From be83aac6d26ecca0bd27801132b9606ffda480f2 Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Wed, 26 Sep 2001 19:54:12 +0000
Subject: [PATCH] Disable local creds on OpenBSD because it doesn't support it. Document supported platforms in pg_hba.conf.
---
 src/backend/libpq/auth.c | 4 ++--
 src/backend/libpq/hba.c | 4 ++--
 src/backend/libpq/pg_hba.conf.sample | 27 +++++++++++++++------------
 src/interfaces/libpq/fe-auth.c | 16 +++++++---------
 4 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 96bb8f0c57..78bff875ad 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.67 2001/09/21 20:31:45 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.68 2001/09/26 19:54:12 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -520,7 +520,7 @@ ClientAuthentication(Port *port)
 break;
 case uaIdent:
-#if !defined(SO_PEERCRED) && (defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED))
+#if !defined(SO_PEERCRED) && (defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS)))
 /*
 * If we are doing ident on unix-domain sockets,
 * use SCM_CREDS only if it is defined and SO_PEERCRED isn't.
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 891fcb4317..c674da678b 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
 *
 *
 * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.72 2001/09/21 20:31:46 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.73 2001/09/26 19:54:12 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
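Review bot: The credential-passing guard edited under `case uaIdent:` is now a three-way expression that is repeated by hand in the `#elif` of ident_unix in hba.c and at the top of pg_local_sendauth in fe-auth.c, so the next platform exception has to be made identically in three files. The two backend copies must agree: this one decides whether SCM_CREDS is used for ident on a Unix-domain socket, and the hba.c one decides whether ident_unix has code to read the credentials, so a drift would presumably leave local ident failing in a way that is hard to diagnose. I would define the test once in a shared header, `#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))` followed by `#define HAVE_SCM_CREDS_AUTH 1` (the macro name is only a suggestion), and test that macro at each site. The body of ClientAuthentication continues outside the hunk.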
@@ -904,7 +904,7 @@ ident_unix(int sock, char *ident_user)
 return true;
-#elif defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
+#elif defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
 struct msghdr msg; /* Credentials structure */
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index 0aff0f43fc..c61915bd31 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -125,18 +125,21 @@
 # not store encrypted passwords if you use this option.
 #
 # ident: For TCP/IP connections, authentication is done by contacting
-# the ident server on the client host. (CAUTION: this is only
-# as secure as the client machine!) On machines that support
-# SO_PEERCRED or SCM_CREDS socket requests, this method also
-# works for local Unix-domain connections. AUTH_ARGUMENT is
-# required: it determines how to map remote user names to
-# Postgres user names. The AUTH_ARGUMENT is a map name found
-# in the $PGDATA/pg_ident.conf file. The connection is accepted
-# if that file contains an entry for this map name with the
-# ident-supplied username and the requested Postgres username.
-# The special map name "sameuser" indicates an implied map
-# (not in pg_ident.conf) that maps each ident username to the
-# identical PostgreSQL username.
+# the ident server on the client host. (CAUTION: this is
+# only as secure as the client machine!) On machines that
+# support unix-domain socket credentials (currently Linux,
+# FreeBSD, NetBSD, and BSD/OS), this method also works for
+# "local" connections.
+#
+# AUTH_ARGUMENT is required: it determines how to map
+# remote user names to Postgres user names. The
+# AUTH_ARGUMENT is a map name found in the
+# $PGDATA/pg_ident.conf file. The connection is accepted
+# if that file contains an entry for this map name with
+# the ident-supplied username and the requested Postgres
+# username. The special map name "sameuser" indicates an
+# implied map (not in pg_ident.conf) that maps each ident
+# username to the identical PostgreSQL username.
 #
 # krb4: Kerberos V4 authentication is used. Allowed only for
 # TCP/IP connections, not for local UNIX-domain sockets.
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index bb60bb1ceb..4b4b039910 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
 * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
 *
 * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.60 2001/09/21 20:31:49 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.61 2001/09/26 19:54:12 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -435,10 +435,10 @@ pg_krb5_sendauth(char *PQerrormsg, int sock,
 #endif /* KRB5 */
-#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
 static int
 pg_local_sendauth(char *PQerrormsg, PGconn *conn)
 {
+#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
 char buf;
 struct iovec iov;
 struct msghdr msg;
@@ -485,8 +485,12 @@ pg_local_sendauth(char *PQerrormsg, PGconn *conn)
 return STATUS_ERROR;
 }
 return STATUS_OK;
-}
+#else
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ libpq_gettext("SCM_CRED authentication method not supported\n"));
+ return STATUS_ERROR;
 #endif
+}
 static int
 pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
@@ -614,14 +618,8 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
 break;
 case AUTH_REQ_SCM_CREDS:
-#if defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || defined(HAVE_STRUCT_SOCKCRED)
 if (pg_local_sendauth(PQerrormsg, conn) != STATUS_OK)
 return STATUS_ERROR;
-#else
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- libpq_gettext("SCM_CRED authentication method not supported\n"));
- return STATUS_ERROR;
-#endif
 break;
 default:
--
2.11.0
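Review bot: pg_local_sendauth is now compiled on every platform but has no header comment (the hunk shows it directly after `#endif /* KRB5 */`), and its contract changed: on builds without credential support the function no longer disappears, it exists and fails. A comment above it such as `/* Answer an AUTH_REQ_SCM_CREDS request; on builds without credential-passing support, set PQerrormsg and return STATUS_ERROR. */` would record that for callers. The function body continues outside this hunk.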
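Review bot: The message in the new `#else` branch of pg_local_sendauth, `SCM_CRED authentication method not supported`, names neither the request it answers (AUTH_REQ_SCM_CREDS, as the fe_sendauth hunk shows) nor the reason. With the narrowed guard it is what a client built without LOCAL_CREDS will report when a server asks for credentials. Something like `libpq_gettext("SCM_CREDS authentication method not supported on this platform\n")` makes clear that the limit is in the client build; the string is translatable, so message catalogs would need the same update. `conn` is also unused in this branch, which may draw an unused-parameter warning on those builds.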