PostgreSQL Source Code  git master
auth.h File Reference
#include "libpq/libpq-be.h"


Typedefs

typedef void(* ClientAuthentication_hook_type )(Port *, int)
 

Functions

void ClientAuthentication (Port *port)
 

Variables

char * pg_krb_server_keyfile
 
bool pg_krb_caseins_users
 
char * pg_krb_realm
 
PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook
 

Typedef Documentation

typedef void(* ClientAuthentication_hook_type)(Port *, int)

Definition at line 26 of file auth.h.

Function Documentation

void ClientAuthentication ( Port * port)

Definition at line 329 of file auth.c.

References _, SockAddr::addr, am_walsender, Assert, auth_failed(), HbaLine::auth_method, AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, CHECK_FOR_INTERRUPTS, CheckMD5Auth(), CheckPasswordAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, HbaLine::clientcert, Port::database_name, ereport, errcode(), errmsg(), FATAL, Port::hba, hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), NI_MAXHOST, NI_NUMERICHOST, NULL, Port::peer_cert_valid, pg_getnameinfo_all(), port, Port::raddr, SockAddr::salen, secure_loaded_verify_locations(), sendAuthRequest(), Port::ssl_in_use, status(), STATUS_ERROR, STATUS_OK, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSSPI, uaTrust, and Port::user_name.

Referenced by PerformAuthentication().

/*
 * Body of ClientAuthentication(Port *port): looks up the authentication
 * method for this connection (hba_getauthmethod), enforces the clientcert
 * option, runs the selected method, passes the result to
 * ClientAuthentication_hook, and then either sends AUTH_REQ_OK or calls
 * auth_failed().
 *
 * status starts as STATUS_ERROR, so any path that does not explicitly set
 * STATUS_OK ends in auth_failed() (fail closed).
 *
 * NOTE(review): the gutter numbers skip 342, 352, 392, 445, 518 and 584, so
 * six source lines are absent from this listing; each gap is marked below.
 */
330 {
331  int status = STATUS_ERROR;
332  char *logdetail = NULL;
333 
334  /*
335  * Get the authentication method to use for this frontend/database
336  * combination. Note: we do not parse the file at this point; this has
337  * already been done elsewhere. hba.c dropped an error message into the
338  * server logfile if parsing the hba config file failed.
339  */
340  hba_getauthmethod(port);
341 
 /*
  * NOTE(review): source line 342 is absent from this listing. The
  * References list for this function names CHECK_FOR_INTERRUPTS, which
  * appears nowhere else in the body, so it is presumably invoked here --
  * confirm against auth.c.
  */
343 
344  /*
345  * This is the first point where we have access to the hba record for the
346  * current connection, so perform any verifications based on the hba
347  * options field that should be done *before* the authentication here.
348  */
349  if (port->hba->clientcert)
350  {
351  /* If we haven't loaded a root certificate store, fail */
 /*
  * NOTE(review): source line 352 is absent, which makes the FATAL below
  * look unconditional. The comment above and the References list (which
  * names secure_loaded_verify_locations()) indicate the report is guarded
  * by a check that no root certificate store was loaded -- confirm against
  * auth.c before reading this branch as "always fails".
  */
353  ereport(FATAL,
354  (errcode(ERRCODE_CONFIG_FILE_ERROR),
355  errmsg("client certificates can only be checked if a root certificate store is available")));
356 
357  /*
358  * If we loaded a root certificate store, and if a certificate is
359  * present on the client, then it has been verified against our root
360  * certificate store, and the connection would have been aborted
361  * already if it didn't verify ok.
362  */
 /*
  * This test runs before the method switch, so it applies to every
  * auth_method, including uaTrust, whenever the hba entry sets clientcert.
  */
363  if (!port->peer_cert_valid)
364  ereport(FATAL,
365  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
366  errmsg("connection requires a valid client certificate")));
367  }
368 
369  /*
370  * Now proceed to do the actual authentication check
371  */
372  switch (port->hba->auth_method)
373  {
374  case uaReject:
375 
376  /*
377  * An explicit "reject" entry in pg_hba.conf. This report exposes
378  * the fact that there's an explicit reject entry, which is
379  * perhaps not so desirable from a security standpoint; but the
380  * message for an implicit reject could confuse the DBA a lot when
381  * the true situation is a match to an explicit reject. And we
382  * don't want to change the message for an implicit reject. As
383  * noted below, the additional information shown here doesn't
384  * expose anything not known to an attacker.
385  */
386  {
387  char hostinfo[NI_MAXHOST];
388 
389  pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
390  hostinfo, sizeof(hostinfo),
391  NULL, 0,
 /*
  * NOTE(review): source line 392 (the end of this call) is absent. The
  * References list names NI_NUMERICHOST, presumably the final flags
  * argument, which would make hostinfo the numeric address -- confirm.
  */
393 
 /*
  * Every message below uses a literal format string and passes hostinfo,
  * user_name and database_name as %s arguments, so their contents are not
  * interpreted as format directives. am_walsender selects the replication
  * wording, which omits the database name.
  * NOTE(review): user_name and database_name presumably come from the
  * client's connection request; log consumers should treat them as
  * untrusted text -- confirm where they are populated.
  * NOTE(review): ereport(FATAL) is expected not to return, so the break
  * below would be for form only -- confirm.
  */
394  if (am_walsender)
395  {
396 #ifdef USE_SSL
397  ereport(FATAL,
398  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
399  errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
400  hostinfo, port->user_name,
401  port->ssl_in_use ? _("SSL on") : _("SSL off"))));
402 #else
403  ereport(FATAL,
404  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
405  errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
406  hostinfo, port->user_name)));
407 #endif
408  }
409  else
410  {
411 #ifdef USE_SSL
412  ereport(FATAL,
413  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
414  errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
415  hostinfo, port->user_name,
416  port->database_name,
417  port->ssl_in_use ? _("SSL on") : _("SSL off"))));
418 #else
419  ereport(FATAL,
420  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
421  errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
422  hostinfo, port->user_name,
423  port->database_name)));
424 #endif
425  }
426  break;
427  }
428 
429  case uaImplicitReject:
430 
431  /*
432  * No matching entry, so tell the user we fell through.
433  *
434  * NOTE: the extra info reported here is not a security breach,
435  * because all that info is known at the frontend and must be
436  * assumed known to bad guys. We're merely helping out the less
437  * clueful good guys.
438  */
439  {
440  char hostinfo[NI_MAXHOST];
441 
442  pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
443  hostinfo, sizeof(hostinfo),
444  NULL, 0,
 /*
  * NOTE(review): source line 445 (the end of this call) is absent, as at
  * line 392 in the uaReject case; presumably the same NI_NUMERICHOST
  * flags argument -- confirm.
  */
446 
 /*
  * HOSTNAME_LOOKUP_DETAIL(port) picks an errdetail_log() text from
  * port->remote_hostname and port->remote_hostname_resolv (+1, 0, -1 or
  * -2, worded as the strings below show), using gai_strerror() on
  * remote_hostname_errcode for the -2 cases, and evaluates to 0 when no
  * detail applies.
  * NOTE(review): errdetail_log() presumably attaches the detail to the
  * server log only, keeping the reverse-DNS result out of the message sent
  * to the client -- confirm against elog.h.
  */
447 #define HOSTNAME_LOOKUP_DETAIL(port) \
448  (port->remote_hostname ? \
449  (port->remote_hostname_resolv == +1 ? \
450  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
451  port->remote_hostname) : \
452  port->remote_hostname_resolv == 0 ? \
453  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
454  port->remote_hostname) : \
455  port->remote_hostname_resolv == -1 ? \
456  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
457  port->remote_hostname) : \
458  port->remote_hostname_resolv == -2 ? \
459  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
460  port->remote_hostname, \
461  gai_strerror(port->remote_hostname_errcode)) : \
462  0) \
463  : (port->remote_hostname_resolv == -2 ? \
464  errdetail_log("Could not resolve client IP address to a host name: %s.", \
465  gai_strerror(port->remote_hostname_errcode)) : \
466  0))
467 
468  if (am_walsender)
469  {
470 #ifdef USE_SSL
471  ereport(FATAL,
472  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
473  errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
474  hostinfo, port->user_name,
475  port->ssl_in_use ? _("SSL on") : _("SSL off")),
476  HOSTNAME_LOOKUP_DETAIL(port)));
477 #else
478  ereport(FATAL,
479  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
480  errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
481  hostinfo, port->user_name),
482  HOSTNAME_LOOKUP_DETAIL(port)));
483 #endif
484  }
485  else
486  {
487 #ifdef USE_SSL
488  ereport(FATAL,
489  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
490  errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
491  hostinfo, port->user_name,
492  port->database_name,
493  port->ssl_in_use ? _("SSL on") : _("SSL off")),
494  HOSTNAME_LOOKUP_DETAIL(port)));
495 #else
496  ereport(FATAL,
497  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
498  errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
499  hostinfo, port->user_name,
500  port->database_name),
501  HOSTNAME_LOOKUP_DETAIL(port)));
502 #endif
503  }
504  break;
505  }
506 
 /*
  * For the methods that depend on a build option (GSS, SSPI, peer, PAM,
  * BSD, LDAP, cert), the #else arm is only Assert(false). status is left
  * at STATUS_ERROR on that arm, so the connection is still refused by
  * auth_failed() below if the assertion does nothing.
  * NOTE(review): confirm that Assert is a no-op in non-assert builds.
  */
507  case uaGSS:
508 #ifdef ENABLE_GSS
509  sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
510  status = pg_GSS_recvauth(port);
511 #else
512  Assert(false);
513 #endif
514  break;
515 
516  case uaSSPI:
517 #ifdef ENABLE_SSPI
 /*
  * NOTE(review): source line 518 is absent. By analogy with the GSS case,
  * and since the References list names AUTH_REQ_SSPI, a sendAuthRequest()
  * with AUTH_REQ_SSPI presumably precedes the receive -- confirm.
  */
519  status = pg_SSPI_recvauth(port);
520 #else
521  Assert(false);
522 #endif
523  break;
524 
525  case uaPeer:
526 #ifdef HAVE_UNIX_SOCKETS
527  status = auth_peer(port);
528 #else
529  Assert(false);
530 #endif
531  break;
532 
533  case uaIdent:
534  status = ident_inet(port);
535  break;
536 
 /*
  * The two password-based methods are the only ones here that receive
  * &logdetail; whatever they store in it is handed to auth_failed() below.
  */
537  case uaMD5:
538  status = CheckMD5Auth(port, &logdetail);
539  break;
540 
541  case uaPassword:
542  status = CheckPasswordAuth(port, &logdetail);
543  break;
544 
545  case uaPAM:
546 #ifdef USE_PAM
547  status = CheckPAMAuth(port, port->user_name, "");
548 #else
549  Assert(false);
550 #endif /* USE_PAM */
551  break;
552 
553  case uaBSD:
554 #ifdef USE_BSD_AUTH
555  status = CheckBSDAuth(port, port->user_name);
556 #else
557  Assert(false);
558 #endif /* USE_BSD_AUTH */
559  break;
560 
561  case uaLDAP:
562 #ifdef USE_LDAP
563  status = CheckLDAPAuth(port);
564 #else
565  Assert(false);
566 #endif
567  break;
568 
569  case uaCert:
570 #ifdef USE_SSL
571  status = CheckCertAuth(port);
572 #else
573  Assert(false);
574 #endif
575  break;
576  case uaRADIUS:
577  status = CheckRADIUSAuth(port);
578  break;
 /*
  * trust: no credential is checked here. The only test such a connection
  * has passed in this function is the clientcert check above, and only
  * when the hba entry sets clientcert.
  */
579  case uaTrust:
580  status = STATUS_OK;
581  break;
582  }
 /*
  * The switch has no default arm: an auth_method value not listed above
  * leaves status at STATUS_ERROR and so ends in auth_failed().
  */
583 
 /*
  * NOTE(review): source line 584 is absent, which makes the hook call
  * below look unconditional. It is presumably guarded by a test that
  * ClientAuthentication_hook is set -- confirm against auth.c.
  *
  * The hook runs for both outcomes and before any result is sent to the
  * client. Its type is void (*)(Port *, int), so it receives status by
  * value and cannot change the outcome through that argument.
  */
585  (*ClientAuthentication_hook) (port, status);
586 
 /*
  * Only an explicit STATUS_OK yields AUTH_REQ_OK; every other status value
  * goes to auth_failed() together with logdetail.
  * NOTE(review): logdetail presumably goes to the server log rather than
  * to the client -- confirm in auth_failed().
  */
587  if (status == STATUS_OK)
588  sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
589  else
590  auth_failed(port, status, logdetail);
591 }
#define HOSTNAME_LOOKUP_DETAIL(port)
Definition: hba.h:30
#define AUTH_REQ_SSPI
Definition: pqcomm.h:174
Definition: hba.h:37
#define NI_NUMERICHOST
Definition: getaddrinfo.h:80
Definition: hba.h:32
#define AUTH_REQ_OK
Definition: pqcomm.h:165
#define AUTH_REQ_GSS
Definition: pqcomm.h:172
Definition: hba.h:34
bool peer_cert_valid
Definition: libpq-be.h:185
struct sockaddr_storage addr
Definition: pqcomm.h:64
int errcode(int sqlerrcode)
Definition: elog.c:575
#define STATUS_ERROR
Definition: c.h:971
bool ssl_in_use
Definition: libpq-be.h:183
static int CheckRADIUSAuth(Port *port)
Definition: auth.c:2455
Definition: hba.h:33
Definition: hba.h:31
SockAddr raddr
Definition: libpq-be.h:124
bool am_walsender
Definition: walsender.c:106
#define NI_MAXHOST
Definition: getaddrinfo.h:90
Definition: hba.h:38
#define FATAL
Definition: elog.h:52
Definition: hba.h:27
Definition: hba.h:29
void hba_getauthmethod(hbaPort *port)
Definition: hba.c:2838
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:226
char * user_name
Definition: libpq-be.h:139
ACCEPT_TYPE_ARG3 salen
Definition: pqcomm.h:65
static void sendAuthRequest(Port *port, AuthRequest areq, char *extradata, int extralen)
Definition: auth.c:598
#define ereport(elevel, rest)
Definition: elog.h:122
#define STATUS_OK
Definition: c.h:970
static int CheckMD5Auth(Port *port, char **logdetail)
Definition: auth.c:697
static int port
Definition: pg_regress.c:87
HbaLine * hba
Definition: libpq-be.h:146
static int ident_inet(hbaPort *port)
Definition: auth.c:1569
static int CheckPasswordAuth(Port *port, char **logdetail)
Definition: auth.c:741
Definition: hba.h:36
#define NULL
Definition: c.h:226
#define Assert(condition)
Definition: c.h:670
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:123
bool secure_loaded_verify_locations(void)
Definition: be-secure.c:97
int errmsg(const char *fmt,...)
Definition: elog.c:797
static void auth_failed(Port *port, int status, char *logdetail)
Definition: auth.c:242
bool clientcert
Definition: hba.h:86
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:97
static void static void status(const char *fmt,...) pg_attribute_printf(1
Definition: pg_regress.c:222
char * database_name
Definition: libpq-be.h:138
Definition: hba.h:35
#define _(x)
Definition: elog.c:84
Definition: hba.h:39
UserAuth auth_method
Definition: hba.h:71

Variable Documentation

PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook

Definition at line 226 of file auth.c.

Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().

bool pg_krb_caseins_users

Definition at line 159 of file auth.c.

char* pg_krb_realm
char* pg_krb_server_keyfile

Definition at line 158 of file auth.c.