-
#ifdef ENABLE_GSS
/*
* GSSAPI authentication system.
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
return STATUS_ERROR;
case AUTH_REQ_KRB5:
-#ifdef KRB5
- pglock_thread();
- if (pg_krb5_sendauth(conn) != STATUS_OK)
- {
- /* Error message already filled in */
- pgunlock_thread();
- return STATUS_ERROR;
- }
- pgunlock_thread();
- break;
-#else
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("Kerberos 5 authentication not supported\n"));
return STATUS_ERROR;
-#endif
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
case AUTH_REQ_GSS:
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 3a9ddf19d7d..fa88c874945 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -278,7 +278,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
"Require-Peer", "", 10,
offsetof(struct pg_conn, requirepeer)},
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
/* Kerberos and GSSAPI authentication support specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
"Kerberos-service-name", "", 20,
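Review bot: Narrowing this guard means a libpq built with neither ENABLE_GSS nor ENABLE_SSPI no longer has a `krbsrvname` entry in PQconninfoOptions, so a build that previously relied on KRB5 alone changes which connection keywords it knows. How an unknown keyword is handled is decided outside this hunk, but presumably a connection string that still sets `krbsrvname` starts failing on such builds, which deserves a line in the release notes. The same guard change is made in freePGconn and in struct pg_conn (libpq-int.h). The three must stay in step, since the option table presumably stores the field offset as the `requirepeer` entry above does.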
@@ -2823,7 +2823,7 @@ freePGconn(PGconn *conn)
free(conn->sslcompression);
if (conn->requirepeer)
free(conn->requirepeer);
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
if (conn->krbsrvname)
free(conn->krbsrvname);
#endif
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0fb926bbd45..22bbe4a48eb 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -331,7 +331,7 @@ struct pg_conn
char *sslcrl; /* certificate revocation list filename */
char *requirepeer; /* required peer credentials for local sockets */
-#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
char *krbsrvname; /* Kerberos service name */
#endif
diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm
index bc52086fc8a..7921596a48f 100644
--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@@ -221,10 +221,6 @@ s{PG_VERSION_STR "[^"]+"}{__STRINGIFY(x) #x\n#define __STRINGIFY2(z) __STRINGIFY
}
if ($self->{options}->{krb5})
{
- print O "#define KRB5 1\n";
- print O "#define HAVE_KRB5_ERROR_TEXT_DATA 1\n";
- print O "#define HAVE_KRB5_TICKET_ENC_PART2 1\n";
- print O "#define HAVE_KRB5_FREE_UNPARSED_NAME 1\n";
print O "#define ENABLE_GSS 1\n";
}
if (my $port = $self->{options}->{"--with-pgport"})
@@ -625,7 +621,7 @@ sub GetFakeConfigure
$cfg .= ' --with-ossp-uuid' if ($self->{options}->{uuid});
$cfg .= ' --with-libxml' if ($self->{options}->{xml});
$cfg .= ' --with-libxslt' if ($self->{options}->{xslt});
- $cfg .= ' --with-krb5' if ($self->{options}->{krb5});
+ $cfg .= ' --with-gssapi' if ($self->{options}->{krb5});
$cfg .= ' --with-tcl' if ($self->{options}->{tcl});
$cfg .= ' --with-perl' if ($self->{options}->{perl});
$cfg .= ' --with-python' if ($self->{options}->{python});
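Review bot: Both Solution.pm hunks still key off `$self->{options}->{krb5}`, but this commit removes the `krb5` entry from config_default.pl. The switch that turns on `ENABLE_GSS` and `--with-gssapi` therefore has no documented default any more and still carries the name of the method being removed. Unless a GSSAPI key exists elsewhere in the config, I would rename the option in both places, e.g. `if ($self->{options}->{gss})` with a matching `gss => undef, # --with-gssapi=<path>` line in config_default.pl. Otherwise an MSVC build configured from the new defaults ends up with no Kerberos-capable method unless the builder knows to add an undocumented key. GetFakeConfigure continues outside the hunk.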
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl
index 2489d3827fd..ebb47ab40e3 100644
--- a/src/tools/msvc/config_default.pl
+++ b/src/tools/msvc/config_default.pl
@@ -15,7 +15,6 @@ our $config = {
tcl => undef, # --with-tls=<path>
perl => undef, # --with-perl
python => undef, # --with-python=<path>
- krb5 => undef, # --with-krb5=<path>
openssl => undef, # --with-ssl=<path>
uuid => undef, # --with-ossp-uuid
xml => undef, # --with-libxml=<path>