New patch, which changes the pamservice parameter from pamusedns to
pam_use_hostname.

On 03/21/2016 10:59 AM, Grzegorz Sampolski wrote:
> Ok. So if no one objects by the evening - in my time zone of course :)
> I will change pamusedns to pam_use_hostname.
> 
> On 03/21/2016 08:43 AM, Haribabu Kommi wrote:
>> On Wed, Mar 16, 2016 at 10:46 PM, Grzegorz Sampolski <grz...@gmail.com> 
>> wrote:
>>> Hi.
>>> Can be, but as you mentioned OS resolver can be configured to not use
>>> dns at all. So much more appropriate will be pam_try_hostname if we want
>>> to be more accurately.
>>> But for me pamusedns, pam_use_hostname or pam_try_hostname all are
>>> correct as either need to use some try to resolve ip address
>>> irrespectively OS resolver use dns or not - I mean getnameinfo() not
>>> give you such information if OS resolver use dns or not.
>>> Not to drag out the discussion, I can change pamusedns to pam_use_hostname if
>>> you prefer.
>>
>> +1 for pam_use_hostname.
>>
>>
>> Regards,
>> Hari Babu
>> Fujitsu Australia
>>
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..a086b9a 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1617,16 +1617,18 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub";
     <literal>password</literal> except that it uses PAM (Pluggable
     Authentication Modules) as the authentication mechanism. The
     default PAM service name is <literal>postgresql</literal>.
-    PAM is used only to validate user name/password pairs.
-    Therefore the user must already exist in the database before PAM
-    can be used for authentication.  For more information about
-    PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/";>
+    PAM is used only to validate user name/password and connected
+    remote hostname/IP address. Therefore the user must already
+    exist in the database before PAM can be used for authentication.
+    For more information about PAM, please read the
+    <ulink url="http://www.kernel.org/pub/linux/libs/pam/";>
     <productname>Linux-PAM</> Page</ulink>.
    </para>
 
    <para>
     The following configuration options are supported for PAM:
     <variablelist>
+     
      <varlistentry>
       <term><literal>pamservice</literal></term>
       <listitem>
@@ -1635,6 +1637,20 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub";
        </para>
       </listitem>
      </varlistentry>
+     
+     <varlistentry>
+      <term><literal>pam_use_hostname</literal></term>
+      <listitem>
+       <para>
+        Parmater used to control the remote hostname/IP address that needs
+        to be sent to PAM authentication module. When not set (which is default),
+        then ip address of connected host will be passed to pam modules through
+        PAM_RHOST item. Otherwise the connected hostname is identified and passed.
+        An attempt to determine hostname may lead to login delays.
+       </para>
+      </listitem>
+     </varlistentry>
+    
     </variablelist>
    </para>
 
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7f1ae8c..3361daf 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1737,6 +1737,21 @@ CheckPAMAuth(Port *port, char *user, char *password)
 {
 	int			retval;
 	pam_handle_t *pamh = NULL;
+	char hostinfo[NI_MAXHOST];
+
+	if (port->hba->pam_use_hostname == true)
+		retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+				hostinfo, sizeof(hostinfo), NULL, 0, 0);
+	else
+		retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+				hostinfo, sizeof(hostinfo), NULL, 0, NI_NUMERICHOST);
+	if (retval)
+	{
+		ereport(LOG,
+				(errmsg("(pam) couldn not determine the remote host information (%s)",
+					gai_strerror(retval))));
+		return STATUS_ERROR;
+	}
 
 	/*
 	 * We can't entirely rely on PAM to pass through appdata --- it appears
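Review bot: With pam_use_hostname set, the name that pg_getnameinfo_all writes into hostinfo at the top of the hunk is a bare reverse lookup of the client address and is never forward-confirmed, so whatever PAM module later reads PAM_RHOST receives a string controlled by whoever owns the client's PTR record. If the intent is to let PAM modules make access decisions on that name, the result should be cross-checked the way hba.c's hostname matching does (resolve the returned name and require that one of its addresses equals port->raddr), or the documentation should state plainly that PAM_RHOST is unverified. Separately, the log message in the `ereport` has a typo: `"(pam) could not determine the remote host information (%s)"`. The `== true` on the first `if` is redundant; `if (port->hba->pam_use_hostname)` is the usual form. CheckPAMAuth's body continues past the end of this hunk.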
@@ -1782,6 +1797,17 @@ CheckPAMAuth(Port *port, char *user, char *password)
 		return STATUS_ERROR;
 	}
 
+	retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
+
+	if (retval != PAM_SUCCESS)
+	{
+		ereport(LOG,
+				(errmsg("pam_set_item(PAM_RHOST) failed: %s",
+					pam_strerror(pamh, retval))));
+		pam_passwd = NULL;
+		return STATUS_ERROR;
+	}
+
 	retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
 
 	if (retval != PAM_SUCCESS)
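Review bot: The failure branch after the new `pam_set_item(pamh, PAM_RHOST, hostinfo)` call returns STATUS_ERROR without releasing the handle obtained from pam_start, so a failing set_item leaks pamh. The existing PAM_CONV branch directly below follows the same shape, which suggests the pattern is inherited rather than deliberate, but adding `pam_end(pamh, retval);` before the `return STATUS_ERROR;` would close the handle on the new path without changing the existing one. pam_start and the rest of CheckPAMAuth lie outside this hunk.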
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 28f9fb5..5a39746 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1447,6 +1447,15 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
 		REQUIRE_AUTH_OPTION(uaPAM, "pamservice", "pam");
 		hbaline->pamservice = pstrdup(val);
 	}
+	else if (strcmp(name, "pam_use_hostname") == 0)
+	{
+		REQUIRE_AUTH_OPTION(uaPAM, "pam_use_hostname", "pam");
+		if (strcmp(val, "1") == 0)
+			hbaline->pam_use_hostname = true;
+		else
+			hbaline->pam_use_hostname = false;
+
+	}
 	else if (strcmp(name, "ldapurl") == 0)
 	{
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
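Review bot: The new branch treats only the literal value "1" as enabling pam_use_hostname, so a spelling such as `pam_use_hostname=true` or `yes` is accepted without complaint and silently leaves the option off, which for an authentication-related toggle is easy to miss in a review of pg_hba.conf. This mirrors how ldaptls is parsed elsewhere in this function, so it may be intentional, but rejecting any value other than "0" or "1" with an ereport(LOG) in the style of the neighbouring option checks would surface the misconfiguration at load time. The stray blank line before the closing brace is also out of step with the surrounding branches. parse_hba_auth_opt continues outside the hunk.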
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..b306baf 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -64,6 +64,7 @@ typedef struct HbaLine
 
 	char	   *usermap;
 	char	   *pamservice;
+	bool		pam_use_hostname;
 	bool		ldaptls;
 	char	   *ldapserver;
 	int			ldapport;
-- 