Loading...
Searching...
No Matches
#include "postgres.h"#include <sys/param.h>#include <sys/select.h>#include <sys/socket.h>#include <netinet/in.h>#include <netdb.h>#include <pwd.h>#include <unistd.h>#include "commands/user.h"#include "common/ip.h"#include "common/md5.h"#include "libpq/auth.h"#include "libpq/crypt.h"#include "libpq/libpq.h"#include "libpq/oauth.h"#include "libpq/pqformat.h"#include "libpq/sasl.h"#include "libpq/scram.h"#include "miscadmin.h"#include "port/pg_bswap.h"#include "postmaster/postmaster.h"#include "replication/walsender.h"#include "storage/ipc.h"#include "tcop/backend_startup.h"#include "utils/memutils.h"
Include dependency graph for auth.c:
Go to the source code of this file.
Macros | |
| #define | IDENT_USERNAME_MAX 512 |
| #define | IDENT_PORT 113 |
| #define | HOSTNAME_LOOKUP_DETAIL(port) |
Functions | |
| static void | auth_failed (Port *port, int elevel, int status, const char *logdetail) |
| static char * | recv_password_packet (Port *port) |
| static int | CheckPasswordAuth (Port *port, const char **logdetail) |
| static int | CheckPWChallengeAuth (Port *port, const char **logdetail) |
| static int | CheckMD5Auth (Port *port, char *shadow_pass, const char **logdetail) |
| static int | ident_inet (Port *port) |
| static int | auth_peer (Port *port) |
| void | set_authn_id (Port *port, const char *id) |
| void | ClientAuthentication (Port *port) |
| void | sendAuthRequest (Port *port, AuthRequest areq, const void *extradata, int extralen) |
| static bool | is_ident_whitespace (const char c) |
| static bool | interpret_ident_response (const char *ident_response, char *ident_user) |
Variables | |
| char * | pg_krb_server_keyfile |
| bool | pg_krb_caseins_users |
| bool | pg_gss_accept_delegation |
| ClientAuthentication_hook_type | ClientAuthentication_hook = NULL |
Macro Definition Documentation
◆ HOSTNAME_LOOKUP_DETAIL
Value:
(port->remote_hostname ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
port->remote_hostname) : \
port->remote_hostname_resolv == 0 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
port->remote_hostname) : \
port->remote_hostname_resolv == -1 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
port->remote_hostname) : \
port->remote_hostname_resolv == -2 ? \
errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
port->remote_hostname, \
gai_strerror(port->remote_hostname_errcode)) : \
0) \
: (port->remote_hostname_resolv == -2 ? \
errdetail_log("Could not resolve client IP address to a host name: %s.", \
gai_strerror(port->remote_hostname_errcode)) : \
0))
int int int errdetail_log(const char *fmt,...) pg_attribute_printf(1
◆ IDENT_PORT
◆ IDENT_USERNAME_MAX
Function Documentation
◆ auth_failed()
Definition at line 234 of file auth.c.
235{
239
241
242 /*
243 * If we failed due to EOF from client, just quit; there's no point in
244 * trying to send a message to the client, and not much point in logging
245 * the failure in the postmaster log. (Logging the failure might be
246 * desirable, were it not for the fact that libpq closes the connection
247 * unceremoniously if challenged for a password when it hasn't got one to
248 * send. We'll get a useless log entry for every psql connection under
249 * password auth, even if it's perfectly successful, if we log STATUS_EOF
250 * events.)
251 */
253 proc_exit(0);
254
256 {
260 break;
263 break;
266 break;
269 break;
274 /* We use it to indicate if a .pgpass password failed. */
276 break;
279 break;
282 break;
285 break;
288 break;
291 break;
294 break;
297 break;
298 default:
300 break;
301 }
302
305 port->hba->rawline);
306 if (logdetail)
308 else
309 logdetail = cdetail;
310
311 ereport(elevel,
315
316 /* doesn't return */
317 pg_unreachable();
318}
References _, Assert, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errdetail_log(), errmsg, FATAL, fb(), gettext_noop, pg_unreachable, port, proc_exit(), psprintf(), STATUS_EOF, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaReject, uaSCRAM, uaSSPI, and uaTrust.
Referenced by ClientAuthentication().
◆ auth_peer()
Definition at line 1870 of file auth.c.
1871{
1872 uid_t uid;
1873 gid_t gid;
1874#ifndef WIN32
1878 int rc;
1879 int ret;
1880#endif
1881
1883 {
1884 /* Provide special error message if getpeereid is a stub */
1889 else
1891 (errcode_for_socket_access(),
1894 }
1895
1896#ifndef WIN32
1898 if (rc != 0)
1899 {
1900 errno = rc;
1904 }
1906 {
1910 }
1911
1912 /*
1913 * Make a copy of static getpw*() result area; this is our authenticated
1914 * identity. Set it before calling check_usermap, because authentication
1915 * has already succeeded and we want the log file to reflect that.
1916 */
1918
1921
1922 return ret;
1923#else
1924 /* should have failed with ENOSYS above */
1927#endif
1928}
int check_usermap(const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive)
Definition hba.c:2791
References Assert, ClientConnectionInfo::authn_id, buf, check_usermap(), ereport, errcode(), errcode_for_socket_access(), errmsg, fb(), getpeereid(), LOG, MyClientConnectionInfo, port, set_authn_id(), and STATUS_ERROR.
Referenced by ClientAuthentication().
◆ CheckMD5Auth()
Definition at line 888 of file auth.c.
889{
893
894 /* include the salt to use for computing the response */
896 {
900 }
901
903
907
910 md5Salt, 4, logdetail);
911 else
913
915
917}
void sendAuthRequest(Port *port, AuthRequest areq, const void *extradata, int extralen)
Definition auth.c:682
int md5_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, const uint8 *md5_salt, int md5_salt_len, const char **logdetail)
Definition crypt.c:265
References AUTH_REQ_MD5, ereport, errmsg, fb(), LOG, md5_crypt_verify(), pfree(), pg_strong_random(), port, recv_password_packet(), result, sendAuthRequest(), STATUS_EOF, and STATUS_ERROR.
Referenced by CheckPWChallengeAuth().
◆ CheckPasswordAuth()
Definition at line 793 of file auth.c.
794{
798
800
804
807 {
809 logdetail);
810 }
811 else
813
817
820
822}
int plain_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, const char **logdetail)
Definition crypt.c:336
char * get_role_password(const char *role, const char **logdetail)
Definition crypt.c:43
References AUTH_REQ_PASSWORD, fb(), get_role_password(), pfree(), plain_crypt_verify(), port, recv_password_packet(), result, sendAuthRequest(), set_authn_id(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.
Referenced by ClientAuthentication().
◆ CheckPWChallengeAuth()
Definition at line 828 of file auth.c.
829{
833
836
837 /* First look up the user's password. */
839
840 /*
841 * If the user does not exist, or has no password or it's expired, we
842 * still go through the motions of authentication, to avoid revealing to
843 * the client that the user didn't exist. If 'md5' is allowed, we choose
844 * whether to use 'md5' or 'scram-sha-256' authentication based on current
845 * password_encryption setting. The idea is that most genuine users
846 * probably have a password of that type, and if we pretend that this user
847 * had a password of that type, too, it "blends in" best.
848 */
851 else
853
854 /*
855 * If 'md5' authentication is allowed, decide whether to perform 'md5' or
856 * 'scram-sha-256' authentication based on the type of password the user
857 * has. If it's an MD5 hash, we must do MD5 authentication, and if it's a
858 * SCRAM secret, we must do SCRAM authentication.
859 *
860 * If MD5 authentication is not allowed, always use SCRAM. If the user
861 * had an MD5 password, CheckSASLAuth() with the SCRAM mechanism will
862 * fail.
863 */
866 else
869
872 else
873 {
874 /*
875 * If get_role_password() returned error, authentication better not
876 * have succeeded.
877 */
879 }
880
883
885}
int CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass, const char **logdetail, bool *abandoned)
Definition auth-sasl.c:50
static int CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
Definition auth.c:888
References Assert, CheckMD5Auth(), CheckSASLAuth(), fb(), get_password_type(), get_role_password(), Password_encryption, PASSWORD_TYPE_MD5, pfree(), pg_be_scram_mech, port, set_authn_id(), STATUS_OK, uaMD5, and uaSCRAM.
Referenced by ClientAuthentication().
◆ ClientAuthentication()
Definition at line 374 of file auth.c.
375{
378
379 /*
380 * "Abandoned" is a SASL-specific state similar to STATUS_EOF, in that we
381 * don't want to generate any server logs. But it's caused by an in-band
382 * client action that requires a server response, not an out-of-band
383 * connection closure, so we can't just proc_exit() like we do with
384 * STATUS_EOF.
385 */
387
388 /*
389 * Get the authentication method to use for this frontend/database
390 * combination. Note: we do not parse the file at this point; this has
391 * already been done elsewhere. hba.c dropped an error message into the
392 * server logfile if parsing the hba config file failed.
393 */
395
396 CHECK_FOR_INTERRUPTS();
397
398 /*
399 * This is the first point where we have access to the hba record for the
400 * current connection, so perform any verifications based on the hba
401 * options field that should be done *before* the authentication here.
402 */
404 {
405 /* If we haven't loaded a root certificate store, fail */
410
411 /*
412 * If we loaded a root certificate store, and if a certificate is
413 * present on the client, then it has been verified against our root
414 * certificate store, and the connection would have been aborted
415 * already if it didn't verify ok.
416 */
421 }
422
423 /*
424 * Now proceed to do the actual authentication check
425 */
427 {
429
430 /*
431 * An explicit "reject" entry in pg_hba.conf. This report exposes
432 * the fact that there's an explicit reject entry, which is
433 * perhaps not so desirable from a security standpoint; but the
434 * message for an implicit reject could confuse the DBA a lot when
435 * the true situation is a match to an explicit reject. And we
436 * don't want to change the message for an implicit reject. As
437 * noted below, the additional information shown here doesn't
438 * expose anything not known to an attacker.
439 */
440 {
443
446 NULL, 0,
447 NI_NUMERICHOST);
448
449 encryption_state =
450#ifdef ENABLE_GSS
452#endif
453#ifdef USE_SSL
455#endif
457
461 /* translator: last %s describes encryption state */
464 encryption_state)));
465 else
468 /* translator: last %s describes encryption state */
471 port->database_name,
472 encryption_state)));
473 break;
474 }
475
477
478 /*
479 * No matching entry, so tell the user we fell through.
480 *
481 * NOTE: the extra info reported here is not a security breach,
482 * because all that info is known at the frontend and must be
483 * assumed known to bad guys. We're merely helping out the less
484 * clueful good guys.
485 */
486 {
489
492 NULL, 0,
493 NI_NUMERICHOST);
494
495 encryption_state =
496#ifdef ENABLE_GSS
498#endif
499#ifdef USE_SSL
501#endif
503
504#define HOSTNAME_LOOKUP_DETAIL(port) \
505 (port->remote_hostname ? \
506 (port->remote_hostname_resolv == +1 ? \
507 errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
508 port->remote_hostname) : \
509 port->remote_hostname_resolv == 0 ? \
510 errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
511 port->remote_hostname) : \
512 port->remote_hostname_resolv == -1 ? \
513 errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
514 port->remote_hostname) : \
515 port->remote_hostname_resolv == -2 ? \
516 errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
517 port->remote_hostname, \
518 gai_strerror(port->remote_hostname_errcode)) : \
519 0) \
520 : (port->remote_hostname_resolv == -2 ? \
521 errdetail_log("Could not resolve client IP address to a host name: %s.", \
522 gai_strerror(port->remote_hostname_errcode)) : \
523 0))
524
528 /* translator: last %s describes encryption state */
531 encryption_state),
533 else
536 /* translator: last %s describes encryption state */
539 port->database_name,
540 encryption_state),
542 break;
543 }
544
546#ifdef ENABLE_GSS
547 /* We might or might not have the gss workspace already */
553
554 /*
555 * If GSS state was set up while enabling encryption, we can just
556 * check the client's principal. Otherwise, ask for it.
557 */
560 else
561 {
564 }
565#else
567#endif
568 break;
569
571#ifdef ENABLE_SSPI
578#else
580#endif
581 break;
582
585 break;
586
589 break;
590
594 break;
595
598 break;
599
601#ifdef USE_PAM
603#else
605#endif /* USE_PAM */
606 break;
607
609#ifdef USE_BSD_AUTH
611#else
613#endif /* USE_BSD_AUTH */
614 break;
615
617#ifdef USE_LDAP
619#else
621#endif
622 break;
624 /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
626 status = STATUS_OK;
627 break;
630 &abandoned);
631 break;
632 }
633
636 {
637 /*
638 * Make sure we only check the certificate if we use the cert method
639 * or verify-full option.
640 */
641#ifdef USE_SSL
643#else
645#endif
646 }
647
649 status == STATUS_OK &&
651 {
652 /*
653 * Normally, if log_connections is set, the call to set_authn_id()
654 * will log the connection. However, if that function is never
655 * called, perhaps because the trust method is in use, then we handle
656 * the logging here instead.
657 */
660 "(%s:%d)",
663 }
664
666 (*ClientAuthentication_hook) (port, status);
667
670 else
673 status,
674 logdetail);
675}
static int CheckPWChallengeAuth(Port *port, const char **logdetail)
Definition auth.c:828
static void auth_failed(Port *port, int elevel, int status, const char *logdetail)
Definition auth.c:234
ClientAuthentication_hook_type ClientAuthentication_hook
Definition auth.c:217
#define HOSTNAME_LOOKUP_DETAIL(port)
static int CheckPasswordAuth(Port *port, const char **logdetail)
Definition auth.c:793
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition ip.c:117
void * MemoryContextAllocZero(MemoryContext context, Size size)
Definition mcxt.c:1266
References _, am_db_walsender, am_walsender, Assert, auth_failed(), auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, ClientConnectionInfo::authn_id, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckSASLAuth(), ClientAuthentication_hook, clientCertFull, clientCertOff, ereport, errcode(), errmsg, FATAL, FATAL_CLIENT_ONLY, fb(), hba_authname(), hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), LOG, LOG_CONNECTION_AUTHENTICATION, log_connections, MemoryContextAllocZero(), MyClientConnectionInfo, pg_be_oauth_mech, pg_getnameinfo_all(), port, secure_loaded_verify_locations(), sendAuthRequest(), STATUS_ERROR, STATUS_OK, TopMemoryContext, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaReject, uaSCRAM, uaSSPI, and uaTrust.
Referenced by PerformAuthentication().
◆ ident_inet()
Definition at line 1685 of file auth.c.
1686{
1691 int rc; /* Return code from a locally called function */
1702 hints;
1703
1704 /*
1705 * Might look a little weird to first convert it to text and then back to
1706 * sockaddr, but it's protocol independent.
1707 */
1710 remote_port, sizeof(remote_port),
1716
1721 hints.ai_protocol = 0;
1722 hints.ai_addrlen = 0;
1728 {
1729 /* we don't expect this to happen */
1732 }
1733
1737 hints.ai_protocol = 0;
1738 hints.ai_addrlen = 0;
1744 {
1745 /* we don't expect this to happen */
1748 }
1749
1751 ident_serv->ai_protocol);
1753 {
1755 (errcode_for_socket_access(),
1759 }
1760
1761 /*
1762 * Bind to the address which the client originally contacted, otherwise
1763 * the ident server won't be able to match up the right connection. This
1764 * is necessary if the PostgreSQL server is running on an IP alias.
1765 */
1767 if (rc != 0)
1768 {
1770 (errcode_for_socket_access(),
1772 local_addr_s)));
1775 }
1776
1778 ident_serv->ai_addrlen);
1779 if (rc != 0)
1780 {
1782 (errcode_for_socket_access(),
1787 }
1788
1789 /* The query we send to the Ident server */
1791 remote_port, local_port);
1792
1793 /* loop in case send is interrupted */
1794 do
1795 {
1796 CHECK_FOR_INTERRUPTS();
1797
1800
1801 if (rc < 0)
1802 {
1804 (errcode_for_socket_access(),
1809 }
1810
1811 do
1812 {
1813 CHECK_FOR_INTERRUPTS();
1814
1817
1818 if (rc < 0)
1819 {
1821 (errcode_for_socket_access(),
1826 }
1827
1833 ident_response)));
1834
1835ident_inet_done:
1842
1844 {
1845 /*
1846 * Success! Store the identity, then check the usermap. Note that
1847 * setting the authenticated identity is done before checking the
1848 * usermap, because at this point authentication has succeeded.
1849 */
1852 }
1854}
static bool interpret_ident_response(const char *ident_response, char *ident_user)
Definition auth.c:1604
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition ip.c:85
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition ip.c:56
Definition pqcomm.h:31
References bind, CHECK_FOR_INTERRUPTS, check_usermap(), closesocket, connect, EINTR, ereport, errcode_for_socket_access(), errmsg, fb(), IDENT_PORT, IDENT_USERNAME_MAX, interpret_ident_response(), LOG, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_getnameinfo_all(), PGINVALID_SOCKET, port, recv, send, set_authn_id(), snprintf, socket, and STATUS_ERROR.
Referenced by ClientAuthentication().
◆ interpret_ident_response()
Definition at line 1604 of file auth.c.
1606{
1608
1609 /*
1610 * Ident's response, in the telnet tradition, should end in crlf (\r\n).
1611 */
1613 return false;
1615 return false;
1616 else
1617 {
1620
1622 return false;
1623 else
1624 {
1625 /* We're positioned to colon before response type field */
1628
1632 i = 0;
1640 return false;
1641 else
1642 {
1643 /*
1644 * It's a USERID response. Good. "cursor" should be pointing
1645 * to the colon that precedes the operating system type.
1646 */
1648 return false;
1649 else
1650 {
1652 /* Skip over operating system field. */
1654 cursor++;
1656 return false;
1657 else
1658 {
1662 /* Rest of line is user name. Copy it over. */
1663 i = 0;
1667 return true;
1668 }
1669 }
1670 }
1671 }
1672 }
1673}
Definition type.h:138
References fb(), i, IDENT_USERNAME_MAX, and is_ident_whitespace().
Referenced by ident_inet().
◆ is_ident_whitespace()
Definition at line 1592 of file auth.c.
Referenced by interpret_ident_response().
◆ recv_password_packet()
Definition at line 712 of file auth.c.
713{
716
717 pq_startmsgread();
718
719 /* Expect 'p' message type */
722 {
723 /*
724 * If the client just disconnects without offering a password, don't
725 * make a log entry. This is legal per protocol spec and in fact
726 * commonly done by psql, so complaining just clutters the log.
727 */
732 mtype)));
734 }
735
738 {
739 /* EOF - pq_getmessage already logged a suitable message */
742 }
743
744 /*
745 * Apply sanity check: password packet length should agree with length of
746 * contained string. Note it is safe to use strlen here because
747 * StringInfo is guaranteed to have an appended '\0'.
748 */
753
754 /*
755 * Don't allow an empty password. Libpq treats an empty password the same
756 * as no password at all, and won't even try to authenticate. But other
757 * clients might, so allowing it would be confusing.
758 *
759 * Note that this only catches an empty password sent by the client in
760 * plaintext. There's also a check in CREATE/ALTER USER that prevents an
761 * empty string from being stored as a user's password in the first place.
762 * We rely on that for MD5 and SCRAM authentication, but we still need
763 * this check here, to prevent an empty password from being used with
764 * authentication methods that check the password against an external
765 * system, like PAM and LDAP.
766 */
771
772 /* Do not echo password to logs, for security. */
774
775 /*
776 * Return the received string. Note we do not attempt to do any
777 * character-set conversion on it; since we don't yet know the client's
778 * encoding, there wouldn't be much point.
779 */
781}
Definition stringinfo.h:47
References buf, DEBUG5, elog, ereport, errcode(), ERRCODE_INVALID_PASSWORD, ERRCODE_PROTOCOL_VIOLATION, errmsg, ERROR, fb(), initStringInfo(), pfree(), PG_MAX_AUTH_TOKEN_LENGTH, pq_getbyte(), pq_getmessage(), pq_startmsgread(), and PqMsg_PasswordMessage.
Referenced by CheckMD5Auth(), and CheckPasswordAuth().
◆ sendAuthRequest()
Definition at line 682 of file auth.c.
683{
685
686 CHECK_FOR_INTERRUPTS();
687
692
694
695 /*
696 * Flush message so client will see it, except for AUTH_REQ_OK and
697 * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
698 * queries.
699 */
701 pq_flush();
702
703 CHECK_FOR_INTERRUPTS();
704}
void pq_sendbytes(StringInfo buf, const void *data, int datalen)
Definition pqformat.c:126
References AUTH_REQ_OK, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, fb(), pq_beginmessage(), pq_endmessage(), pq_flush, pq_sendbytes(), pq_sendint32(), and PqMsg_AuthenticationRequest.
Referenced by CheckMD5Auth(), CheckPasswordAuth(), CheckSASLAuth(), and ClientAuthentication().
◆ set_authn_id()
Definition at line 336 of file auth.c.
337{
339
341 {
342 /*
343 * An existing authn_id should never be overwritten; that means two
344 * authentication providers are fighting (or one is fighting itself).
345 * Don't leak any authn details to the client, but don't let the
346 * connection continue, either.
347 */
352 }
353
356
358 {
361 "(%s:%d)",
365 }
366}
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition mcxt.c:1768
References Assert, ClientConnectionInfo::auth_method, ClientConnectionInfo::authn_id, ereport, errdetail_log(), errmsg, FATAL, hba_authname(), LOG, LOG_CONNECTION_AUTHENTICATION, log_connections, MemoryContextStrdup(), MyClientConnectionInfo, port, and TopMemoryContext.
Referenced by auth_peer(), CheckPasswordAuth(), CheckPWChallengeAuth(), ident_inet(), and validate().
Variable Documentation
◆ ClientAuthentication_hook
| ClientAuthentication_hook_type ClientAuthentication_hook = NULL |
Definition at line 217 of file auth.c.
Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().
◆ pg_gss_accept_delegation
| bool pg_gss_accept_delegation |
Definition at line 176 of file auth.c.
Referenced by secure_open_gssapi().
◆ pg_krb_caseins_users
◆ pg_krb_server_keyfile
| char* pg_krb_server_keyfile |
Definition at line 174 of file auth.c.
Referenced by secure_open_gssapi().
