PostgreSQL Source Code  git master
Typedefs | Functions | Variables
auth.h File Reference
#include "libpq/libpq-be.h"
Include dependency graph for auth.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Typedefs

typedef void(* ClientAuthentication_hook_type) (Port *, int)
 

Functions

void ClientAuthentication (Port *port)
 

Variables

char * pg_krb_server_keyfile
 
bool pg_krb_caseins_users
 
char * pg_krb_realm
 
PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook
 

Typedef Documentation

◆ ClientAuthentication_hook_type

typedef void(* ClientAuthentication_hook_type) (Port *, int)

Definition at line 26 of file auth.h.

Function Documentation

◆ ClientAuthentication()

void ClientAuthentication ( Port port)

Definition at line 347 of file auth.c.

References _, SockAddr::addr, am_walsender, Assert, auth_failed(), HbaLine::auth_method, AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, HbaLine::clientcert, Port::database_name, ereport, errcode(), errmsg(), FATAL, Port::hba, hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), NI_MAXHOST, NI_NUMERICHOST, Port::peer_cert_valid, pg_getnameinfo_all(), port, Port::raddr, SockAddr::salen, secure_loaded_verify_locations(), sendAuthRequest(), Port::ssl_in_use, status(), STATUS_ERROR, STATUS_OK, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, and Port::user_name.

Referenced by PerformAuthentication().

348 {
349  int status = STATUS_ERROR;
350  char *logdetail = NULL;
351 
352  /*
353  * Get the authentication method to use for this frontend/database
354  * combination. Note: we do not parse the file at this point; this has
355  * already been done elsewhere. hba.c dropped an error message into the
356  * server logfile if parsing the hba config file failed.
357  */
358  hba_getauthmethod(port);
359 
360  CHECK_FOR_INTERRUPTS();
361 
362  /*
363  * This is the first point where we have access to the hba record for the
364  * current connection, so perform any verifications based on the hba
365  * options field that should be done *before* the authentication here.
366  */
367  if (port->hba->clientcert)
368  {
369  /* If we haven't loaded a root certificate store, fail */
370  if (!secure_loaded_verify_locations())
371  ereport(FATAL,
372  (errcode(ERRCODE_CONFIG_FILE_ERROR),
373  errmsg("client certificates can only be checked if a root certificate store is available")));
374 
375  /*
376  * If we loaded a root certificate store, and if a certificate is
377  * present on the client, then it has been verified against our root
378  * certificate store, and the connection would have been aborted
379  * already if it didn't verify ok.
380  */
381  if (!port->peer_cert_valid)
382  ereport(FATAL,
383  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
384  errmsg("connection requires a valid client certificate")));
385  }
386 
387  /*
388  * Now proceed to do the actual authentication check
389  */
390  switch (port->hba->auth_method)
391  {
392  case uaReject:
393 
394  /*
395  * An explicit "reject" entry in pg_hba.conf. This report exposes
396  * the fact that there's an explicit reject entry, which is
397  * perhaps not so desirable from a security standpoint; but the
398  * message for an implicit reject could confuse the DBA a lot when
399  * the true situation is a match to an explicit reject. And we
400  * don't want to change the message for an implicit reject. As
401  * noted below, the additional information shown here doesn't
402  * expose anything not known to an attacker.
403  */
404  {
405  char hostinfo[NI_MAXHOST];
406 
407  pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
408  hostinfo, sizeof(hostinfo),
409  NULL, 0,
410  NI_NUMERICHOST);
411 
412  if (am_walsender)
413  {
414 #ifdef USE_SSL
415  ereport(FATAL,
416  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
417  errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
418  hostinfo, port->user_name,
419  port->ssl_in_use ? _("SSL on") : _("SSL off"))));
420 #else
421  ereport(FATAL,
422  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
423  errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
424  hostinfo, port->user_name)));
425 #endif
426  }
427  else
428  {
429 #ifdef USE_SSL
430  ereport(FATAL,
431  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
432  errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
433  hostinfo, port->user_name,
434  port->database_name,
435  port->ssl_in_use ? _("SSL on") : _("SSL off"))));
436 #else
437  ereport(FATAL,
438  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
439  errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
440  hostinfo, port->user_name,
441  port->database_name)));
442 #endif
443  }
444  break;
445  }
446 
447  case uaImplicitReject:
448 
449  /*
450  * No matching entry, so tell the user we fell through.
451  *
452  * NOTE: the extra info reported here is not a security breach,
453  * because all that info is known at the frontend and must be
454  * assumed known to bad guys. We're merely helping out the less
455  * clueful good guys.
456  */
457  {
458  char hostinfo[NI_MAXHOST];
459 
460  pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
461  hostinfo, sizeof(hostinfo),
462  NULL, 0,
463  NI_NUMERICHOST);
464 
465 #define HOSTNAME_LOOKUP_DETAIL(port) \
466  (port->remote_hostname ? \
467  (port->remote_hostname_resolv == +1 ? \
468  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
469  port->remote_hostname) : \
470  port->remote_hostname_resolv == 0 ? \
471  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
472  port->remote_hostname) : \
473  port->remote_hostname_resolv == -1 ? \
474  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
475  port->remote_hostname) : \
476  port->remote_hostname_resolv == -2 ? \
477  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
478  port->remote_hostname, \
479  gai_strerror(port->remote_hostname_errcode)) : \
480  0) \
481  : (port->remote_hostname_resolv == -2 ? \
482  errdetail_log("Could not resolve client IP address to a host name: %s.", \
483  gai_strerror(port->remote_hostname_errcode)) : \
484  0))
485 
486  if (am_walsender)
487  {
488 #ifdef USE_SSL
489  ereport(FATAL,
490  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
491  errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
492  hostinfo, port->user_name,
493  port->ssl_in_use ? _("SSL on") : _("SSL off")),
494  HOSTNAME_LOOKUP_DETAIL(port)));
495 #else
496  ereport(FATAL,
497  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
498  errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
499  hostinfo, port->user_name),
500  HOSTNAME_LOOKUP_DETAIL(port)));
501 #endif
502  }
503  else
504  {
505 #ifdef USE_SSL
506  ereport(FATAL,
507  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
508  errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
509  hostinfo, port->user_name,
510  port->database_name,
511  port->ssl_in_use ? _("SSL on") : _("SSL off")),
512  HOSTNAME_LOOKUP_DETAIL(port)));
513 #else
514  ereport(FATAL,
515  (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
516  errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
517  hostinfo, port->user_name,
518  port->database_name),
519  HOSTNAME_LOOKUP_DETAIL(port)));
520 #endif
521  }
522  break;
523  }
524 
525  case uaGSS:
526 #ifdef ENABLE_GSS
527  sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
528  status = pg_GSS_recvauth(port);
529 #else
530  Assert(false);
531 #endif
532  break;
533 
534  case uaSSPI:
535 #ifdef ENABLE_SSPI
536  sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
537  status = pg_SSPI_recvauth(port);
538 #else
539  Assert(false);
540 #endif
541  break;
542 
543  case uaPeer:
544 #ifdef HAVE_UNIX_SOCKETS
545  status = auth_peer(port);
546 #else
547  Assert(false);
548 #endif
549  break;
550 
551  case uaIdent:
552  status = ident_inet(port);
553  break;
554 
555  case uaMD5:
556  case uaSCRAM:
557  status = CheckPWChallengeAuth(port, &logdetail);
558  break;
559 
560  case uaPassword:
561  status = CheckPasswordAuth(port, &logdetail);
562  break;
563 
564  case uaPAM:
565 #ifdef USE_PAM
566  status = CheckPAMAuth(port, port->user_name, "");
567 #else
568  Assert(false);
569 #endif /* USE_PAM */
570  break;
571 
572  case uaBSD:
573 #ifdef USE_BSD_AUTH
574  status = CheckBSDAuth(port, port->user_name);
575 #else
576  Assert(false);
577 #endif /* USE_BSD_AUTH */
578  break;
579 
580  case uaLDAP:
581 #ifdef USE_LDAP
582  status = CheckLDAPAuth(port);
583 #else
584  Assert(false);
585 #endif
586  break;
587 
588  case uaCert:
589 #ifdef USE_SSL
590  status = CheckCertAuth(port);
591 #else
592  Assert(false);
593 #endif
594  break;
595  case uaRADIUS:
596  status = CheckRADIUSAuth(port);
597  break;
598  case uaTrust:
599  status = STATUS_OK;
600  break;
601  }
602 
603  if (ClientAuthentication_hook)
604  (*ClientAuthentication_hook) (port, status);
605 
606  if (status == STATUS_OK)
607  sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
608  else
609  auth_failed(port, status, logdetail);
610 }
HOSTNAME_LOOKUP_DETAIL
#define HOSTNAME_LOOKUP_DETAIL(port)
uaIdent
Definition: hba.h:30
AUTH_REQ_SSPI
#define AUTH_REQ_SSPI
Definition: pqcomm.h:174
uaLDAP
Definition: hba.h:38
NI_NUMERICHOST
#define NI_NUMERICHOST
Definition: getaddrinfo.h:78
uaMD5
Definition: hba.h:32
sendAuthRequest
static void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata, int extralen)
Definition: auth.c:617
AUTH_REQ_OK
#define AUTH_REQ_OK
Definition: pqcomm.h:165
AUTH_REQ_GSS
#define AUTH_REQ_GSS
Definition: pqcomm.h:172
uaSSPI
Definition: hba.h:35
Port::peer_cert_valid
bool peer_cert_valid
Definition: libpq-be.h:183
SockAddr::addr
struct sockaddr_storage addr
Definition: pqcomm.h:64
errcode
int errcode(int sqlerrcode)
Definition: elog.c:575
STATUS_ERROR
#define STATUS_ERROR
Definition: c.h:1009
Port::ssl_in_use
bool ssl_in_use
Definition: libpq-be.h:181
CheckRADIUSAuth
static int CheckRADIUSAuth(Port *port)
Definition: auth.c:2856
uaGSS
Definition: hba.h:34
uaPassword
Definition: hba.h:31
Port::raddr
SockAddr raddr
Definition: libpq-be.h:122
am_walsender
bool am_walsender
Definition: walsender.c:115
NI_MAXHOST
#define NI_MAXHOST
Definition: getaddrinfo.h:88
uaCert
Definition: hba.h:39
CheckPWChallengeAuth
static int CheckPWChallengeAuth(Port *port, char **logdetail)
Definition: auth.c:770
FATAL
#define FATAL
Definition: elog.h:52
uaReject
Definition: hba.h:27
uaTrust
Definition: hba.h:29
hba_getauthmethod
void hba_getauthmethod(hbaPort *port)
Definition: hba.c:3024
ClientAuthentication_hook
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:243
Port::user_name
char * user_name
Definition: libpq-be.h:137
SockAddr::salen
ACCEPT_TYPE_ARG3 salen
Definition: pqcomm.h:65
ereport
#define ereport(elevel, rest)
Definition: elog.h:122
STATUS_OK
#define STATUS_OK
Definition: c.h:1008
port
static int port
Definition: pg_regress.c:90
Port::hba
HbaLine * hba
Definition: libpq-be.h:144
ident_inet
static int ident_inet(hbaPort *port)
Definition: auth.c:1845
uaSCRAM
Definition: hba.h:33
CheckPasswordAuth
static int CheckPasswordAuth(Port *port, char **logdetail)
Definition: auth.c:738
uaBSD
Definition: hba.h:37
Assert
#define Assert(condition)
Definition: c.h:699
pg_getnameinfo_all
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:122
secure_loaded_verify_locations
bool secure_loaded_verify_locations(void)
Definition: be-secure.c:98
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:797
auth_failed
static void auth_failed(Port *port, int status, char *logdetail)
Definition: auth.c:259
HbaLine::clientcert
bool clientcert
Definition: hba.h:89
CHECK_FOR_INTERRUPTS
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:98
status
static void static void status(const char *fmt,...) pg_attribute_printf(1
Definition: pg_regress.c:225
Port::database_name
char * database_name
Definition: libpq-be.h:136
uaPAM
Definition: hba.h:36
_
#define _(x)
Definition: elog.c:84
uaRADIUS
Definition: hba.h:40
HbaLine::auth_method
UserAuth auth_method
Definition: hba.h:72

Variable Documentation

◆ ClientAuthentication_hook

PGDLLIMPORT ClientAuthentication_hook_type ClientAuthentication_hook

Definition at line 243 of file auth.c.

Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().

◆ pg_krb_caseins_users

bool pg_krb_caseins_users

Definition at line 168 of file auth.c.

Referenced by CheckSCRAMAuth().

◆ pg_krb_realm

char* pg_krb_realm

◆ pg_krb_server_keyfile

char* pg_krb_server_keyfile

Definition at line 167 of file auth.c.

Referenced by CheckSCRAMAuth().