PostgreSQL Source Code  git master
auth.h File Reference
#include "libpq/libpq-be.h"

Typedefs

typedef void(* ClientAuthentication_hook_type) (Port *, int)
 

Functions

void ClientAuthentication (Port *port)
 

Variables

char * pg_krb_server_keyfile
 
bool pg_krb_caseins_users
 
char * pg_krb_realm
 
PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook
 

Typedef Documentation

◆ ClientAuthentication_hook_type

typedef void(* ClientAuthentication_hook_type) (Port *, int)

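Definition at line 26 of file auth.h.

In the ClientAuthentication() listing on this page the hook is invoked as (*ClientAuthentication_hook) (port, status), so the int argument is the authentication status computed for the connection.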

Function Documentation

◆ ClientAuthentication()

void ClientAuthentication ( Port * port )

Definition at line 346 of file auth.c.

References _, SockAddr::addr, am_walsender, Assert, auth_failed(), HbaLine::auth_method, AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, HbaLine::clientcert, Port::database_name, ereport, errcode(), errmsg(), FATAL, Port::hba, hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), NI_MAXHOST, NI_NUMERICHOST, Port::peer_cert_valid, pg_getnameinfo_all(), port, Port::raddr, SockAddr::salen, secure_loaded_verify_locations(), sendAuthRequest(), Port::ssl_in_use, status(), STATUS_ERROR, STATUS_OK, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, and Port::user_name.

Referenced by PerformAuthentication().

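/*
 * ClientAuthentication -- authenticate the client on "port" using the method
 * selected by the matching pg_hba.conf record.
 *
 * Flow, as shown in this listing:
 *   1. hba_getauthmethod() fills in port->hba.
 *   2. If the hba record sets clientcert, a valid client certificate is
 *      required before any method-specific check runs.
 *   3. The switch runs the method-specific check and stores its result in
 *      "status", which starts out as STATUS_ERROR.
 *   4. ClientAuthentication_hook, if set, is called with the result.
 *   5. AUTH_REQ_OK is sent on STATUS_OK; every other value goes to
 *      auth_failed().
 *
 * The function returns nothing; failures are reported through
 * ereport(FATAL) or auth_failed().
 *
 * NOTE(review): the rendered page dropped source lines 359, 369, 409, 462
 * and 602 of auth.c (gaps in its gutter numbering).  They are restored here
 * from the identifiers in the page's References list (CHECK_FOR_INTERRUPTS,
 * secure_loaded_verify_locations, NI_NUMERICHOST, ClientAuthentication_hook);
 * confirm against auth.c.  Without them the listing reads as an
 * unconditional FATAL for clientcert and an unguarded call through the hook
 * pointer.
 */
void
ClientAuthentication(Port *port)
{
    /*
     * Fail-closed default: any path through the switch that does not assign
     * status ends in auth_failed().
     */
    int         status = STATUS_ERROR;
    char       *logdetail = NULL;

    /*
     * Get the authentication method to use for this frontend/database
     * combination. Note: we do not parse the file at this point; this has
     * already been done elsewhere. hba.c dropped an error message into the
     * server logfile if parsing the hba config file failed.
     */
    hba_getauthmethod(port);

    CHECK_FOR_INTERRUPTS();

    /*
     * This is the first point where we have access to the hba record for the
     * current connection, so perform any verifications based on the hba
     * options field that should be done *before* the authentication here.
     */
    if (port->hba->clientcert)
    {
        /* If we haven't loaded a root certificate store, fail */
        if (!secure_loaded_verify_locations())
            ereport(FATAL,
                    (errcode(ERRCODE_CONFIG_FILE_ERROR),
                     errmsg("client certificates can only be checked if a root certificate store is available")));

        /*
         * If we loaded a root certificate store, and if a certificate is
         * present on the client, then it has been verified against our root
         * certificate store, and the connection would have been aborted
         * already if it didn't verify ok.
         */
        if (!port->peer_cert_valid)
            ereport(FATAL,
                    (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     errmsg("connection requires a valid client certificate")));
    }

    /*
     * Now proceed to do the actual authentication check
     *
     * There is no default label: an auth_method value not listed below
     * leaves status at STATUS_ERROR and the connection is refused.
     */
    switch (port->hba->auth_method)
    {
        case uaReject:

            /*
             * An explicit "reject" entry in pg_hba.conf. This report exposes
             * the fact that there's an explicit reject entry, which is
             * perhaps not so desirable from a security standpoint; but the
             * message for an implicit reject could confuse the DBA a lot when
             * the true situation is a match to an explicit reject. And we
             * don't want to change the message for an implicit reject. As
             * noted below, the additional information shown here doesn't
             * expose anything not known to an attacker.
             */
            {
                char        hostinfo[NI_MAXHOST];

                /*
                 * NI_NUMERICHOST: report the peer's numeric address rather
                 * than a resolved host name.
                 */
                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);

                if (am_walsender)
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off"))));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
                                    hostinfo, port->user_name)));
#endif
                }
                else
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off"))));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
                                    hostinfo, port->user_name,
                                    port->database_name)));
#endif
                }
                break;
            }

        case uaImplicitReject:

            /*
             * No matching entry, so tell the user we fell through.
             *
             * NOTE: the extra info reported here is not a security breach,
             * because all that info is known at the frontend and must be
             * assumed known to bad guys. We're merely helping out the less
             * clueful good guys.
             */
            {
                char        hostinfo[NI_MAXHOST];

                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);

                /*
                 * Reverse/forward DNS lookup results are attached with
                 * errdetail_log(), which in PostgreSQL's error-reporting API
                 * adds detail to the server log entry only; the errmsg()
                 * text below is the part built for the client.  The macro
                 * evaluates to 0 when there is nothing to report.
                 */
#define HOSTNAME_LOOKUP_DETAIL(port) \
                (port->remote_hostname ? \
                 (port->remote_hostname_resolv == +1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == 0 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -2 ? \
                  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                port->remote_hostname, \
                                gai_strerror(port->remote_hostname_errcode)) : \
                  0) \
                 : (port->remote_hostname_resolv == -2 ? \
                    errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                  gai_strerror(port->remote_hostname_errcode)) : \
                    0))

                if (am_walsender)
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off")),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
                                    hostinfo, port->user_name),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#endif
                }
                else
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off")),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
                                    hostinfo, port->user_name,
                                    port->database_name),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#endif
                }
                break;
            }

        case uaGSS:
#ifdef ENABLE_GSS
            sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
            status = pg_GSS_recvauth(port);
#else

            /*
             * Method not compiled in.  Assert() is a no-op in builds without
             * assertion checking, so status keeps STATUS_ERROR and the
             * connection is refused.  The same holds for every
             * "#else Assert(false)" branch below.
             */
            Assert(false);
#endif
            break;

        case uaSSPI:
#ifdef ENABLE_SSPI
            sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
            status = pg_SSPI_recvauth(port);
#else
            Assert(false);
#endif
            break;

        case uaPeer:
#ifdef HAVE_UNIX_SOCKETS
            status = auth_peer(port);
#else
            Assert(false);
#endif
            break;

        case uaIdent:
            status = ident_inet(port);
            break;

        case uaMD5:
        case uaSCRAM:
            /* Both methods share one challenge/response entry point. */
            status = CheckPWChallengeAuth(port, &logdetail);
            break;

        case uaPassword:
            status = CheckPasswordAuth(port, &logdetail);
            break;

        case uaPAM:
#ifdef USE_PAM
            status = CheckPAMAuth(port, port->user_name, "");
#else
            Assert(false);
#endif                          /* USE_PAM */
            break;

        case uaBSD:
#ifdef USE_BSD_AUTH
            status = CheckBSDAuth(port, port->user_name);
#else
            Assert(false);
#endif                          /* USE_BSD_AUTH */
            break;

        case uaLDAP:
#ifdef USE_LDAP
            status = CheckLDAPAuth(port);
#else
            Assert(false);
#endif
            break;

        case uaCert:
#ifdef USE_SSL
            status = CheckCertAuth(port);
#else
            Assert(false);
#endif
            break;
        case uaRADIUS:
            status = CheckRADIUSAuth(port);
            break;
        case uaTrust:

            /*
             * No credential is checked here: a connection that matched a
             * "trust" record is accepted as-is (the clientcert check above
             * still applies if that record sets it).
             */
            status = STATUS_OK;
            break;
    }

    /*
     * The hook pointer may be unset, so test it before calling through it.
     * It runs for successful and failed attempts alike, and before any
     * result is sent to the client.
     */
    if (ClientAuthentication_hook)
        (*ClientAuthentication_hook) (port, status);

    /*
     * Only an exact STATUS_OK is treated as success.  logdetail is non-NULL
     * only if one of the password checks above filled it in.
     */
    if (status == STATUS_OK)
        sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
    else
        auth_failed(port, status, logdetail);
}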
#define HOSTNAME_LOOKUP_DETAIL(port)
Definition: hba.h:30
#define AUTH_REQ_SSPI
Definition: pqcomm.h:174
Definition: hba.h:38
#define NI_NUMERICHOST
Definition: getaddrinfo.h:78
Definition: hba.h:32
static void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata, int extralen)
Definition: auth.c:616
#define AUTH_REQ_OK
Definition: pqcomm.h:165
#define AUTH_REQ_GSS
Definition: pqcomm.h:172
Definition: hba.h:35
bool peer_cert_valid
Definition: libpq-be.h:183
struct sockaddr_storage addr
Definition: pqcomm.h:64
int errcode(int sqlerrcode)
Definition: elog.c:575
#define STATUS_ERROR
Definition: c.h:964
bool ssl_in_use
Definition: libpq-be.h:181
static int CheckRADIUSAuth(Port *port)
Definition: auth.c:2819
Definition: hba.h:34
Definition: hba.h:31
SockAddr raddr
Definition: libpq-be.h:122
bool am_walsender
Definition: walsender.c:114
#define NI_MAXHOST
Definition: getaddrinfo.h:88
Definition: hba.h:39
static int CheckPWChallengeAuth(Port *port, char **logdetail)
Definition: auth.c:769
#define FATAL
Definition: elog.h:52
Definition: hba.h:27
Definition: hba.h:29
void hba_getauthmethod(hbaPort *port)
Definition: hba.c:3010
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:242
char * user_name
Definition: libpq-be.h:137
ACCEPT_TYPE_ARG3 salen
Definition: pqcomm.h:65
#define ereport(elevel, rest)
Definition: elog.h:122
#define STATUS_OK
Definition: c.h:963
static int port
Definition: pg_regress.c:90
HbaLine * hba
Definition: libpq-be.h:144
static int ident_inet(hbaPort *port)
Definition: auth.c:1861
Definition: hba.h:33
static int CheckPasswordAuth(Port *port, char **logdetail)
Definition: auth.c:737
Definition: hba.h:37
#define Assert(condition)
Definition: c.h:680
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:122
bool secure_loaded_verify_locations(void)
Definition: be-secure.c:98
int errmsg(const char *fmt,...)
Definition: elog.c:797
static void auth_failed(Port *port, int status, char *logdetail)
Definition: auth.c:258
bool clientcert
Definition: hba.h:88
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:98
static void static void status(const char *fmt,...) pg_attribute_printf(1
Definition: pg_regress.c:225
char * database_name
Definition: libpq-be.h:136
Definition: hba.h:36
#define _(x)
Definition: elog.c:84
Definition: hba.h:40
UserAuth auth_method
Definition: hba.h:72

Variable Documentation

◆ ClientAuthentication_hook

PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook

Definition at line 242 of file auth.c.

Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().

◆ pg_krb_caseins_users

bool pg_krb_caseins_users

Definition at line 167 of file auth.c.

Referenced by CheckSCRAMAuth().

◆ pg_krb_realm

char* pg_krb_realm

◆ pg_krb_server_keyfile

char* pg_krb_server_keyfile

Definition at line 166 of file auth.c.

Referenced by CheckSCRAMAuth().