Diffstat (limited to 'src/backend')
-rw-r--r--src/backend/libpq/auth.c100
-rw-r--r--src/backend/libpq/hba.c7
-rw-r--r--src/backend/libpq/pg_hba.conf.sample2
3 files changed, 7 insertions, 102 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a50227068ba..6ca9212c882 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.126 2005/06/27 02:04:24 neilc Exp $
*
*-------------------------------------------------------------------------
*/
@@ -69,83 +69,6 @@ static Port *pam_port_cludge; /* Workaround for passing "Port *port"
* into pam_passwd_conv_proc */
#endif /* USE_PAM */
-#ifdef KRB4
-/*----------------------------------------------------------------
- * MIT Kerberos authentication system - protocol version 4
- *----------------------------------------------------------------
- */
-
-#include "krb.h"
-
-/*
- * pg_krb4_recvauth -- server routine to receive authentication information
- * from the client
- *
- * Nothing unusual here, except that we compare the username obtained from
- * the client's setup packet to the authenticated name. (We have to retain
- * the name in the setup packet since we have to retain the ability to handle
- * unauthenticated connections.)
- */
-static int
-pg_krb4_recvauth(Port *port)
-{
- long krbopts = 0; /* one-way authentication */
- KTEXT_ST clttkt;
- char instance[INST_SZ + 1],
- version[KRB_SENDAUTH_VLEN + 1];
- AUTH_DAT auth_data;
- Key_schedule key_sched;
- int status;
-
- strcpy(instance, "*"); /* don't care, but arg gets expanded
- * anyway */
- status = krb_recvauth(krbopts,
- port->sock,
- &clttkt,
- pg_krb_srvnam,
- instance,
- &port->raddr.in,
- &port->laddr.in,
- &auth_data,
- pg_krb_server_keyfile,
- key_sched,
- version);
- if (status != KSUCCESS)
- {
- ereport(LOG,
- (errmsg("Kerberos error: %s", krb_err_txt[status])));
- return STATUS_ERROR;
- }
- if (strncmp(version, PG_KRB4_VERSION, KRB_SENDAUTH_VLEN) != 0)
- {
- ereport(LOG,
- (errmsg("unexpected Kerberos protocol version received from client (received \"%s\", expected \"%s\")",
- version, PG_KRB4_VERSION)));
- return STATUS_ERROR;
- }
- if (strncmp(port->user_name, auth_data.pname, SM_DATABASE_USER) != 0)
- {
- ereport(LOG,
- (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
- port->user_name, auth_data.pname)));
- return STATUS_ERROR;
- }
- return STATUS_OK;
-}
-
-#else
-
-static int
-pg_krb4_recvauth(Port *port)
-{
- ereport(LOG,
- (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("Kerberos 4 not implemented on this server")));
- return STATUS_ERROR;
-}
-#endif /* KRB4 */
-
-
#ifdef KRB5
/*----------------------------------------------------------------
* MIT Kerberos authentication system - protocol version 5
@@ -252,8 +175,7 @@ pg_krb5_init(void)
* from the client
*
* We still need to compare the username obtained from the client's setup
- * packet to the authenticated name, as described in pg_krb4_recvauth. This
- * is a bit more problematic in v5, as described above in pg_an_to_ln.
+ * packet to the authenticated name.
*
* We have our own keytab file because postgres is unlikely to run as root,
* and so cannot read the default keytab.
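Review bot: The rewritten header comment of pg_krb5_recvauth drops the pointer to pg_an_to_ln together with the Kerberos 4 reference, and the word "still" is left with nothing to refer back to. Comparing the setup-packet username with the authenticated name is the step that decides which identity the session receives, so the v5 caveat is worth keeping if pg_an_to_ln remains in the file (it is not visible in this hunk). Suggested wording: `* We need to compare the username obtained from the client's setup packet to the authenticated name; see the caveats described above in pg_an_to_ln.` The function body lies outside the hunk.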
@@ -380,9 +302,6 @@ auth_failed(Port *port, int status)
case uaReject:
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
break;
- case uaKrb4:
- errstr = gettext_noop("Kerberos 4 authentication failed for user \"%s\"");
- break;
case uaKrb5:
errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
break;
@@ -461,27 +380,16 @@ ClientAuthentication(Port *port)
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
hostinfo, port->user_name, port->database_name,
- port->ssl ? _("SSL on") : _("SSL off"))));
+ port->ssl ? _("SSL on") : _("SSL off"))));
#else
ereport(FATAL,
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
- hostinfo, port->user_name, port->database_name)));
+ hostinfo, port->user_name, port->database_name)));
#endif
break;
}
- case uaKrb4:
- /* Kerberos 4 only seems to work with AF_INET. */
- if (port->raddr.addr.ss_family != AF_INET
- || port->laddr.addr.ss_family != AF_INET)
- ereport(FATAL,
- (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("Kerberos 4 only supports IPv4 connections")));
- sendAuthRequest(port, AUTH_REQ_KRB4);
- status = pg_krb4_recvauth(port);
- break;
-
case uaKrb5:
sendAuthRequest(port, AUTH_REQ_KRB5);
status = pg_krb5_recvauth(port);
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index bd9b84cffea..ab5d7e41674 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.141 2005/06/21 01:20:09 neilc Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.142 2005/06/27 02:04:25 neilc Exp $
*
*-------------------------------------------------------------------------
*/
@@ -607,8 +607,6 @@ parse_hba_auth(ListCell **line_item, UserAuth *userauth_p,
*userauth_p = uaIdent;
else if (strcmp(token, "password") == 0)
*userauth_p = uaPassword;
- else if (strcmp(token, "krb4") == 0)
- *userauth_p = uaKrb4;
else if (strcmp(token, "krb5") == 0)
*userauth_p = uaKrb5;
else if (strcmp(token, "reject") == 0)
@@ -694,8 +692,7 @@ parse_hba(List *line, int line_num, hbaPort *port,
goto hba_syntax;
/* Disallow auth methods that always need TCP/IP sockets to work */
- if (port->auth_method == uaKrb4 ||
- port->auth_method == uaKrb5)
+ if (port->auth_method == uaKrb5)
goto hba_syntax;
/* Does not match if connection isn't AF_UNIX */
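Review bot: With uaKrb4 gone, the comment above the check in parse_hba still says "auth methods" although the condition now tests only uaKrb5; something like `/* Kerberos 5 always needs a TCP/IP socket, so reject it on a Unix-socket line */` would match the code. The rejection jumps to hba_syntax, whose message is outside this hunk, so the administrator may see only a generic syntax error. The parse_hba_auth hunk before this one removes the `krb4` token in the same way: a pg_hba.conf that still names it presumably falls into that function's final branch, which is also not visible here, so the upgrade notes should tell administrators to replace such lines before restarting.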
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index e13c78c5225..b47ca578ae1 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -35,7 +35,7 @@
# an IP address and netmask in separate columns to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
-# "krb4", "krb5", "ident", or "pam". Note that "password" sends passwords
+# "krb5", "ident", or "pam". Note that "password" sends passwords
# in clear text; "md5" is preferred since it sends encrypted passwords.
#
# OPTION is the ident map or the name of the PAM service, depending on METHOD.