auth.h File Reference
#include "libpq/libpq-be.h"


Typedefs

typedef void(* ClientAuthentication_hook_type )(Port *, int)
 

Functions

void ClientAuthentication (Port *port)
 

Variables

char * pg_krb_server_keyfile
 
bool pg_krb_caseins_users
 
char * pg_krb_realm
 
PGDLLIMPORT
ClientAuthentication_hook_type 
ClientAuthentication_hook
 

Typedef Documentation

typedef void(* ClientAuthentication_hook_type)(Port *, int)

Definition at line 26 of file auth.h.

Function Documentation

void ClientAuthentication ( Port * port)

Definition at line 345 of file auth.c.

References _, SockAddr::addr, am_walsender, Assert, auth_failed(), HbaLine::auth_method, AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, HbaLine::clientcert, Port::database_name, ereport, errcode(), errmsg(), FATAL, Port::hba, hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), NI_MAXHOST, NI_NUMERICHOST, Port::peer_cert_valid, pg_getnameinfo_all(), port, Port::raddr, SockAddr::salen, secure_loaded_verify_locations(), sendAuthRequest(), Port::ssl_in_use, status(), STATUS_ERROR, STATUS_OK, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, and Port::user_name.

Referenced by PerformAuthentication().

/*
 * ClientAuthentication -- run the authentication method that pg_hba.conf
 * selected for this connection.
 *
 * port: the backend's connection state.  port->hba is filled in here by
 *       hba_getauthmethod() and every decision below reads it.
 *
 * Outcome: on success an AUTH_REQ_OK is sent to the client and the function
 * returns; every failure path goes through ereport(FATAL) or auth_failed(),
 * so there is no error return value for the caller to check.
 *
 * Fail-closed by construction: `status` starts at STATUS_ERROR and only a
 * switch arm that assigns STATUS_OK itself (uaTrust) or receives it from a
 * helper can let the connection through.  An arm that assigns nothing --
 * e.g. the Assert(false) stubs for methods compiled out of this build, which
 * are no-ops when assertions are disabled -- still ends in auth_failed().
 *
 * NOTE(review): this listing was extracted from auth.c and lost a few lines
 * (the gutter skips 358, 368, 408, 461 and 601).  The References list for
 * this function names CHECK_FOR_INTERRUPTS, secure_loaded_verify_locations(),
 * NI_NUMERICHOST and ClientAuthentication_hook, which is presumably what
 * those lines hold; confirm against the real source before relying on the
 * gap notes below.
 */
346 {
347  int status = STATUS_ERROR;	/* fail closed unless a method succeeds */
348  char *logdetail = NULL;	/* optional extra detail handed to auth_failed() */
349 
350  /*
351  * Get the authentication method to use for this frontend/database
352  * combination. Note: we do not parse the file at this point; this has
353  * already been done elsewhere. hba.c dropped an error message into the
354  * server logfile if parsing the hba config file failed.
355  */
356  hba_getauthmethod(port);	/* selects port->hba from address/database/user */
357 
 /* gap: line 358 was dropped in extraction -- presumably CHECK_FOR_INTERRUPTS(); */
359 
360  /*
361  * This is the first point where we have access to the hba record for the
362  * current connection, so perform any verifications based on the hba
363  * options field that should be done *before* the authentication here.
364  */
 /*
  * clientcert=1 on the matching hba line is enforced here, ahead of the
  * method switch, so it applies to every method -- including "trust".
  */
365  if (port->hba->clientcert)
366  {
367  /* If we haven't loaded a root certificate store, fail */
 /*
  * gap: the condition on line 368 was dropped in extraction; given the
  * comment above and the References list it is presumably
  * `if (!secure_loaded_verify_locations())` -- confirm in auth.c.
  */
369  ereport(FATAL,
370  (errcode(ERRCODE_CONFIG_FILE_ERROR),
371  errmsg("client certificates can only be checked if a root certificate store is available")));
372 
373  /*
374  * If we loaded a root certificate store, and if a certificate is
375  * present on the client, then it has been verified against our root
376  * certificate store, and the connection would have been aborted
377  * already if it didn't verify ok.
378  */
 /* So the only remaining failure mode is "no certificate presented at all". */
379  if (!port->peer_cert_valid)
380  ereport(FATAL,
381  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
382  errmsg("connection requires a valid client certificate")));
383  }
384 
385  /*
386  * Now proceed to do the actual authentication check
387  */
 /*
  * No default arm: an unexpected auth_method leaves status at STATUS_ERROR
  * and is rejected by auth_failed() below.
  */
388  switch (port->hba->auth_method)
389  {
390  case uaReject:
391 
392  /*
393  * An explicit "reject" entry in pg_hba.conf. This report exposes
394  * the fact that there's an explicit reject entry, which is
395  * perhaps not so desirable from a security standpoint; but the
396  * message for an implicit reject could confuse the DBA a lot when
397  * the true situation is a match to an explicit reject. And we
398  * don't want to change the message for an implicit reject. As
399  * noted below, the additional information shown here doesn't
400  * expose anything not known to an attacker.
401  */
402  {
403  char hostinfo[NI_MAXHOST];
404 
 /*
  * Return value is not checked; NOTE(review): confirm pg_getnameinfo_all()
  * always leaves hostinfo NUL-terminated on failure, since it is printed
  * with %s below.  (gap: the NI_NUMERICHOST flag argument on line 408 was
  * dropped in extraction.)
  */
405  pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
406  hostinfo, sizeof(hostinfo),
407  NULL, 0,
409 
410  if (am_walsender)
411  {
412 #ifdef USE_SSL
413  ereport(FATAL,
414  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
415  errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
416  hostinfo, port->user_name,
417  port->ssl_in_use ? _("SSL on") : _("SSL off"))));
418 #else
419  ereport(FATAL,
420  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
421  errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
422  hostinfo, port->user_name)));
423 #endif
424  }
425  else
426  {
427 #ifdef USE_SSL
428  ereport(FATAL,
429  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
430  errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
431  hostinfo, port->user_name,
432  port->database_name,
433  port->ssl_in_use ? _("SSL on") : _("SSL off"))));
434 #else
435  ereport(FATAL,
436  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
437  errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
438  hostinfo, port->user_name,
439  port->database_name)));
440 #endif
441  }
442  break;	/* not reached: every branch above is FATAL */
443  }
444 
445  case uaImplicitReject:
446 
447  /*
448  * No matching entry, so tell the user we fell through.
449  *
450  * NOTE: the extra info reported here is not a security breach,
451  * because all that info is known at the frontend and must be
452  * assumed known to bad guys. We're merely helping out the less
453  * clueful good guys.
454  */
455  {
456  char hostinfo[NI_MAXHOST];
457 
 /* Same unchecked lookup as in uaReject; gap: line 461 (flag argument) dropped. */
458  pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
459  hostinfo, sizeof(hostinfo),
460  NULL, 0,
462 
 /*
  * Reverse/forward DNS outcome for the server log.  This uses
  * errdetail_log rather than errdetail, so -- assuming the usual
  * elog semantics, confirm in elog.h -- the resolver details reach the
  * log only and are not sent to the client, unlike the errmsg text
  * above.  The macro is defined mid-function, never #undef'd, and does
  * not parenthesize its argument; it is only ever passed `port`.
  */
463 #define HOSTNAME_LOOKUP_DETAIL(port) \
464  (port->remote_hostname ? \
465  (port->remote_hostname_resolv == +1 ? \
466  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
467  port->remote_hostname) : \
468  port->remote_hostname_resolv == 0 ? \
469  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
470  port->remote_hostname) : \
471  port->remote_hostname_resolv == -1 ? \
472  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
473  port->remote_hostname) : \
474  port->remote_hostname_resolv == -2 ? \
475  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
476  port->remote_hostname, \
477  gai_strerror(port->remote_hostname_errcode)) : \
478  0) \
479  : (port->remote_hostname_resolv == -2 ? \
480  errdetail_log("Could not resolve client IP address to a host name: %s.", \
481  gai_strerror(port->remote_hostname_errcode)) : \
482  0))
483 
484  if (am_walsender)
485  {
486 #ifdef USE_SSL
487  ereport(FATAL,
488  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
489  errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
490  hostinfo, port->user_name,
491  port->ssl_in_use ? _("SSL on") : _("SSL off")),
492  HOSTNAME_LOOKUP_DETAIL(port)));
493 #else
494  ereport(FATAL,
495  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
496  errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
497  hostinfo, port->user_name),
498  HOSTNAME_LOOKUP_DETAIL(port)));
499 #endif
500  }
501  else
502  {
503 #ifdef USE_SSL
504  ereport(FATAL,
505  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
506  errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
507  hostinfo, port->user_name,
508  port->database_name,
509  port->ssl_in_use ? _("SSL on") : _("SSL off")),
510  HOSTNAME_LOOKUP_DETAIL(port)));
511 #else
512  ereport(FATAL,
513  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
514  errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
515  hostinfo, port->user_name,
516  port->database_name),
517  HOSTNAME_LOOKUP_DETAIL(port)));
518 #endif
519  }
520  break;	/* not reached: every branch above is FATAL */
521  }
522 
 /*
  * Methods below that are compiled out of this build fall to Assert(false).
  * With assertions disabled that is a no-op and status stays STATUS_ERROR,
  * so the connection is still refused; hba.c is presumably expected to
  * reject such pg_hba.conf lines at parse time (TODO confirm).
  */
523  case uaGSS:
524 #ifdef ENABLE_GSS
 /* Challenge first, then consume and verify the client's GSS token. */
525  sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
526  status = pg_GSS_recvauth(port);
527 #else
528  Assert(false);
529 #endif
530  break;
531 
532  case uaSSPI:
533 #ifdef ENABLE_SSPI
534  sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
535  status = pg_SSPI_recvauth(port);
536 #else
537  Assert(false);
538 #endif
539  break;
540 
541  case uaPeer:
542 #ifdef HAVE_UNIX_SOCKETS
 /* Local-socket peer credentials; no network round trip. */
543  status = auth_peer(port);
544 #else
545  Assert(false);
546 #endif
547  break;
548 
549  case uaIdent:
 /* Remote ident (RFC 1413) lookup; trusts the client host's identd. */
550  status = ident_inet(port);
551  break;
552 
 /*
  * Both challenge/response password methods share one helper; which
  * challenge is issued is decided inside CheckPWChallengeAuth(), not here.
  */
553  case uaMD5:
554  case uaSCRAM:
555  status = CheckPWChallengeAuth(port, &logdetail);
556  break;
557 
 /*
  * "password" is the non-challenge method.  Nothing in this function
  * requires an encrypted transport for it; that is left to the hba
  * configuration (hostssl etc.).
  */
558  case uaPassword:
559  status = CheckPasswordAuth(port, &logdetail);
560  break;
561 
562  case uaPAM:
563 #ifdef USE_PAM
 /* Third argument is an empty string; presumably the password slot, with CheckPAMAuth() collecting the password itself -- confirm. */
564  status = CheckPAMAuth(port, port->user_name, "");
565 #else
566  Assert(false);
567 #endif /* USE_PAM */
568  break;
569 
570  case uaBSD:
571 #ifdef USE_BSD_AUTH
572  status = CheckBSDAuth(port, port->user_name);
573 #else
574  Assert(false);
575 #endif /* USE_BSD_AUTH */
576  break;
577 
578  case uaLDAP:
579 #ifdef USE_LDAP
580  status = CheckLDAPAuth(port);
581 #else
582  Assert(false);
583 #endif
584  break;
585 
586  case uaCert:
587 #ifdef USE_SSL
 /* Authenticates by the client certificate alone (cert presence was verified earlier only if clientcert was set). */
588  status = CheckCertAuth(port);
589 #else
590  Assert(false);
591 #endif
592  break;
593  case uaRADIUS:
594  status = CheckRADIUSAuth(port);
595  break;
 /*
  * No credential is checked at all: any client matching this hba line's
  * address/database/user is authenticated.  The only extra gate is the
  * clientcert check at the top of this function, if the line sets it.
  */
596  case uaTrust:
597  status = STATUS_OK;
598  break;
599  }
600 
 /*
  * gap: line 601 was dropped in extraction -- presumably the NULL guard
  * `if (ClientAuthentication_hook)`.  The hook runs after the method has
  * produced its verdict but before AUTH_REQ_OK is sent.  It receives
  * `status` by value and cannot change it, so a hook that wants to veto an
  * otherwise-successful login must ereport(FATAL) itself.
  */
602  (*ClientAuthentication_hook) (port, status);
603 
604  if (status == STATUS_OK)
605  sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
606  else
607  auth_failed(port, status, logdetail);	/* does not return */
608 }

Variable Documentation

PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook

Definition at line 241 of file auth.c.

Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().

bool pg_krb_caseins_users

Definition at line 166 of file auth.c.

char* pg_krb_realm
char* pg_krb_server_keyfile

Definition at line 165 of file auth.c.