
Commit 34c33a1

committed
Add BSD authentication method.
Create a "bsd" auth method that works the same as "password" so far as clients are concerned, but calls the BSD Authentication service to check the password. This is currently only available on OpenBSD. Marisa Emerson, reviewed by Thomas Munro
1 parent af025ee commit 34c33a1


10 files changed

+191
-0
lines changed


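--- a/configure
+++ b/configure
@@ -827,6 +827,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1516,6 +1517,7 @@ Optional Packages:
 --with-krb-srvnam=NAME default service principal name in Kerberos (GSSAPI)
 [postgres]
 --with-pam build with PAM support
+--with-bsd-auth build with BSD Authentication support
 --with-ldap build with LDAP support
 --with-bonjour build with Bonjour support
 --with-openssl build with OpenSSL support
@@ -5570,6 +5572,41 @@ fi
 $as_echo "$with_pam" >&6; }
 
 
+#
+# BSD AUTH
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD Authentication support" >&5
+$as_echo_n "checking whether to build with BSD Authentication support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+withval=$with_bsd_auth;
+case $withval in
+yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+;;
+no)
+:
+;;
+*)
+as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+;;
+esac
+
+else
+with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd_auth" >&5
+$as_echo "$with_bsd_auth" >&6; }
+
+
 #
 # LDAP
 #
@@ -10522,6 +10559,17 @@ fi
 
 done
 
+fi
+
+if test "$with_bsd_auth" = yes ; then
+ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+
+else
+as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5
+fi
+
+
 fi
 
 if test "$with_systemd" = yes ; then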

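--- a/configure.in
+++ b/configure.in
@@ -673,6 +673,16 @@ PGAC_ARG_BOOL(with, pam, no,
 AC_MSG_RESULT([$with_pam])
 
 
+#
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD Authentication support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+[build with BSD Authentication support],
+[AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD Authentication support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd_auth])
+
+
 #
 # LDAP
 #
@@ -1269,6 +1279,10 @@ if test "$with_pam" = yes ; then
 [AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])])
 fi
 
+if test "$with_bsd_auth" = yes ; then
+AC_CHECK_HEADER(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])])
+fi
+
 if test "$with_systemd" = yes ; then
 AC_CHECK_HEADER(systemd/sd-daemon.h, [], [AC_MSG_ERROR([header file <systemd/sd-daemon.h> is required for systemd support])])
 fi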

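--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -522,6 +522,16 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
 </para>
 </listitem>
 </varlistentry>
+
+<varlistentry>
+<term><literal>bsd</></term>
+<listitem>
+<para>
+Authenticate using the BSD Authentication service provided by the
+operating system. See <xref linkend="auth-bsd"> for details.
+</para>
+</listitem>
+</varlistentry>
 </variablelist>
 
 </para>
@@ -1662,6 +1672,41 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
 </para>
 </note>
 </sect2>
+
+<sect2 id="auth-bsd">
+<title>BSD Authentication</title>
+
+<indexterm zone="auth-bsd">
+<primary>BSD Authentication</primary>
+</indexterm>
+
+<para>
+This authentication method operates similarly to
+<literal>password</literal> except that it uses BSD Authentication
+to verify the password. BSD Authentication is used only
+to validate user name/password pairs. Therefore the user's role must
+already exist in the database before BSD Authentication can be used
+for authentication. The BSD Authentication framework is currently
+only available on OpenBSD.
+</para>
+
+<para>
+BSD Authentication in <productname>PostgreSQL</> uses
+the <literal>auth-postgresql</literal> login type and authenticates with
+the <literal>postgresql</literal> login class if that's defined
+in <filename>login.conf</filename>. By default that login class does not
+exist, and <productname>PostgreSQL</> will use the default login class.
+</para>
+
+<note>
+<para>
+To use BSD Authentication, the PostgreSQL user account (that is, the
+operating system user running the server) must first be added to
+the <literal>auth</literal> group. The <literal>auth</literal> group
+exists by default on OpenBSD systems.
+</para>
+</note>
+</sect2>
 </sect1>
 
 <sect1 id="client-authentication-problems">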

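--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -792,6 +792,17 @@ su - postgres
 </listitem>
 </varlistentry>
 
+<varlistentry>
+<term><option>--with-bsd-auth</option></term>
+<listitem>
+<para>
+Build with BSD Authentication support.
+(The BSD Authentication framework is
+currently only available on OpenBSD.)
+</para>
+</listitem>
+</varlistentry>
+
 <varlistentry>
 <term><option>--with-ldap</option></term>
 <listitem>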

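--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -88,6 +88,17 @@ static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
 #endif /* USE_PAM */
 
 
+/*----------------------------------------------------------------
+* BSD authentication
+*----------------------------------------------------------------
+*/
+#ifdef USE_BSD_AUTH
+#include <bsd_auth.h>
+
+static int CheckBSDAuth(Port *port, char *user);
+#endif /* USE_BSD_AUTH */
+
+
 /*----------------------------------------------------------------
 * LDAP authentication
 *----------------------------------------------------------------
@@ -258,6 +269,9 @@ auth_failed(Port *port, int status, char *logdetail)
 case uaPAM:
 errstr = gettext_noop("PAM authentication failed for user \"%s\"");
 break;
+case uaBSD:
+errstr = gettext_noop("BSD authentication failed for user \"%s\"");
+break;
 case uaLDAP:
 errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
 break;
@@ -529,6 +543,14 @@ ClientAuthentication(Port *port)
 #endif /* USE_PAM */
 break;
 
+case uaBSD:
+#ifdef USE_BSD_AUTH
+status = CheckBSDAuth(port, port->user_name);
+#else
+Assert(false);
+#endif /* USE_BSD_AUTH */
+break;
+
 case uaLDAP:
 #ifdef USE_LDAP
 status = CheckLDAPAuth(port);
@@ -1856,6 +1878,38 @@ CheckPAMAuth(Port *port, char *user, char *password)
 #endif /* USE_PAM */
 
 
+/*----------------------------------------------------------------
+* BSD authentication system
+*----------------------------------------------------------------
+*/
+#ifdef USE_BSD_AUTH
+static int
+CheckBSDAuth(Port *port, char *user)
+{
+char *passwd;
+int retval;
+
+/* Send regular password request to client, and get the response */
+sendAuthRequest(port, AUTH_REQ_PASSWORD);
+
+passwd = recv_password_packet(port);
+if (passwd == NULL)
+return STATUS_EOF;
+
+/*
+* Ask the BSD auth system to verify password. Note that auth_userokay
+* will overwrite the password string with zeroes, but it's just a
+* temporary string so we don't care.
+*/
+retval = auth_userokay(user, NULL, "auth-postgresql", passwd);
+
+if (!retval)
+return STATUS_ERROR;
+
+return STATUS_OK;
+}
+#endif /* USE_BSD_AUTH */
+
 
 /*----------------------------------------------------------------
 * LDAP authentication system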
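--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1189,6 +1189,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 parsedline->auth_method = uaPAM;
 #else
 unsupauth = "pam";
+#endif
+else if (strcmp(token->string, "bsd") == 0)
+#ifdef USE_BSD_AUTH
+parsedline->auth_method = uaBSD;
+#else
+unsupauth = "bsd";
 #endif
 else if (strcmp(token->string, "ldap") == 0)
 #ifdef USE_LDAP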

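--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -90,6 +90,9 @@ static const char *const auth_methods_host[] = {
 #ifdef USE_PAM
 "pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+"bsd",
+#endif
 #ifdef USE_LDAP
 "ldap",
 #endif
@@ -103,6 +106,9 @@ static const char *const auth_methods_local[] = {
 #ifdef USE_PAM
 "pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+"bsd",
+#endif
 #ifdef USE_LDAP
 "ldap",
 #endif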

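--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -27,6 +27,7 @@ typedef enum UserAuth
 uaGSS,
 uaSSPI,
 uaPAM,
+uaBSD,
 uaLDAP,
 uaCert,
 uaRADIUS,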

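--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -793,6 +793,9 @@
 /* Define to 1 to build with Bonjour support. (--with-bonjour) */
 #undef USE_BONJOUR
 
+/* Define to 1 to build with BSD Authentication support. (--with-bsd-auth) */
+#undef USE_BSD_AUTH
+
 /* Define to 1 if you want float4 values to be passed by value.
 (--enable-float4-byval) */
 #undef USE_FLOAT4_BYVAL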

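--- a/src/include/pg_config.h.win32
+++ b/src/include/pg_config.h.win32
@@ -613,6 +613,9 @@
 /* Define to 1 to build with Bonjour support. (--with-bonjour) */
 /* #undef USE_BONJOUR */
 
+/* Define to 1 to build with BSD Authentication support. (--with-bsd-auth) */
+/* #undef USE_BSD_AUTH */
+
 /* Define to 1 if you want 64-bit integer timestamp and interval support.
 (--enable-integer-datetimes) */
 /* #undef USE_INTEGER_DATETIMES */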
