Index: configure.in =================================================================== RCS file: /projects/cvsroot/pgsql/configure.in,v retrieving revision 1.412 diff -c -r1.412 configure.in *** configure.in 4 Jun 2005 20:42:41 -0000 1.412 --- configure.in 21 Jun 2005 20:27:45 -0000 *************** *** 410,428 **** AC_SUBST(with_python) # - # Kerberos 4 - # - AC_MSG_CHECKING([whether to build with Kerberos 4 support]) - PGAC_ARG_BOOL(with, krb4, no, [ --with-krb4 build with Kerberos 4 support], - [ - AC_DEFINE(KRB4, 1, [Define to build with Kerberos 4 support. (--with-krb4)]) - krb_srvtab="/etc/srvtab" - ]) - AC_MSG_RESULT([$with_krb4]) - AC_SUBST(with_krb4) - - - # # Kerberos 5 # AC_MSG_CHECKING([whether to build with Kerberos 5 support]) --- 410,415 ---- *************** *** 435,445 **** AC_SUBST(with_krb5) - # Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work. - if test "$with_krb4" = yes && test "$with_krb5" = yes ; then - AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined]) - fi - AC_SUBST(krb_srvtab) --- 422,427 ---- *************** *** 666,677 **** *** Not using spinlocks will cause poor performance.]) fi - if test "$with_krb4" = yes ; then - AC_CHECK_LIB(des, des_encrypt, [], [AC_MSG_ERROR([library 'des' is required for Kerberos 4])]) - AC_CHECK_LIB(krb, krb_sendauth, [], [AC_MSG_ERROR([library 'krb' is required for Kerberos 4])]) - AC_REPLACE_FUNCS([gethostname]) - fi - if test "$with_krb5" = yes ; then if test "$PORTNAME" != "win32"; then AC_SEARCH_LIBS(com_err, [krb5 'krb5 -ldes -lasn1 -lroken' com_err], [], --- 648,653 ---- *************** *** 762,771 **** Use --without-zlib to disable zlib support.])]) fi - if test "$with_krb4" = yes ; then - AC_CHECK_HEADER(krb.h, [], [AC_MSG_ERROR([header file is required for Kerberos 4])]) - fi - if test "$with_krb5" = yes ; then AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file is required for Kerberos 5])]) fi --- 738,743 ---- Index: doc/TODO 
=================================================================== RCS file: /projects/cvsroot/pgsql/doc/TODO,v retrieving revision 1.1568 diff -c -r1.1568 TODO *** doc/TODO 18 Jun 2005 01:45:58 -0000 1.1568 --- doc/TODO 21 Jun 2005 20:27:46 -0000 *************** *** 975,981 **** * Promote debug_query_string into a server-side function current_query() * Allow the identifier length to be increased via a configure option * Remove Win32 rename/unlink looping if unnecessary - * Remove kerberos4 from source tree? * Allow cross-compiling by generating the zic database on the target system * Improve NLS maintenace of libpgport messages linked onto applications * Allow ecpg to work with MSVC and BCC --- 975,980 ---- Index: doc/src/sgml/client-auth.sgml =================================================================== RCS file: /projects/cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v retrieving revision 1.81 diff -c -r1.81 client-auth.sgml *** doc/src/sgml/client-auth.sgml 21 Jun 2005 04:02:29 -0000 1.81 --- doc/src/sgml/client-auth.sgml 21 Jun 2005 20:27:46 -0000 *************** *** 327,343 **** - krb4 - - - Use Kerberos V4 to authenticate the user. This is only - available for TCP/IP connections. See for details. - - - - - krb5 --- 327,332 ---- *************** *** 623,633 **** ! While PostgreSQL supports both Kerberos 4 and ! Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is ! considered insecure and no longer recommended for general ! use. Only one version of Kerberos can be supported in any one ! build, and support must be enabled at build time. See for more information. --- 612,619 ---- ! PostgreSQL supports Kerberos version 5, and it has ! to be enabled at build time. See for more information. *************** *** 669,679 **** account. (See also .) The location of the key file is specified by the configuration ! parameter. The default ! is /etc/srvtab if you are using Kerberos 4 and /usr/local/pgsql/etc/krb5.keytab (or whichever ! 
directory was specified as sysconfdir at build time) ! with Kerberos 5. --- 655,663 ---- account. (See also .) The location of the key file is specified by the configuration ! parameter. The default is /usr/local/pgsql/etc/krb5.keytab (or whichever ! directory was specified as sysconfdir at build time). Index: doc/src/sgml/installation.sgml =================================================================== RCS file: /projects/cvsroot/pgsql/doc/src/sgml/installation.sgml,v retrieving revision 1.236 diff -c -r1.236 installation.sgml *** doc/src/sgml/installation.sgml 21 Jun 2005 04:02:29 -0000 1.236 --- doc/src/sgml/installation.sgml 21 Jun 2005 20:27:46 -0000 *************** *** 795,806 **** - ! Build with support for Kerberos authentication. You can use ! either Kerberos version 4 or 5, but not both. On many systems, the Kerberos system is not installed in a location that is searched by default (e.g., /usr/include, /usr/lib), so you must use the options --- 795,804 ---- ! Build with support for Kerberos 5 authentication. On many systems, the Kerberos system is not installed in a location that is searched by default (e.g., /usr/include, /usr/lib), so you must use the options Index: doc/src/sgml/libpq.sgml =================================================================== RCS file: /projects/cvsroot/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.186 diff -c -r1.186 libpq.sgml *** doc/src/sgml/libpq.sgml 21 Jun 2005 04:02:29 -0000 1.186 --- doc/src/sgml/libpq.sgml 21 Jun 2005 20:27:47 -0000 *************** *** 283,289 **** krbsrvname ! Kerberos service name to use when authenticating with Kerberos 4 or 5. This must match the service name specified in the server configuration for Kerberos authentication to succeed. (See also .) --- 283,289 ---- krbsrvname ! Kerberos service name to use when authenticating with Kerberos 5. This must match the service name specified in the server configuration for Kerberos authentication to succeed. (See also .) 
*************** *** 3802,3808 **** PGKRBSRVNAME PGKRBSRVNAME sets the Kerberos service name to use when ! authenticating with Kerberos 4 or 5. --- 3802,3808 ---- PGKRBSRVNAME PGKRBSRVNAME sets the Kerberos service name to use when ! authenticating with Kerberos 5. Index: doc/src/sgml/protocol.sgml =================================================================== RCS file: /projects/cvsroot/pgsql/doc/src/sgml/protocol.sgml,v retrieving revision 1.58 diff -c -r1.58 protocol.sgml *** doc/src/sgml/protocol.sgml 23 Jan 2005 00:30:18 -0000 1.58 --- doc/src/sgml/protocol.sgml 21 Jun 2005 20:27:47 -0000 *************** *** 265,283 **** - AuthenticationKerberosV4 - - - The frontend must now take part in a Kerberos V4 - authentication dialog (not described here, part of the - Kerberos specification) with the server. If this is - successful, the server responds with an AuthenticationOk, - otherwise it responds with an ErrorResponse. - - - - - AuthenticationKerberosV5 --- 265,270 ---- *************** *** 1390,1439 **** - AuthenticationKerberosV4 (B) - - - - - - - - Byte1('R') - - - - Identifies the message as an authentication request. - - - - - - Int32(8) - - - - Length of message contents in bytes, including self. - - - - - - Int32(1) - - - - Specifies that Kerberos V4 authentication is required. 
- - - - - - - - - - - AuthenticationKerberosV5 (B) --- 1377,1382 ---- Index: src/backend/libpq/auth.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/backend/libpq/auth.c,v retrieving revision 1.125 diff -c -r1.125 auth.c *** src/backend/libpq/auth.c 14 Jun 2005 17:43:13 -0000 1.125 --- src/backend/libpq/auth.c 21 Jun 2005 20:27:48 -0000 *************** *** 69,151 **** * into pam_passwd_conv_proc */ #endif /* USE_PAM */ - #ifdef KRB4 - /*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 4 - *---------------------------------------------------------------- - */ - - #include "krb.h" - - /* - * pg_krb4_recvauth -- server routine to receive authentication information - * from the client - * - * Nothing unusual here, except that we compare the username obtained from - * the client's setup packet to the authenticated name. (We have to retain - * the name in the setup packet since we have to retain the ability to handle - * unauthenticated connections.) 
- */ - static int - pg_krb4_recvauth(Port *port) - { - long krbopts = 0; /* one-way authentication */ - KTEXT_ST clttkt; - char instance[INST_SZ + 1], - version[KRB_SENDAUTH_VLEN + 1]; - AUTH_DAT auth_data; - Key_schedule key_sched; - int status; - - strcpy(instance, "*"); /* don't care, but arg gets expanded - * anyway */ - status = krb_recvauth(krbopts, - port->sock, - &clttkt, - pg_krb_srvnam, - instance, - &port->raddr.in, - &port->laddr.in, - &auth_data, - pg_krb_server_keyfile, - key_sched, - version); - if (status != KSUCCESS) - { - ereport(LOG, - (errmsg("Kerberos error: %s", krb_err_txt[status]))); - return STATUS_ERROR; - } - if (strncmp(version, PG_KRB4_VERSION, KRB_SENDAUTH_VLEN) != 0) - { - ereport(LOG, - (errmsg("unexpected Kerberos protocol version received from client (received \"%s\", expected \"%s\")", - version, PG_KRB4_VERSION))); - return STATUS_ERROR; - } - if (strncmp(port->user_name, auth_data.pname, SM_DATABASE_USER) != 0) - { - ereport(LOG, - (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")", - port->user_name, auth_data.pname))); - return STATUS_ERROR; - } - return STATUS_OK; - } - - #else - - static int - pg_krb4_recvauth(Port *port) - { - ereport(LOG, - (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("Kerberos 4 not implemented on this server"))); - return STATUS_ERROR; - } - #endif /* KRB4 */ - - #ifdef KRB5 /*---------------------------------------------------------------- * MIT Kerberos authentication system - protocol version 5 --- 69,74 ---- *************** *** 252,259 **** * from the client * * We still need to compare the username obtained from the client's setup ! * packet to the authenticated name, as described in pg_krb4_recvauth. This ! * is a bit more problematic in v5, as described above in pg_an_to_ln. * * We have our own keytab file because postgres is unlikely to run as root, * and so cannot read the default keytab. 
--- 175,181 ---- * from the client * * We still need to compare the username obtained from the client's setup ! * packet to the authenticated name. * * We have our own keytab file because postgres is unlikely to run as root, * and so cannot read the default keytab. *************** *** 380,388 **** case uaReject: errstr = gettext_noop("authentication failed for user \"%s\": host rejected"); break; - case uaKrb4: - errstr = gettext_noop("Kerberos 4 authentication failed for user \"%s\""); - break; case uaKrb5: errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\""); break; --- 302,307 ---- *************** *** 471,487 **** break; } - case uaKrb4: - /* Kerberos 4 only seems to work with AF_INET. */ - if (port->raddr.addr.ss_family != AF_INET - || port->laddr.addr.ss_family != AF_INET) - ereport(FATAL, - (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), - errmsg("Kerberos 4 only supports IPv4 connections"))); - sendAuthRequest(port, AUTH_REQ_KRB4); - status = pg_krb4_recvauth(port); - break; - case uaKrb5: sendAuthRequest(port, AUTH_REQ_KRB5); status = pg_krb5_recvauth(port); --- 390,395 ---- Index: src/backend/libpq/hba.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/backend/libpq/hba.c,v retrieving revision 1.141 diff -c -r1.141 hba.c *** src/backend/libpq/hba.c 21 Jun 2005 01:20:09 -0000 1.141 --- src/backend/libpq/hba.c 21 Jun 2005 20:27:48 -0000 *************** *** 607,614 **** *userauth_p = uaIdent; else if (strcmp(token, "password") == 0) *userauth_p = uaPassword; - else if (strcmp(token, "krb4") == 0) - *userauth_p = uaKrb4; else if (strcmp(token, "krb5") == 0) *userauth_p = uaKrb5; else if (strcmp(token, "reject") == 0) --- 607,612 ---- *************** *** 694,701 **** goto hba_syntax; /* Disallow auth methods that always need TCP/IP sockets to work */ ! if (port->auth_method == uaKrb4 || ! 
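Review bot: The rewritten comment block at new lines 175-181 of auth.c (presumably the header of pg_krb5_recvauth, whose body is outside the hunk) keeps the word "still" but drops both things it pointed at: the rationale, which lived in the pg_krb4_recvauth comment this patch deletes, and the pointer to the pg_an_to_ln caveat. Comparing the client-supplied user name with the authenticated principal is the security-relevant step of this routine, so the reason should stay next to it, for example `* We need to compare the username from the client's setup packet to the authenticated name (the packet name is kept so that unauthenticated connections remain possible).` I would also retain `* This is a bit more problematic in v5, as described above in pg_an_to_ln.` if pg_an_to_ln is still present in the file, which the hunk does not show.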
port->auth_method == uaKrb5) goto hba_syntax; /* Does not match if connection isn't AF_UNIX */ --- 692,698 ---- goto hba_syntax; /* Disallow auth methods that always need TCP/IP sockets to work */ ! if (port->auth_method == uaKrb5) goto hba_syntax; /* Does not match if connection isn't AF_UNIX */ Index: src/backend/libpq/pg_hba.conf.sample =================================================================== RCS file: /projects/cvsroot/pgsql/src/backend/libpq/pg_hba.conf.sample,v retrieving revision 1.57 diff -c -r1.57 pg_hba.conf.sample *** src/backend/libpq/pg_hba.conf.sample 7 Jan 2005 23:59:17 -0000 1.57 --- src/backend/libpq/pg_hba.conf.sample 21 Jun 2005 20:27:48 -0000 *************** *** 35,41 **** # an IP address and netmask in separate columns to specify the set of hosts. # # METHOD can be "trust", "reject", "md5", "crypt", "password", ! # "krb4", "krb5", "ident", or "pam". Note that "password" sends passwords # in clear text; "md5" is preferred since it sends encrypted passwords. # # OPTION is the ident map or the name of the PAM service, depending on METHOD. --- 35,41 ---- # an IP address and netmask in separate columns to specify the set of hosts. # # METHOD can be "trust", "reject", "md5", "crypt", "password", ! # "krb5", "ident", or "pam". Note that "password" sends passwords # in clear text; "md5" is preferred since it sends encrypted passwords. # # OPTION is the ident map or the name of the PAM service, depending on METHOD. Index: src/include/pg_config.h.in =================================================================== RCS file: /projects/cvsroot/pgsql/src/include/pg_config.h.in,v retrieving revision 1.84 diff -c -r1.84 pg_config.h.in *** src/include/pg_config.h.in 4 Jun 2005 20:42:42 -0000 1.84 --- src/include/pg_config.h.in 21 Jun 2005 20:27:48 -0000 *************** *** 575,583 **** /* Define to the appropriate snprintf format for 64-bit ints, if any. */ #undef INT64_FORMAT - /* Define to build with Kerberos 4 support. 
(--with-krb4) */ - #undef KRB4 - /* Define to build with Kerberos 5 support. (--with-krb5) */ #undef KRB5 --- 575,580 ---- Index: src/include/port.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/include/port.h,v retrieving revision 1.75 diff -c -r1.75 port.h *** src/include/port.h 25 May 2005 21:40:41 -0000 1.75 --- src/include/port.h 21 Jun 2005 20:27:48 -0000 *************** *** 267,276 **** extern int isinf(double x); #endif - #if !defined(HAVE_GETHOSTNAME) && defined(KRB4) - extern int gethostname(char *name, int namelen); - #endif - #ifndef HAVE_RINT extern double rint(double x); #endif --- 267,272 ---- Index: src/include/libpq/auth.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/include/libpq/auth.h,v retrieving revision 1.28 diff -c -r1.28 auth.h *** src/include/libpq/auth.h 14 Jun 2005 17:43:14 -0000 1.28 --- src/include/libpq/auth.h 21 Jun 2005 20:27:48 -0000 *************** *** 23,30 **** extern void ClientAuthentication(Port *port); ! #define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */ ! #define PG_KRB5_VERSION "PGVER5.1" extern char *pg_krb_server_keyfile; extern char *pg_krb_srvnam; --- 23,29 ---- extern void ClientAuthentication(Port *port); ! #define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */ extern char *pg_krb_server_keyfile; extern char *pg_krb_srvnam; Index: src/include/libpq/hba.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/include/libpq/hba.h,v retrieving revision 1.36 diff -c -r1.36 hba.h *** src/include/libpq/hba.h 26 Feb 2005 18:43:34 -0000 1.36 --- src/include/libpq/hba.h 21 Jun 2005 20:27:48 -0000 *************** *** 17,23 **** typedef enum UserAuth { uaReject, ! uaKrb4, uaKrb5, uaTrust, uaIdent, --- 17,23 ---- typedef enum UserAuth { uaReject, ! 
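Review bot: The length comment now attached to PG_KRB5_VERSION in src/include/libpq/auth.h refers to KRB_SENDAUTH_VLEN, which in this patch appears only in the removed pg_krb4_recvauth code built against krb.h. The old header carried that comment on PG_KRB4_VERSION and none on the V5 define, so it looks as if the comment was moved along by accident. Unless the Kerberos 5 headers impose the same limit (not visible here), I would leave the line as `#define PG_KRB5_VERSION "PGVER5.1"`. The same applies to the hunk at line 39 of src/interfaces/libpq/fe-auth.h.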
uaKrb4, /* Not supported any more */ uaKrb5, uaTrust, uaIdent, Index: src/include/libpq/pqcomm.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/include/libpq/pqcomm.h,v retrieving revision 1.96 diff -c -r1.96 pqcomm.h *** src/include/libpq/pqcomm.h 31 Dec 2004 22:03:32 -0000 1.96 --- src/include/libpq/pqcomm.h 21 Jun 2005 20:27:48 -0000 *************** *** 160,166 **** /* These are the authentication request codes sent by the backend. */ #define AUTH_REQ_OK 0 /* User is authenticated */ ! #define AUTH_REQ_KRB4 1 /* Kerberos V4 */ #define AUTH_REQ_KRB5 2 /* Kerberos V5 */ #define AUTH_REQ_PASSWORD 3 /* Password */ #define AUTH_REQ_CRYPT 4 /* crypt password */ --- 160,166 ---- /* These are the authentication request codes sent by the backend. */ #define AUTH_REQ_OK 0 /* User is authenticated */ ! #define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */ #define AUTH_REQ_KRB5 2 /* Kerberos V5 */ #define AUTH_REQ_PASSWORD 3 /* Password */ #define AUTH_REQ_CRYPT 4 /* crypt password */ Index: src/interfaces/libpq/Makefile =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/Makefile,v retrieving revision 1.133 diff -c -r1.133 Makefile *** src/interfaces/libpq/Makefile 29 Apr 2005 14:07:27 -0000 1.133 --- src/interfaces/libpq/Makefile 21 Jun 2005 20:27:49 -0000 *************** *** 53,59 **** # Add libraries that libpq depends (or might depend) on into the # shared library link. (The order in which you list them here doesn't # matter.) ! SHLIB_LINK += $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS) ifeq ($(PORTNAME), win32) SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS)) endif --- 53,59 ---- # Add libraries that libpq depends (or might depend) on into the # shared library link. 
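Review bot: uaKrb4 stays in UserAuth with only "Not supported any more", yet nothing in this patch can set or handle it: hba.c no longer maps the "krb4" token and both `case uaKrb4:` arms in auth.c are deleted. Whether those switches have a default arm is not visible here, so a stray uaKrb4 could pass through unhandled. Either drop the member so the compiler flags any leftover use, or state why it stays, e.g. `uaKrb4, /* Not supported any more; kept only to preserve the numbering of the other members */` if that is the reason. A pg_hba.conf that still names krb4 will now take the parser's unknown-method path, which deserves a release-note line.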
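Review bot: The new comment on AUTH_REQ_KRB4 in pqcomm.h should say that the value remains reserved, not just unsupported. fe_sendauth in fe-auth.c keeps a `case AUTH_REQ_KRB4:` that fails with "Kerberos 4 authentication not supported", so a client can still receive this code from an older server, and reusing 1 for a new method later would make old and new peers disagree about which authentication is being requested. Proposed wording: `#define AUTH_REQ_KRB4 1 /* Kerberos V4; no longer sent by the backend, value reserved and must not be reused */`.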
(The order in which you list them here doesn't # matter.) ! SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS) ifeq ($(PORTNAME), win32) SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS)) endif Index: src/interfaces/libpq/fe-auth.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v retrieving revision 1.101 diff -c -r1.101 fe-auth.c *** src/interfaces/libpq/fe-auth.c 4 Jun 2005 20:42:43 -0000 1.101 --- src/interfaces/libpq/fe-auth.c 21 Jun 2005 20:27:49 -0000 *************** *** 64,70 **** */ #define STARTUP_MSG 7 /* Initialise a connection */ ! #define STARTUP_KRB4_MSG 10 /* krb4 session follows */ #define STARTUP_KRB5_MSG 11 /* krb5 session follows */ #define STARTUP_PASSWORD_MSG 14 /* Password follows */ --- 64,70 ---- */ #define STARTUP_MSG 7 /* Initialise a connection */ ! #define STARTUP_KRB4_MSG 10 /* krb4 session follows. Not supported any more. */ #define STARTUP_KRB5_MSG 11 /* krb5 session follows */ #define STARTUP_PASSWORD_MSG 14 /* Password follows */ *************** *** 87,243 **** * isn't any authentication system. */ static const struct authsvc authsvcs[] = { - #ifdef KRB4 - {"krb4", STARTUP_KRB4_MSG, 1}, - {"kerberos", STARTUP_KRB4_MSG, 1}, - #endif /* KRB4 */ #ifdef KRB5 {"krb5", STARTUP_KRB5_MSG, 1}, {"kerberos", STARTUP_KRB5_MSG, 1}, #endif /* KRB5 */ {UNAUTHNAME, STARTUP_MSG, ! #if defined(KRB4) || defined(KRB5) 0 ! #else /* !(KRB4 || KRB5) */ 1 ! #endif /* !(KRB4 || KRB5) */ }, {"password", STARTUP_PASSWORD_MSG, 0} }; static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc); - #ifdef KRB4 - /* - * MIT Kerberos authentication system - protocol version 4 - */ - - #include "krb.h" - - /* for some reason, this is not defined in krb.h ... 
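Review bot: STARTUP_KRB4_MSG in fe-auth.c (hunk at line 64) appears to have no users left after this patch: the two authsvcs entries and both tests in fe_getauthname that referenced it are removed in later hunks of the same file. If no reference remains outside the hunks shown, delete the define instead of annotating it. If the number is kept so that 10 is never reassigned, say that in the comment, e.g. `#define STARTUP_KRB4_MSG 10 /* krb4 session follows; unused, value reserved */`.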
*/ - extern char *tkt_string(void); - - /* - * pg_krb4_init -- initialization performed before any Kerberos calls are made - * - * For v4, all we need to do is make sure the library routines get the right - * ticket file if we want them to see a special one. (They will open the file - * themselves.) - */ - static void - pg_krb4_init() - { - char *realm; - static int init_done = 0; - - if (init_done) - return; - init_done = 1; - - /* - * If the user set PGREALM, then we use a ticket file with a special - * name: @ - */ - if ((realm = getenv("PGREALM"))) - { - char tktbuf[MAXPGPATH]; - - (void) snprintf(tktbuf, sizeof(tktbuf), "%s@%s", tkt_string(), realm); - krb_set_tkt_string(tktbuf); - } - } - - /* - * pg_krb4_authname -- returns a pointer to static space containing whatever - * name the user has authenticated to the system - * - * We obtain this information by digging around in the ticket file. - */ - static char * - pg_krb4_authname(char *PQerrormsg) - { - char instance[INST_SZ + 1]; - char realm[REALM_SZ + 1]; - int status; - static char name[SNAME_SZ + 1] = ""; - - if (name[0]) - return name; - - pg_krb4_init(); - - name[SNAME_SZ] = '\0'; - status = krb_get_tf_fullname(tkt_string(), name, instance, realm); - if (status != KSUCCESS) - { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb4_authname: krb_get_tf_fullname: %s\n", - krb_err_txt[status]); - return NULL; - } - return name; - } - - /* - * pg_krb4_sendauth -- client routine to send authentication information to - * the server - * - * This routine does not do mutual authentication, nor does it return enough - * information to do encrypted connections. But then, if we want to do - * encrypted connections, we'll have to redesign the whole RPC mechanism - * anyway. 
- * - * If the user is too lazy to feed us a hostname, we try to come up with - * something other than "localhost" since the hostname is used as an - * instance and instance names in v4 databases are usually actual hostnames - * (canonicalized to omit all domain suffixes). - */ - static int - pg_krb4_sendauth(char *PQerrormsg, int sock, - struct sockaddr_in * laddr, - struct sockaddr_in * raddr, - const char *hostname, - const char *servicename) - { - long krbopts = 0; /* one-way authentication */ - KTEXT_ST clttkt; - int status; - char hostbuf[MAXHOSTNAMELEN]; - const char *realm = getenv("PGREALM"); /* NULL == current realm */ - - if (!hostname || !(*hostname)) - { - if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0) - strcpy(hostbuf, "localhost"); - hostname = hostbuf; - } - - pg_krb4_init(); - - status = krb_sendauth(krbopts, - sock, - &clttkt, - servicename, - hostname, - realm, - (u_long) 0, - NULL, - NULL, - NULL, - laddr, - raddr, - PG_KRB4_VERSION); - if (status != KSUCCESS) - { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - libpq_gettext("Kerberos 4 error: %s\n"), - krb_err_txt[status]); - return STATUS_ERROR; - } - return STATUS_OK; - } - #endif /* KRB4 */ - #ifdef KRB5 /* * MIT Kerberos authentication system - protocol version 5 --- 87,108 ---- * isn't any authentication system. */ static const struct authsvc authsvcs[] = { #ifdef KRB5 {"krb5", STARTUP_KRB5_MSG, 1}, {"kerberos", STARTUP_KRB5_MSG, 1}, #endif /* KRB5 */ {UNAUTHNAME, STARTUP_MSG, ! #ifdef KRB5 0 ! #else /* !KRB5 */ 1 ! #endif /* !KRB5 */ }, {"password", STARTUP_PASSWORD_MSG, 0} }; static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc); #ifdef KRB5 /* * MIT Kerberos authentication system - protocol version 5 *************** *** 597,603 **** fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, const char *password, char *PQerrormsg) { ! 
#if !defined(KRB4) && !defined(KRB5) (void) hostname; /* not used */ #endif --- 462,468 ---- fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, const char *password, char *PQerrormsg) { ! #ifndef KRB5 (void) hostname; /* not used */ #endif *************** *** 607,630 **** break; case AUTH_REQ_KRB4: - #ifdef KRB4 - pglock_thread(); - if (pg_krb4_sendauth(PQerrormsg, conn->sock, - (struct sockaddr_in *) & conn->laddr.addr, - (struct sockaddr_in *) & conn->raddr.addr, - hostname, conn->krbsrvname) != STATUS_OK) - { - /* PQerrormsg already filled in */ - pgunlock_thread(); - return STATUS_ERROR; - } - pgunlock_thread(); - break; - #else snprintf(PQerrormsg, PQERRORMSG_LENGTH, libpq_gettext("Kerberos 4 authentication not supported\n")); return STATUS_ERROR; - #endif case AUTH_REQ_KRB5: #ifdef KRB5 --- 472,480 ---- *************** *** 754,770 **** pglock_thread(); - #ifdef KRB4 - if (authsvc == STARTUP_KRB4_MSG) - name = pg_krb4_authname(PQerrormsg); - #endif #ifdef KRB5 if (authsvc == STARTUP_KRB5_MSG) name = pg_krb5_authname(PQerrormsg); #endif if (authsvc == STARTUP_MSG - || (authsvc == STARTUP_KRB4_MSG && !name) || (authsvc == STARTUP_KRB5_MSG && !name)) { #ifdef WIN32 --- 604,615 ---- *************** *** 776,782 **** #endif } ! if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG) snprintf(PQerrormsg, PQERRORMSG_LENGTH, libpq_gettext("fe_getauthname: invalid authentication system: %d\n"), authsvc); --- 621,627 ---- #endif } ! 
if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB5_MSG) snprintf(PQerrormsg, PQERRORMSG_LENGTH, libpq_gettext("fe_getauthname: invalid authentication system: %d\n"), authsvc); Index: src/interfaces/libpq/fe-auth.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.h,v retrieving revision 1.20 diff -c -r1.20 fe-auth.h *** src/interfaces/libpq/fe-auth.h 31 Dec 2004 22:03:50 -0000 1.20 --- src/interfaces/libpq/fe-auth.h 21 Jun 2005 20:27:49 -0000 *************** *** 27,37 **** #define UNAUTHNAME "unauth" /* what a frontend uses by default */ ! #if !defined(KRB4) && !defined(KRB5) #define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME ! #else /* KRB4 || KRB5 */ #define DEFAULT_CLIENT_AUTHSVC "kerberos" ! #endif /* KRB4 || KRB5 */ extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, const char *password, char *PQerrormsg); --- 27,37 ---- #define UNAUTHNAME "unauth" /* what a frontend uses by default */ ! #ifndef KRB5 #define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME ! #else /* KRB5 */ #define DEFAULT_CLIENT_AUTHSVC "kerberos" ! #endif /* KRB5 */ extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname, const char *password, char *PQerrormsg); *************** *** 39,45 **** extern void fe_setauthsvc(const char *name, char *PQerrormsg); extern char *fe_getauthname(char *PQerrormsg); ! #define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */ ! #define PG_KRB5_VERSION "PGVER5.1" #endif /* FE_AUTH_H */ --- 39,44 ---- extern void fe_setauthsvc(const char *name, char *PQerrormsg); extern char *fe_getauthname(char *PQerrormsg); ! 
#define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */ #endif /* FE_AUTH_H */ Index: src/interfaces/libpq/fe-connect.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v retrieving revision 1.312 diff -c -r1.312 fe-connect.c *** src/interfaces/libpq/fe-connect.c 19 Jun 2005 13:10:55 -0000 1.312 --- src/interfaces/libpq/fe-connect.c 21 Jun 2005 20:27:49 -0000 *************** *** 170,176 **** {"sslmode", "PGSSLMODE", DefaultSSLMode, NULL, "SSL-Mode", "", 8}, /* sizeof("disable") == 8 */ ! #if defined(KRB4) || defined(KRB5) /* Kerberos authentication supports specifying the service name */ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, "Kerberos-service-name", "", 20}, --- 170,176 ---- {"sslmode", "PGSSLMODE", DefaultSSLMode, NULL, "SSL-Mode", "", 8}, /* sizeof("disable") == 8 */ ! #ifdef KRB5 /* Kerberos authentication supports specifying the service name */ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, "Kerberos-service-name", "", 20}, *************** *** 401,407 **** conn->sslmode = strdup("require"); } #endif ! #if defined(KRB4) || defined(KRB5) tmp = conninfo_getval(connOptions, "krbsrvname"); conn->krbsrvname = tmp ? strdup(tmp) : NULL; #endif --- 401,407 ---- conn->sslmode = strdup("require"); } #endif ! #ifdef KRB5 tmp = conninfo_getval(connOptions, "krbsrvname"); conn->krbsrvname = tmp ? strdup(tmp) : NULL; #endif *************** *** 1916,1922 **** free(conn->pgpass); if (conn->sslmode) free(conn->sslmode); ! #if defined(KRB4) || defined(KRB5) if (conn->krbsrvname) free(conn->krbsrvname); #endif --- 1916,1922 ---- free(conn->pgpass); if (conn->sslmode) free(conn->sslmode); ! 
#ifdef KRB5 if (conn->krbsrvname) free(conn->krbsrvname); #endif Index: src/interfaces/libpq/libpq-int.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/libpq-int.h,v retrieving revision 1.103 diff -c -r1.103 libpq-int.h *** src/interfaces/libpq/libpq-int.h 13 Jun 2005 02:26:53 -0000 1.103 --- src/interfaces/libpq/libpq-int.h 21 Jun 2005 20:27:49 -0000 *************** *** 262,268 **** char *pguser; /* Postgres username and password, if any */ char *pgpass; char *sslmode; /* SSL mode (require,prefer,allow,disable) */ ! #if defined(KRB5) || defined(KRB4) char *krbsrvname; /* Kerberos service name */ #endif --- 262,268 ---- char *pguser; /* Postgres username and password, if any */ char *pgpass; char *sslmode; /* SSL mode (require,prefer,allow,disable) */ ! #ifdef KRB5 char *krbsrvname; /* Kerberos service name */ #endif