On Mon, Mar 14, 2011 at 16:26, Magnus Hagander <mag...@hagander.net> wrote:
> On Mon, Mar 14, 2011 at 16:17, Tom Lane <t...@sss.pgh.pa.us> wrote:
>> Magnus Hagander <mag...@hagander.net> writes:
>>> On Mon, Mar 14, 2011 at 14:43, Robert Haas <robertmh...@gmail.com> wrote:
>>>> Also, the text is not accurate: nothing has been automatically changed
>>>> to anything. The pg_hba.conf file is just as it was. You could say
>>>> something like "ident" authentication on local socket treated as
>>>> "peer", but I think a better idea would be to just remove this message
>>>> altogether.
>>
>>> The idea being to let people know it's been deprecated, nothing else.
>>> But sure, we can just remove the message - at elast for now, and maybe
>>> add it $n releases down the road when people are expected to have
>>> changed over.
>>
>> I'm with Robert on this one --- the first reaction I had to your
>> description of the patch was "why do we need a log message for that?"
>> If there were some real reason to push people away from use of the
>> non-preferred term, maybe it'd be worth nagging them to change; but
>> there isn't.
>
> Ok. fair enough, I'll take that part out.
Here's an updated patch that removes this log message, and adds a few
lines to initdb to create a combination of ident/peer rows. And
finally, adds docs.
> Are people in general in favor of making the change provided I do that, then?
Comments?
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index c05805b..3f4631e 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -457,17 +457,28 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
<term><literal>ident</></term>
<listitem>
<para>
- Obtain the operating system user name of the client (for
- TCP/IP connections by contacting the ident server on the
- client, for local connections by getting it from the
- operating system) and check if it matches the requested
- database user name.
+ Obtain the operating system user name of the client
+ by contacting the ident server on the client
+ and check if it matches the requested database user name.
+ This is only available for TCP/IP connections.
See <xref linkend="auth-ident"> for details.
</para>
</listitem>
</varlistentry>
<varlistentry>
+ <term><literal>peer</></term>
+ <listitem>
+ <para>
+ Obtain the operating system user name from the operating system
+ and check if it matches the requested database user name.
+ This is only available for local connections.
+ See <xref linkend="auth-peer"> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><literal>ldap</></term>
<listitem>
<para>
@@ -1200,7 +1211,7 @@ omicron bryanh guest1
</sect2>
<sect2 id="auth-ident">
- <title>Ident-based Authentication</title>
+ <title>Ident Authentication</title>
<indexterm>
<primary>ident</primary>
@@ -1208,11 +1219,9 @@ omicron bryanh guest1
<para>
The ident authentication method works by obtaining the client's
- operating system user name and using it as the allowed database user
- name (with an optional user name mapping).
- The determination of the client's
- user name is the security-critical point, and it works differently
- depending on the connection type, as described below.
+ operating system user name from an ident server and using it as
+ the allowed database user name (with an optional user name mapping).
+ This is only supported on TCP/IP connections.
</para>
<para>
@@ -1230,9 +1239,6 @@ omicron bryanh guest1
</variablelist>
</para>
- <sect3>
- <title>Ident Authentication Over TCP/IP</title>
-
<para>
The <quote>Identification Protocol</quote> is described in
RFC 1413. Virtually every Unix-like
@@ -1275,36 +1281,48 @@ omicron bryanh guest1
since <productname>PostgreSQL</> does not have any way to decrypt the
returned string to determine the actual user name.
</para>
- </sect3>
+ </sect2>
+
+ <sect2 id="auth-peer">
+ <title>Peer Authentication</title>
+
+ <indexterm>
+ <primary>peer</primary>
+ </indexterm>
+
+ <para>
+ The peer authentication method works by obtaining the client's
+ operating system user name from the kernel and using it as the
+ allowed database user name (with optional user name mapping). This
+ is only supported on local connections.
+ </para>
- <sect3>
- <title>Ident Authentication Over Local Sockets</title>
+ <para>
+ The following configuration options are supported for <productname>peer</productname>:
+ <variablelist>
+ <varlistentry>
+ <term><literal>map</literal></term>
+ <listitem>
+ <para>
+ Allows for mapping between system and database user names. See
+ <xref linkend="auth-username-maps"> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
<para>
- On systems supporting <symbol>SO_PEERCRED</symbol> requests for
+ Peer authentication is only available on systems supporting
+ <symbol>SO_PEERCRED</symbol> requests for
Unix-domain sockets (currently <systemitem
class="osname">Linux</>, <systemitem class="osname">FreeBSD</>,
<systemitem class="osname">NetBSD</>, <systemitem class="osname">OpenBSD</>,
- <systemitem class="osname">BSD/OS</>, and <systemitem class="osname">Solaris</systemitem>), ident authentication can also
- be applied to local connections.
+ <systemitem class="osname">BSD/OS</>, and <systemitem class="osname">Solaris</systemitem>).
<productname>PostgreSQL</> uses <symbol>SO_PEERCRED</symbol> to find out
the operating system name of the connected client process.
- In this case, no security risk is added by
- using ident authentication; indeed it is a preferable choice for
- local connections on such systems.
</para>
- <para>
- On systems without <symbol>SO_PEERCRED</> requests, ident
- authentication is only available for TCP/IP connections. As a
- work-around, it is possible to specify the <systemitem
- class="systemname">localhost</> address <systemitem
- class="systemname">127.0.0.1</> and make connections to this
- address. This method is trustworthy to the extent that you trust
- the local ident server.
- </para>
- </sect3>
-
</sect2>
<sect2 id="auth-ldap">
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index f776737..b5ad101 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -148,7 +148,7 @@ postgres$ <userinput>initdb -D /usr/local/pgsql/data</userinput>
mode is not used; or modify the generated <filename>pg_hba.conf</filename>
file after running <command>initdb</command>, but
<emphasis>before</> you start the server for the first time. (Other
- reasonable approaches include using <literal>ident</literal> authentication
+ reasonable approaches include using <literal>peer</literal> authentication
or file system permissions to restrict connections. See <xref
linkend="client-authentication"> for more information.)
</para>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index af43c2a..bc8e4ca 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -60,7 +60,8 @@ static int recv_and_check_password_packet(Port *port);
/* Standard TCP port number for Ident service. Assigned by IANA */
#define IDENT_PORT 113
-static int authident(hbaPort *port);
+static int ident_inet(hbaPort *port);
+static int auth_peer(hbaPort *port);
/*----------------------------------------------------------------
@@ -269,6 +270,9 @@ auth_failed(Port *port, int status)
case uaIdent:
errstr = gettext_noop("Ident authentication failed for user \"%s\"");
break;
+ case uaPeer:
+ errstr = gettext_noop("Peer authentication failed for user \"%s\"");
+ break;
case uaPassword:
case uaMD5:
errstr = gettext_noop("password authentication failed for user \"%s\"");
@@ -506,11 +510,11 @@ ClientAuthentication(Port *port)
#endif
break;
- case uaIdent:
+ case uaPeer:
/*
- * If we are doing ident on unix-domain sockets, use SCM_CREDS
- * only if it is defined and SO_PEERCRED isn't.
+ * If we are doing peer on unix-domain sockets, use SCM_CREDS only
+ * if it is defined and SO_PEERCRED isn't.
*/
#if !defined(HAVE_GETPEEREID) && !defined(SO_PEERCRED) && \
(defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || \
@@ -535,7 +539,11 @@ ClientAuthentication(Port *port)
sendAuthRequest(port, AUTH_REQ_SCM_CREDS);
}
#endif
- status = authident(port);
+ status = auth_peer(port);
+ break;
+
+ case uaIdent:
+ status = ident_inet(port);
break;
case uaMD5:
@@ -1599,11 +1607,12 @@ interpret_ident_response(const char *ident_response,
*
* But iff we're unable to get the information from ident, return false.
*/
-static bool
-ident_inet(const SockAddr remote_addr,
- const SockAddr local_addr,
- char *ident_user)
+static int
+ident_inet(hbaPort *port)
{
+ const SockAddr remote_addr = port->raddr;
+ const SockAddr local_addr = port->laddr;
+ char ident_user[IDENT_USERNAME_MAX + 1];
pgsocket sock_fd, /* File descriptor for socket on which we talk
* to Ident */
rc; /* Return code from a locally called function */
@@ -1646,7 +1655,7 @@ ident_inet(const SockAddr remote_addr,
{
if (ident_serv)
pg_freeaddrinfo_all(hints.ai_family, ident_serv);
- return false; /* we don't expect this to happen */
+ return STATUS_ERROR; /* we don't expect this to happen */
}
hints.ai_flags = AI_NUMERICHOST;
@@ -1662,7 +1671,7 @@ ident_inet(const SockAddr remote_addr,
{
if (la)
pg_freeaddrinfo_all(hints.ai_family, la);
- return false; /* we don't expect this to happen */
+ return STATUS_ERROR; /* we don't expect this to happen */
}
sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype,
@@ -1751,7 +1760,11 @@ ident_inet_done:
closesocket(sock_fd);
pg_freeaddrinfo_all(remote_addr.addr.ss_family, ident_serv);
pg_freeaddrinfo_all(local_addr.addr.ss_family, la);
- return ident_return;
+
+ if (ident_return)
+ /* Success! Check the usermap */
+ return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
+ return STATUS_ERROR;
}
/*
@@ -1763,9 +1776,12 @@ ident_inet_done:
*/
#ifdef HAVE_UNIX_SOCKETS
-static bool
-ident_unix(int sock, char *ident_user)
+static int
+auth_peer(hbaPort *port)
{
+ int sock = port->sock;
+ char ident_user[IDENT_USERNAME_MAX + 1];
+
#if defined(HAVE_GETPEEREID)
/* OpenBSD style: */
uid_t uid;
@@ -1779,7 +1795,7 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errcode_for_socket_access(),
errmsg("could not get peer credentials: %m")));
- return false;
+ return STATUS_ERROR;
}
pass = getpwuid(uid);
@@ -1789,12 +1805,11 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errmsg("local user with ID %d does not exist",
(int) uid)));
- return false;
+ return STATUS_ERROR;
}
strlcpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX + 1);
- return true;
#elif defined(SO_PEERCRED)
/* Linux style: use getsockopt(SO_PEERCRED) */
struct ucred peercred;
@@ -1809,7 +1824,7 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errcode_for_socket_access(),
errmsg("could not get peer credentials: %m")));
- return false;
+ return STATUS_ERROR;
}
pass = getpwuid(peercred.uid);
@@ -1819,12 +1834,11 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errmsg("local user with ID %d does not exist",
(int) peercred.uid)));
- return false;
+ return STATUS_ERROR;
}
strlcpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX + 1);
- return true;
#elif defined(HAVE_GETPEERUCRED)
/* Solaris > 10 */
uid_t uid;
@@ -1837,7 +1851,7 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errcode_for_socket_access(),
errmsg("could not get peer credentials: %m")));
- return false;
+ return STATUS_ERROR;
}
if ((uid = ucred_geteuid(ucred)) == -1)
@@ -1845,7 +1859,7 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errcode_for_socket_access(),
errmsg("could not get effective UID from peer credentials: %m")));
- return false;
+ return STATUS_ERROR;
}
ucred_free(ucred);
@@ -1856,12 +1870,11 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errmsg("local user with ID %d does not exist",
(int) uid)));
- return false;
+ return STATUS_ERROR;
}
strlcpy(ident_user, pass->pw_name, IDENT_USERNAME_MAX + 1);
- return true;
#elif defined(HAVE_STRUCT_CMSGCRED) || defined(HAVE_STRUCT_FCRED) || (defined(HAVE_STRUCT_SOCKCRED) && defined(LOCAL_CREDS))
struct msghdr msg;
@@ -1913,7 +1926,7 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errcode_for_socket_access(),
errmsg("could not get peer credentials: %m")));
- return false;
+ return STATUS_ERROR;
}
cred = (Cred *) CMSG_DATA(cmsg);
@@ -1925,59 +1938,22 @@ ident_unix(int sock, char *ident_user)
ereport(LOG,
(errmsg("local user with ID %d does not exist",
(int) cred->cruid)));
- return false;
+ return STATUS_ERROR;
}
strlcpy(ident_user, pw->pw_name, IDENT_USERNAME_MAX + 1);
- return true;
#else
ereport(LOG,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("Ident authentication is not supported on local connections on this platform")));
- return false;
-#endif
-}
-#endif /* HAVE_UNIX_SOCKETS */
-
-
-/*
- * Determine the username of the initiator of the connection described
- * by "port". Then look in the usermap file under the usermap
- * port->hba->usermap and see if that user is equivalent to Postgres user
- * port->user.
- *
- * Return STATUS_OK if yes, STATUS_ERROR if no match (or couldn't get info).
- */
-static int
-authident(hbaPort *port)
-{
- char ident_user[IDENT_USERNAME_MAX + 1];
-
- switch (port->raddr.addr.ss_family)
- {
- case AF_INET:
-#ifdef HAVE_IPV6
- case AF_INET6:
-#endif
- if (!ident_inet(port->raddr, port->laddr, ident_user))
- return STATUS_ERROR;
- break;
-
-#ifdef HAVE_UNIX_SOCKETS
- case AF_UNIX:
- if (!ident_unix(port->sock, ident_user))
- return STATUS_ERROR;
- break;
+ return STATUS_ERROR;
#endif
- default:
- return STATUS_ERROR;
- }
-
return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
}
+#endif /* HAVE_UNIX_SOCKETS */
/*----------------------------------------------------------------
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 1b3a714..2def6ce 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1060,6 +1060,8 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
parsedline->auth_method = uaTrust;
else if (strcmp(token, "ident") == 0)
parsedline->auth_method = uaIdent;
+ else if (strcmp(token, "peer") == 0)
+ parsedline->auth_method = uaPeer;
else if (strcmp(token, "password") == 0)
parsedline->auth_method = uaPassword;
else if (strcmp(token, "krb5") == 0)
@@ -1137,6 +1139,14 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
return false;
}
+ /*
+ * XXX: When using ident on local connections, change it to peer, for
+ * backwards compatibility.
+ */
+ if (parsedline->conntype == ctLocal &&
+ parsedline->auth_method == uaIdent)
+ parsedline->auth_method = uaPeer;
+
/* Invalid authentication combinations */
if (parsedline->conntype == ctLocal &&
parsedline->auth_method == uaKrb5)
@@ -1160,6 +1170,17 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
return false;
}
+ if (parsedline->conntype != ctLocal &&
+ parsedline->auth_method == uaPeer)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("peer authentication is only supported on local sockets"),
+ errcontext("line %d of configuration file \"%s\"",
+ line_num, HbaFileName)));
+ return false;
+ }
+
/*
* SSPI authentication can never be enabled on ctLocal connections,
* because it's only supported on Windows, where ctLocal isn't supported.
@@ -1203,11 +1224,12 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
if (strcmp(token, "map") == 0)
{
if (parsedline->auth_method != uaIdent &&
+ parsedline->auth_method != uaPeer &&
parsedline->auth_method != uaKrb5 &&
parsedline->auth_method != uaGSS &&
parsedline->auth_method != uaSSPI &&
parsedline->auth_method != uaCert)
- INVALID_AUTH_OPTION("map", gettext_noop("ident, krb5, gssapi, sspi and cert"));
+ INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi and cert"));
parsedline->usermap = pstrdup(c);
}
else if (strcmp(token, "clientcert") == 0)
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index 87f8499..0a90b68 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -41,7 +41,7 @@
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi",
-# "krb5", "ident", "pam", "ldap", "radius" or "cert". Note that
+# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
# "password" sends passwords in clear text; "md5" is preferred since
# it sends encrypted passwords.
#
@@ -75,7 +75,7 @@
# TYPE DATABASE USER ADDRESS METHOD
@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
-@remove-line-for-nolocal@local all all @authmethod@
+@remove-line-for-nolocal@local all all @authmethodlocal@
# IPv4 local connections:
host all all 127.0.0.1/32 @authmethod@
# IPv6 local connections:
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index 7a4b698..d509b13 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -82,6 +82,7 @@ static char *username = "";
static bool pwprompt = false;
static char *pwfilename = NULL;
static char *authmethod = "";
+static char *authmethodlocal = "";
static bool debug = false;
static bool noclean = false;
static bool show_setting = false;
@@ -1076,6 +1077,9 @@ setup_config(void)
conflines = replace_token(conflines,
"@authmethod@",
authmethod);
+ conflines = replace_token(conflines,
+ "@authmethodlocal@",
+ authmethodlocal);
conflines = replace_token(conflines,
"@authcomment@",
@@ -2637,6 +2641,7 @@ main(int argc, char *argv[])
}
if (strcmp(authmethod, "md5") &&
+ strcmp(authmethod, "peer") &&
strcmp(authmethod, "ident") &&
strcmp(authmethod, "trust") &&
#ifdef USE_PAM
@@ -2666,6 +2671,20 @@ main(int argc, char *argv[])
exit(1);
}
+ /*
+ * When ident is specified, use peer for local connections. Mirrored, when
+ * peer is specified, use ident for TCP connections.
+ */
+ if (strcmp(authmethod, "ident") == 0)
+ authmethodlocal = "peer";
+ else if (strcmp(authmethod, "peer") == 0)
+ {
+ authmethodlocal = "peer";
+ authmethod = "ident";
+ }
+ else
+ authmethodlocal = authmethod;
+
if (strlen(pg_data) == 0)
{
pgdenv = getenv("PGDATA");
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index aa60d8d..b92dc0d 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -29,7 +29,8 @@ typedef enum UserAuth
uaPAM,
uaLDAP,
uaCert,
- uaRADIUS
+ uaRADIUS,
+ uaPeer
} UserAuth;
typedef enum IPCompareMethod
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
