-Edit postgresql-7.0RC5/src/Makefile.global.in. Change PG_KRB_SRVTAB to
-somewhere useful for you, and PG_KRB_SRVNAM to whatever you want your
-postgres kerberos service called.
+From pgsql-patches-owner@hub.org Mon May 8 13:28:54 2000
+Received: from walter.doc.ic.ac.uk (IDENT:VjgMrPQKQlAhOUagIW0/IaLLtzgPtWaj@walter.doc.ic.ac.uk [146.169.2.50])
+ by hub.org (8.9.3/8.9.3) with ESMTP id NAA78580
+ for <pgsql-patches@postgresql.org>; Mon, 8 May 2000 13:27:41 -0400 (EDT)
+ (envelope-from mw@doc.ic.ac.uk)
+Received: from [146.169.51.42] (helo=kungfu.doc.ic.ac.uk ident=mw)
+ by walter.doc.ic.ac.uk with esmtp (Exim 1.890 #1)
+ for pgsql-patches@postgresql.org
+ id 12orKe-0000J8-00; Mon, 8 May 2000 18:28:36 +0100
+Date: Mon, 8 May 2000 18:27:40 +0100 (BST)
+From: Mike Wyer <mw@doc.ic.ac.uk>
+To: pgsql-patches@postgresql.org
+Subject: kerberos 5 patch against 7.0RC5
+Message-ID: <Pine.LNX.4.21.0005081804430.1265-100000@kungfu.doc.ic.ac.uk>
+MIME-Version: 1.0
+Content-Type: TEXT/PLAIN; charset=US-ASCII
+X-Archive-Number: 200005/24
+Status: ORr
+
+You can find it after my sig. Hideous abuse of netiquette, but needs
+must ...
+
+Most (nearly all) of the work was done by David Wragg <dpw@doc.ic.ac.uk>
+
+He patched 6.5.3. I've updated it for 7.0RC5.
+
+It works for MIT kerberos 1.1.1 (and previously for 1.0.6 as well).
+
+I've got the patch against 6.5.3, plus kerberized RPMS.
+
+Install:
+
+Assuming postgresql-7.0RC5 is in /usr/local/src
+
+cd /usr/local/src
+patch -p0 < krb5-patch
+
+Edit postgresql-7.0RC5/src/Makefile.global.in
+Change PG_KRB_SRVTAB to somewhere useful for you, and PG_KRB_SRVNAM to
+whatever you want your postgres kerberos service called.
make and install PostgreSQL.
-Generate the keytab (PG_KRB_SRVTAB): kadmin% ank -randkey
-postgres/server.my.domain.org kadmin% ktadd -k krb5.keytab
-postgres/server.my.domain.org
+Generate the keytab (PG_KRB_SRVTAB):
+kadmin% ank -randkey postgres/server.my.domain.org
+kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org
-Make sure the keytab is read-only to the postgres user. Make sure your
-client binaries can see the new libraries.
+Make sure the keytab is read-only to the postgres user.
+Make sure your client binaries can see the new libraries.
edit pg_hba.conf and change the authentication method to krb5.
mod_perl script. This gives secure database access over the web. No
extra passwords required.
-Mike Wyer <mw@doc.ic.ac.uk>
+Cheers,
+
+Mike Wyer,
+Department of Computing, Imperial College
+--
+Mike Wyer <mw@doc.ic.ac.uk> || "Woof?"
+http://www.doc.ic.ac.uk/~mw || Gaspode the Wonder Dog
+Work: 020 7594 8440 || from "Moving Pictures"
+Mobile: 07879 697119 || by Terry Pratchett
+
+
+===========================8<----------------------------------------------
+
+diff -u -r postgresql-7.0RC5/src/Makefile.global.in postgresql-7.0RC5.krb5/src/Makefile.global.in
+--- postgresql-7.0RC5/src/Makefile.global.in Mon May 8 17:22:40 2000
++++ postgresql-7.0RC5.krb5/src/Makefile.global.in Sat May 6 17:23:49 2000
+@@ -120,7 +120,7 @@
+ # Set KRBVERS to "4" for Kerberos v4, "5" for Kerberos v5.
+ # XXX Edit the default Kerberos variables below!
+ #
+-#KRBVERS= 5
++KRBVERS=5
+
+ # Globally pass Kerberos file locations.
+ # these are used in the postmaster and all libpq applications.
+@@ -132,9 +132,9 @@
+ # PG_KRB_SRVTAB is the location of the server's keytab file.
+ #
+ ifdef KRBVERS
+-KRBINCS= -I/usr/athena/include
+-KRBLIBS= -L/usr/athena/lib
+-KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres_dbms"'
++KRBINCS= -I/usr/krb5/include
++KRBLIBS= -L/usr/krb5/lib
++KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres"'
+ ifeq ($(KRBVERS), 4)
+ KRBFLAGS+= -DKRB4
+ KRBFLAGS+= -DPG_KRB_SRVTAB='"/etc/srvtab"'
+@@ -142,8 +142,8 @@
+ else
+ ifeq ($(KRBVERS), 5)
+ KRBFLAGS+= -DKRB5
+-KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/krb5/srvtab.postgres"'
+-KRBLIBS+= -lkrb5 -lcrypto -lcom_err -lisode
++KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/usr/local/postgres/krb5.keytab"'
++KRBLIBS+= -lkrb5 -lcrypto -lcom_err
+ endif
+ endif
+ endif
+diff -u -r postgresql-7.0RC5/src/backend/libpq/auth.c postgresql-7.0RC5.krb5/src/backend/libpq/auth.c
+--- postgresql-7.0RC5/src/backend/libpq/auth.c Mon May 8 17:22:40 2000
++++ postgresql-7.0RC5.krb5/src/backend/libpq/auth.c Sat May 6 17:17:13 2000
+@@ -149,7 +149,8 @@
+ *----------------------------------------------------------------
+ */
+
+-#include "krb5/krb5.h"
++#include <krb5.h>
++#include <com_err.h>
+
+ /*
+ * pg_an_to_ln -- return the local name corresponding to an authentication
+@@ -174,130 +175,134 @@
+ return aname;
+ }
+
++
+ /*
+- * pg_krb5_recvauth -- server routine to receive authentication information
+- * from the client
+- *
+- * We still need to compare the username obtained from the client's setup
+- * packet to the authenticated name, as described in pg_krb4_recvauth. This
+- * is a bit more problematic in v5, as described above in pg_an_to_ln.
+- *
+- * In addition, as described above in pg_krb5_sendauth, we still need to
+- * canonicalize the server name v4-style before constructing a principal
+- * from it. Again, this is kind of iffy.
+- *
+- * Finally, we need to tangle with the fact that v5 doesn't let you explicitly
+- * set server keytab file names -- you have to feed lower-level routines a
+- * function to retrieve the contents of a keytab, along with a single argument
+- * that allows them to open the keytab. We assume that a server keytab is
+- * always a real file so we can allow people to specify their own filenames.
+- * (This is important because the POSTGRES keytab needs to be readable by
+- * non-root users/groups; the v4 tools used to force you do dump a whole
+- * host's worth of keys into a file, effectively forcing you to use one file,
+- * but kdb5_edit allows you to select which principals to dump. Yay!)
++ * Various krb5 state which is not connection specfic, and a flag to
++ * indicate whether we have initialised it yet.
+ */
++static int pg_krb5_initialised;
++static krb5_context pg_krb5_context;
++static krb5_keytab pg_krb5_keytab;
++static krb5_principal pg_krb5_server;
++
++
+ static int
+-pg_krb5_recvauth(Port *port)
++pg_krb5_init(void)
+ {
+- char servbuf[MAXHOSTNAMELEN + 1 +
+- sizeof(PG_KRB_SRVNAM)];
+- char *hostp,
+- *kusername = (char *) NULL;
+- krb5_error_code code;
+- krb5_principal client,
+- server;
+- krb5_address sender_addr;
+- krb5_rdreq_key_proc keyproc = (krb5_rdreq_key_proc) NULL;
+- krb5_pointer keyprocarg = (krb5_pointer) NULL;
++ krb5_error_code retval;
+
+- /*
+- * Set up server side -- since we have no ticket file to make this
+- * easy, we construct our own name and parse it. See note on
+- * canonicalization above.
+- */
+- strcpy(servbuf, PG_KRB_SRVNAM);
+- *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
+- if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
+- strcpy(hostp, "localhost");
+- if (hostp = strchr(hostp, '.'))
+- *hostp = '\0';
+- if (code = krb5_parse_name(servbuf, &server))
+- {
++ if (pg_krb5_initialised)
++ return STATUS_OK;
++
++ retval = krb5_init_context(&pg_krb5_context);
++ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+- "pg_krb5_recvauth: Kerberos error %d in krb5_parse_name\n", code);
+- com_err("pg_krb5_recvauth", code, "in krb5_parse_name");
++ "pg_krb5_init: krb5_init_context returned"
++ " Kerberos error %d\n", retval);
++ com_err("postgres", retval, "while initializing krb5");
+ return STATUS_ERROR;
+ }
+
+- /*
+- * krb5_sendauth needs this to verify the address in the client
+- * authenticator.
+- */
+- sender_addr.addrtype = port->raddr.in.sin_family;
+- sender_addr.length = sizeof(port->raddr.in.sin_addr);
+- sender_addr.contents = (krb5_octet *) & (port->raddr.in.sin_addr);
+-
+- if (strcmp(PG_KRB_SRVTAB, ""))
+- {
+- keyproc = krb5_kt_read_service_key;
+- keyprocarg = PG_KRB_SRVTAB;
++ retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab);
++ if (retval) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_init: krb5_kt_resolve returned"
++ " Kerberos error %d\n", retval);
++ com_err("postgres", retval, "while resolving keytab file %s",
++ PG_KRB_SRVTAB);
++ krb5_free_context(pg_krb5_context);
++ return STATUS_ERROR;
+ }
+
+- if (code = krb5_recvauth((krb5_pointer) & port->sock,
+- PG_KRB5_VERSION,
+- server,
+- &sender_addr,
+- (krb5_pointer) NULL,
+- keyproc,
+- keyprocarg,
+- (char *) NULL,
+- (krb5_int32 *) NULL,
+- &client,
+- (krb5_ticket **) NULL,
+- (krb5_authenticator **) NULL))
+- {
++ retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
++ KRB5_NT_SRV_HST, &pg_krb5_server);
++ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+- "pg_krb5_recvauth: Kerberos error %d in krb5_recvauth\n", code);
+- com_err("pg_krb5_recvauth", code, "in krb5_recvauth");
+- krb5_free_principal(server);
++ "pg_krb5_init: krb5_sname_to_principal returned"
++ " Kerberos error %d\n", retval);
++ com_err("postgres", retval,
++ "while getting server principal for service %s",
++ PG_KRB_SRVTAB);
++ krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
++ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+- krb5_free_principal(server);
++
++ pg_krb5_initialised = 1;
++ return STATUS_OK;
++}
++
++
++/*
++ * pg_krb5_recvauth -- server routine to receive authentication information
++ * from the client
++ *
++ * We still need to compare the username obtained from the client's setup
++ * packet to the authenticated name, as described in pg_krb4_recvauth. This
++ * is a bit more problematic in v5, as described above in pg_an_to_ln.
++ *
++ * We have our own keytab file because postgres is unlikely to run as root,
++ * and so cannot read the default keytab.
++ */
++static int
++pg_krb5_recvauth(Port *port)
++{
++ krb5_error_code retval;
++ int ret;
++ krb5_auth_context auth_context = NULL;
++ krb5_ticket *ticket;
++ char *kusername;
++
++ ret = pg_krb5_init();
++ if (ret != STATUS_OK)
++ return ret;
++
++ retval = krb5_recvauth(pg_krb5_context, &auth_context,
++ (krb5_pointer)&port->sock, PG_KRB_SRVNAM,
++ pg_krb5_server, 0, pg_krb5_keytab, &ticket);
++ if (retval) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_recvauth: krb5_recvauth returned"
++ " Kerberos error %d\n", retval);
++ com_err("postgres", retval, "from krb5_recvauth");
++ return STATUS_ERROR;
++ }
+
+ /*
+ * The "client" structure comes out of the ticket and is therefore
+ * authenticated. Use it to check the username obtained from the
+ * postmaster startup packet.
++ *
++ * I have no idea why this is considered necessary.
+ */
+- if ((code = krb5_unparse_name(client, &kusername)))
+- {
++ retval = krb5_unparse_name(pg_krb5_context,
++ ticket->enc_part2->client, &kusername);
++ if (retval) {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+- "pg_krb5_recvauth: Kerberos error %d in krb5_unparse_name\n", code);
+- com_err("pg_krb5_recvauth", code, "in krb5_unparse_name");
+- krb5_free_principal(client);
+- return STATUS_ERROR;
+- }
+- krb5_free_principal(client);
+- if (!kusername)
+- {
+- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+- "pg_krb5_recvauth: could not decode username\n");
+- fputs(PQerrormsg, stderr);
+- pqdebug("%s", PQerrormsg);
++ "pg_krb5_recvauth: krb5_unparse_name returned"
++ " Kerberos error %d\n", retval);
++ com_err("postgres", retval, "while unparsing client name");
++ krb5_free_ticket(pg_krb5_context, ticket);
++ krb5_auth_con_free(pg_krb5_context, auth_context);
+ return STATUS_ERROR;
+ }
++
+ kusername = pg_an_to_ln(kusername);
+- if (strncmp(username, kusername, SM_USER))
++ if (strncmp(port->user, kusername, SM_USER))
+ {
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+- "pg_krb5_recvauth: name \"%s\" != \"%s\"\n", port->user, kusername);
+- fputs(PQerrormsg, stderr);
+- pqdebug("%s", PQerrormsg);
+- pfree(kusername);
+- return STATUS_ERROR;
+- }
+- pfree(kusername);
+- return STATUS_OK;
++ "pg_krb5_recvauth: user name \"%s\" != krb5 name \"%s\"\n",
++ port->user, kusername);
++ ret = STATUS_ERROR;
++ }
++ else
++ ret = STATUS_OK;
++
++ krb5_free_ticket(pg_krb5_context, ticket);
++ krb5_auth_con_free(pg_krb5_context, auth_context);
++ free(kusername);
++
++ return ret;
+ }
+
+ #else
+diff -u -r postgresql-7.0RC5/src/interfaces/libpq/Makefile.in postgresql-7.0RC5.krb5/src/interfaces/libpq/Makefile.in
+--- postgresql-7.0RC5/src/interfaces/libpq/Makefile.in Mon May 8 17:22:40 2000
++++ postgresql-7.0RC5.krb5/src/interfaces/libpq/Makefile.in Sat May 6 17:17:13 2000
+@@ -21,6 +21,7 @@
+
+ ifdef KRBVERS
+ CFLAGS+= $(KRBFLAGS)
++SHLIB_LINK += $(KRBLIBS)
+ endif
+
+ OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
+diff -u -r postgresql-7.0RC5/src/interfaces/libpq/fe-auth.c postgresql-7.0RC5.krb5/src/interfaces/libpq/fe-auth.c
+--- postgresql-7.0RC5/src/interfaces/libpq/fe-auth.c Mon May 8 17:22:40 2000
++++ postgresql-7.0RC5.krb5/src/interfaces/libpq/fe-auth.c Sat May 6 17:17:13 2000
+@@ -39,6 +39,7 @@
+ #include "win32.h"
+ #else
+ #include <unistd.h>
++#include <fcntl.h>
+ #include <sys/param.h> /* for MAXHOSTNAMELEN on most */
+ #ifndef MAXHOSTNAMELEN
+ #include <netdb.h> /* for MAXHOSTNAMELEN on some */
+@@ -234,7 +235,8 @@
+ *----------------------------------------------------------------
+ */
+
+-#include "krb5/krb5.h"
++#include <krb5.h>
++#include <com_err.h>
+
+ /*
+ * pg_an_to_ln -- return the local name corresponding to an authentication
+@@ -250,7 +252,7 @@
+ * and we can't afford to punt.
+ */
+ static char *
+-pg_an_to_ln(const char *aname)
++pg_an_to_ln(char *aname)
+ {
+ char *p;
+
+@@ -261,197 +263,160 @@
+
+
+ /*
+- * pg_krb5_init -- initialization performed before any Kerberos calls are made
+- *
+- * With v5, we can no longer set the ticket (credential cache) file name;
+- * we now have to provide a file handle for the open (well, "resolved")
+- * ticket file everywhere.
+- *
++ * Various krb5 state which is not connection specfic, and a flag to
++ * indicate whether we have initialised it yet.
+ */
++static int pg_krb5_initialised;
++static krb5_context pg_krb5_context;
++static krb5_ccache pg_krb5_ccache;
++static krb5_principal pg_krb5_client;
++static char *pg_krb5_name;
++
++
+ static int
+- krb5_ccache
+-pg_krb5_init(void)
++pg_krb5_init(char *PQerrormsg)
+ {
+- krb5_error_code code;
+- char *realm,
+- *defname;
+- char tktbuf[MAXPGPATH];
+- static krb5_ccache ccache = (krb5_ccache) NULL;
++ krb5_error_code retval;
+
+- if (ccache)
+- return ccache;
++ if (pg_krb5_initialised)
++ return STATUS_OK;
+
+- /*
+- * If the user set PGREALM, then we use a ticket file with a special
+- * name: <usual-ticket-file-name>@<PGREALM-value>
+- */
+- if (!(defname = krb5_cc_default_name()))
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_init: krb5_cc_default_name failed\n");
+- return (krb5_ccache) NULL;
+- }
+- strcpy(tktbuf, defname);
+- if (realm = getenv("PGREALM"))
+- {
+- strcat(tktbuf, "@");
+- strcat(tktbuf, realm);
++ retval = krb5_init_context(&pg_krb5_context);
++ if (retval) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_init: krb5_init_context: %s",
++ error_message(retval));
++ return STATUS_ERROR;
+ }
+
+- if (code = krb5_cc_resolve(tktbuf, &ccache))
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_init: Kerberos error %d in krb5_cc_resolve\n", code);
+- com_err("pg_krb5_init", code, "in krb5_cc_resolve");
+- return (krb5_ccache) NULL;
+- }
+- return ccache;
++ retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
++ if (retval) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_init: krb5_cc_default: %s",
++ error_message(retval));
++ krb5_free_context(pg_krb5_context);
++ return STATUS_ERROR;
++ }
++
++ retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
++ &pg_krb5_client);
++ if (retval) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_init: krb5_cc_get_principal: %s",
++ error_message(retval));
++ krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
++ krb5_free_context(pg_krb5_context);
++ return STATUS_ERROR;
++ }
++
++ retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
++ if (retval) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_init: krb5_unparse_name: %s",
++ error_message(retval));
++ krb5_free_principal(pg_krb5_context, pg_krb5_client);
++ krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
++ krb5_free_context(pg_krb5_context);
++ return STATUS_ERROR;
++ }
++
++ pg_krb5_name = pg_an_to_ln(pg_krb5_name);
++
++ pg_krb5_initialised = 1;
++ return STATUS_OK;
+ }
+
++
+ /*
+ * pg_krb5_authname -- returns a pointer to static space containing whatever
+ * name the user has authenticated to the system
+- *
+- * We obtain this information by digging around in the ticket file.
+- */
++ */
+ static const char *
+-pg_krb5_authname(const char *PQerrormsg)
++pg_krb5_authname(char *PQerrormsg)
+ {
+- krb5_ccache ccache;
+- krb5_principal principal;
+- krb5_error_code code;
+- static char *authname = (char *) NULL;
+-
+- if (authname)
+- return authname;
++ if (pg_krb5_init(PQerrormsg) != STATUS_OK)
++ return NULL;
+
+- ccache = pg_krb5_init(); /* don't free this */
+-
+- if (code = krb5_cc_get_principal(ccache, &principal))
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_authname: Kerberos error %d in krb5_cc_get_principal\n", code);
+- com_err("pg_krb5_authname", code, "in krb5_cc_get_principal");
+- return (char *) NULL;
+- }
+- if (code = krb5_unparse_name(principal, &authname))
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_authname: Kerberos error %d in krb5_unparse_name\n", code);
+- com_err("pg_krb5_authname", code, "in krb5_unparse_name");
+- krb5_free_principal(principal);
+- return (char *) NULL;
+- }
+- krb5_free_principal(principal);
+- return pg_an_to_ln(authname);
++ return pg_krb5_name;
+ }
+
++
+ /*
+ * pg_krb5_sendauth -- client routine to send authentication information to
+ * the server
+- *
+- * This routine does not do mutual authentication, nor does it return enough
+- * information to do encrypted connections. But then, if we want to do
+- * encrypted connections, we'll have to redesign the whole RPC mechanism
+- * anyway.
+- *
+- * Server hostnames are canonicalized v4-style, i.e., all domain suffixes
+- * are simply chopped off. Hence, we are assuming that you've entered your
+- * server instances as
+- * <value-of-PG_KRB_SRVNAM>/<canonicalized-hostname>
+- * in the PGREALM (or local) database. This is probably a bad assumption.
+ */
+ static int
+-pg_krb5_sendauth(const char *PQerrormsg, int sock,
++pg_krb5_sendauth(char *PQerrormsg, int sock,
+ struct sockaddr_in * laddr,
+ struct sockaddr_in * raddr,
+ const char *hostname)
+ {
+- char servbuf[MAXHOSTNAMELEN + 1 +
+- sizeof(PG_KRB_SRVNAM)];
+- const char *hostp;
+- const char *realm;
+- krb5_error_code code;
+- krb5_principal client,
+- server;
+- krb5_ccache ccache;
+- krb5_error *error = (krb5_error *) NULL;
+-
+- ccache = pg_krb5_init(); /* don't free this */
+-
+- /*
+- * set up client -- this is easy, we can get it out of the ticket
+- * file.
+- */
+- if (code = krb5_cc_get_principal(ccache, &client))
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_sendauth: Kerberos error %d in krb5_cc_get_principal\n", code);
+- com_err("pg_krb5_sendauth", code, "in krb5_cc_get_principal");
++ krb5_error_code retval;
++ int ret;
++ krb5_principal server;
++ krb5_auth_context auth_context = NULL;
++ krb5_error *err_ret = NULL;
++ int flags;
++
++ ret = pg_krb5_init(PQerrormsg);
++ if (ret != STATUS_OK)
++ return ret;
++
++ retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
++ KRB5_NT_SRV_HST, &server);
++ if (retval) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_sendauth: krb5_sname_to_principal: %s",
++ error_message(retval));
+ return STATUS_ERROR;
+ }
+
+- /*
+- * set up server -- canonicalize as described above
++ /*
++ * libpq uses a non-blocking socket. But kerberos needs a blocking
++ * socket, and we have to block somehow to do mutual authentication
++ * anyway. So we temporarily make it blocking.
+ */
+- strcpy(servbuf, PG_KRB_SRVNAM);
+- *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
+- if (hostname || *hostname)
+- strncpy(++hostp, hostname, MAXHOSTNAMELEN);
+- else
+- {
+- if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
+- strcpy(hostp, "localhost");
+- }
+- if (hostp = strchr(hostp, '.'))
+- *hostp = '\0';
+- if (realm = getenv("PGREALM"))
+- {
+- strcat(servbuf, "@");
+- strcat(servbuf, realm);
+- }
+- if (code = krb5_parse_name(servbuf, &server))
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_sendauth: Kerberos error %d in krb5_parse_name\n", code);
+- com_err("pg_krb5_sendauth", code, "in krb5_parse_name");
+- krb5_free_principal(client);
++ flags = fcntl(sock, F_GETFL);
++ if (flags < 0 || fcntl(sock, F_SETFL, (long)(flags & ~O_NONBLOCK))) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_sendauth: fcntl: %s", strerror(errno));
++ krb5_free_principal(pg_krb5_context, server);
+ return STATUS_ERROR;
+ }
+
+- /*
+- * The only thing we want back from krb5_sendauth is an error status
+- * and any error messages.
+- */
+- if (code = krb5_sendauth((krb5_pointer) & sock,
+- PG_KRB5_VERSION,
+- client,
+- server,
+- (krb5_flags) 0,
+- (krb5_checksum *) NULL,
+- (krb5_creds *) NULL,
+- ccache,
+- (krb5_int32 *) NULL,
+- (krb5_keyblock **) NULL,
+- &error,
+- (krb5_ap_rep_enc_part **) NULL))
+- {
+- if ((code == KRB5_SENDAUTH_REJECTED) && error)
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_sendauth: authentication rejected: \"%*s\"\n",
+- error->text.length, error->text.data);
++ retval = krb5_sendauth(pg_krb5_context, &auth_context,
++ (krb5_pointer) &sock, PG_KRB_SRVNAM,
++ pg_krb5_client, server,
++ AP_OPTS_MUTUAL_REQUIRED,
++ NULL, 0, /* no creds, use ccache instead */
++ pg_krb5_ccache, &err_ret, NULL, NULL);
++ if (retval) {
++ if (retval == KRB5_SENDAUTH_REJECTED && err_ret) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_sendauth: authentication rejected: \"%*s\"",
++ err_ret->text.length, err_ret->text.data);
+ }
+- else
+- {
+- (void) sprintf(PQerrormsg,
+- "pg_krb5_sendauth: Kerberos error %d in krb5_sendauth\n", code);
+- com_err("pg_krb5_sendauth", code, "in krb5_sendauth");
++ else {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_sendauth: krb5_sendauth: %s",
++ error_message(retval));
+ }
++
++ if (err_ret)
++ krb5_free_error(pg_krb5_context, err_ret);
++
++ ret = STATUS_ERROR;
++ }
++
++ krb5_free_principal(pg_krb5_context, server);
++
++ if (fcntl(sock, F_SETFL, (long)flags)) {
++ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
++ "pg_krb5_sendauth: fcntl: %s", strerror(errno));
++ ret = STATUS_ERROR;
+ }
+- krb5_free_principal(client);
+- krb5_free_principal(server);
+- return code ? STATUS_ERROR : STATUS_OK;
++
++ return ret;
+ }
+
+ #endif /* KRB5 */
+diff -u -r postgresql-7.0RC5/src/interfaces/libpq/libpq-int.h postgresql-7.0RC5.krb5/src/interfaces/libpq/libpq-int.h
+--- postgresql-7.0RC5/src/interfaces/libpq/libpq-int.h Mon May 8 17:22:40 2000
++++ postgresql-7.0RC5.krb5/src/interfaces/libpq/libpq-int.h Sat May 6 17:49:38 2000
+@@ -50,6 +50,7 @@
+ * POSTGRES backend dependent Constants.
+ */
+
++#define PQERRORMSG_LENGTH 1024
+ #define CMDSTATUS_LEN 40
+
+ /*
+
+
OSDN Git Service
