Removing Kerberos 4
Started by Magnus Haganderover 20 years ago11 messages
This patch removes Kerberos version 4 support from the backend and
libpq. Per previous mail, I sent a mail to both hackers and -general
about a month ago asking for ppl who use it, for zero responses. I also
looked back in the archives and it seems it has been asked before and
also not responded, so I think it's safe to say it's not in widespread
use ATM. Finally, kerberos version 4 is deprecated by the kerberos
people - for security reasons amongst others.
Anyway. Here's the patch.
(only configure.in touched, my autoconf is the wrong version so it
generates huge diffs)
//Magnus
Attachments:
krb4.patchapplication/octet-stream; name=krb4.patchDownload
Index: configure.in
===================================================================
RCS file: /projects/cvsroot/pgsql/configure.in,v
retrieving revision 1.412
diff -c -r1.412 configure.in
*** configure.in 4 Jun 2005 20:42:41 -0000 1.412
--- configure.in 21 Jun 2005 20:27:45 -0000
***************
*** 410,428 ****
AC_SUBST(with_python)
#
- # Kerberos 4
- #
- AC_MSG_CHECKING([whether to build with Kerberos 4 support])
- PGAC_ARG_BOOL(with, krb4, no, [ --with-krb4 build with Kerberos 4 support],
- [
- AC_DEFINE(KRB4, 1, [Define to build with Kerberos 4 support. (--with-krb4)])
- krb_srvtab="/etc/srvtab"
- ])
- AC_MSG_RESULT([$with_krb4])
- AC_SUBST(with_krb4)
-
-
- #
# Kerberos 5
#
AC_MSG_CHECKING([whether to build with Kerberos 5 support])
--- 410,415 ----
***************
*** 435,445 ****
AC_SUBST(with_krb5)
- # Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work.
- if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
- AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
- fi
-
AC_SUBST(krb_srvtab)
--- 422,427 ----
***************
*** 666,677 ****
*** Not using spinlocks will cause poor performance.])
fi
- if test "$with_krb4" = yes ; then
- AC_CHECK_LIB(des, des_encrypt, [], [AC_MSG_ERROR([library 'des' is required for Kerberos 4])])
- AC_CHECK_LIB(krb, krb_sendauth, [], [AC_MSG_ERROR([library 'krb' is required for Kerberos 4])])
- AC_REPLACE_FUNCS([gethostname])
- fi
-
if test "$with_krb5" = yes ; then
if test "$PORTNAME" != "win32"; then
AC_SEARCH_LIBS(com_err, [krb5 'krb5 -ldes -lasn1 -lroken' com_err], [],
--- 648,653 ----
***************
*** 762,771 ****
Use --without-zlib to disable zlib support.])])
fi
- if test "$with_krb4" = yes ; then
- AC_CHECK_HEADER(krb.h, [], [AC_MSG_ERROR([header file <krb.h> is required for Kerberos 4])])
- fi
-
if test "$with_krb5" = yes ; then
AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file <krb5.h> is required for Kerberos 5])])
fi
--- 738,743 ----
Index: doc/TODO
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/TODO,v
retrieving revision 1.1568
diff -c -r1.1568 TODO
*** doc/TODO 18 Jun 2005 01:45:58 -0000 1.1568
--- doc/TODO 21 Jun 2005 20:27:46 -0000
***************
*** 975,981 ****
* Promote debug_query_string into a server-side function current_query()
* Allow the identifier length to be increased via a configure option
* Remove Win32 rename/unlink looping if unnecessary
- * Remove kerberos4 from source tree?
* Allow cross-compiling by generating the zic database on the target system
* Improve NLS maintenace of libpgport messages linked onto applications
* Allow ecpg to work with MSVC and BCC
--- 975,980 ----
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.81
diff -c -r1.81 client-auth.sgml
*** doc/src/sgml/client-auth.sgml 21 Jun 2005 04:02:29 -0000 1.81
--- doc/src/sgml/client-auth.sgml 21 Jun 2005 20:27:46 -0000
***************
*** 327,343 ****
</varlistentry>
<varlistentry>
- <term><literal>krb4</></term>
- <listitem>
- <para>
- Use Kerberos V4 to authenticate the user. This is only
- available for TCP/IP connections. See <xref
- linkend="kerberos-auth"> for details.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term><literal>krb5</></term>
<listitem>
<para>
--- 327,332 ----
***************
*** 623,633 ****
</para>
<para>
! While <productname>PostgreSQL</> supports both Kerberos 4 and
! Kerberos 5, only Kerberos 5 is recommended. Kerberos 4 is
! considered insecure and no longer recommended for general
! use. Only one version of Kerberos can be supported in any one
! build, and support must be enabled at build time. See
<xref linkend="installation"> for more information.
</para>
--- 612,619 ----
</para>
<para>
! <productname>PostgreSQL</> supports Kerberos version 5, and it has
! to be enabled at build time. See
<xref linkend="installation"> for more information.
</para>
***************
*** 669,679 ****
account. (See also <xref linkend="postgres-user">.) The location
of the key file is specified by the <xref
linkend="guc-krb-server-keyfile"> configuration
! parameter. The default
! is <filename>/etc/srvtab</> if you are using Kerberos 4 and
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
! directory was specified as <varname>sysconfdir</> at build time)
! with Kerberos 5.
</para>
<para>
--- 655,663 ----
account. (See also <xref linkend="postgres-user">.) The location
of the key file is specified by the <xref
linkend="guc-krb-server-keyfile"> configuration
! parameter. The default is
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
! directory was specified as <varname>sysconfdir</> at build time).
</para>
<para>
Index: doc/src/sgml/installation.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/installation.sgml,v
retrieving revision 1.236
diff -c -r1.236 installation.sgml
*** doc/src/sgml/installation.sgml 21 Jun 2005 04:02:29 -0000 1.236
--- doc/src/sgml/installation.sgml 21 Jun 2005 20:27:46 -0000
***************
*** 795,806 ****
</varlistentry>
<varlistentry>
- <term><option>--with-krb4</option></term>
<term><option>--with-krb5</option></term>
<listitem>
<para>
! Build with support for Kerberos authentication. You can use
! either Kerberos version 4 or 5, but not both. On many
systems, the Kerberos system is not installed in a location
that is searched by default (e.g., <filename>/usr/include</>,
<filename>/usr/lib</>), so you must use the options
--- 795,804 ----
</varlistentry>
<varlistentry>
<term><option>--with-krb5</option></term>
<listitem>
<para>
! Build with support for Kerberos 5 authentication. On many
systems, the Kerberos system is not installed in a location
that is searched by default (e.g., <filename>/usr/include</>,
<filename>/usr/lib</>), so you must use the options
Index: doc/src/sgml/libpq.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/libpq.sgml,v
retrieving revision 1.186
diff -c -r1.186 libpq.sgml
*** doc/src/sgml/libpq.sgml 21 Jun 2005 04:02:29 -0000 1.186
--- doc/src/sgml/libpq.sgml 21 Jun 2005 20:27:47 -0000
***************
*** 283,289 ****
<term><literal>krbsrvname</literal></term>
<listitem>
<para>
! Kerberos service name to use when authenticating with Kerberos 4 or 5.
This must match the service name specified in the server
configuration for Kerberos authentication to succeed. (See also
<xref linkend="kerberos-auth">.)
--- 283,289 ----
<term><literal>krbsrvname</literal></term>
<listitem>
<para>
! Kerberos service name to use when authenticating with Kerberos 5.
This must match the service name specified in the server
configuration for Kerberos authentication to succeed. (See also
<xref linkend="kerberos-auth">.)
***************
*** 3802,3808 ****
<primary><envar>PGKRBSRVNAME</envar></primary>
</indexterm>
<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
! authenticating with Kerberos 4 or 5.
</para>
</listitem>
<listitem>
--- 3802,3808 ----
<primary><envar>PGKRBSRVNAME</envar></primary>
</indexterm>
<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use when
! authenticating with Kerberos 5.
</para>
</listitem>
<listitem>
Index: doc/src/sgml/protocol.sgml
===================================================================
RCS file: /projects/cvsroot/pgsql/doc/src/sgml/protocol.sgml,v
retrieving revision 1.58
diff -c -r1.58 protocol.sgml
*** doc/src/sgml/protocol.sgml 23 Jan 2005 00:30:18 -0000 1.58
--- doc/src/sgml/protocol.sgml 21 Jun 2005 20:27:47 -0000
***************
*** 265,283 ****
</varlistentry>
<varlistentry>
- <term>AuthenticationKerberosV4</term>
- <listitem>
- <para>
- The frontend must now take part in a Kerberos V4
- authentication dialog (not described here, part of the
- Kerberos specification) with the server. If this is
- successful, the server responds with an AuthenticationOk,
- otherwise it responds with an ErrorResponse.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
<term>AuthenticationKerberosV5</term>
<listitem>
<para>
--- 265,270 ----
***************
*** 1390,1439 ****
<varlistentry>
<term>
- AuthenticationKerberosV4 (B)
- </term>
- <listitem>
- <para>
-
- <variablelist>
- <varlistentry>
- <term>
- Byte1('R')
- </term>
- <listitem>
- <para>
- Identifies the message as an authentication request.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- Int32(8)
- </term>
- <listitem>
- <para>
- Length of message contents in bytes, including self.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- Int32(1)
- </term>
- <listitem>
- <para>
- Specifies that Kerberos V4 authentication is required.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </para>
- </listitem>
- </varlistentry>
-
-
- <varlistentry>
- <term>
AuthenticationKerberosV5 (B)
</term>
<listitem>
--- 1377,1382 ----
Index: src/backend/libpq/auth.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/libpq/auth.c,v
retrieving revision 1.125
diff -c -r1.125 auth.c
*** src/backend/libpq/auth.c 14 Jun 2005 17:43:13 -0000 1.125
--- src/backend/libpq/auth.c 21 Jun 2005 20:27:48 -0000
***************
*** 69,151 ****
* into pam_passwd_conv_proc */
#endif /* USE_PAM */
- #ifdef KRB4
- /*----------------------------------------------------------------
- * MIT Kerberos authentication system - protocol version 4
- *----------------------------------------------------------------
- */
-
- #include "krb.h"
-
- /*
- * pg_krb4_recvauth -- server routine to receive authentication information
- * from the client
- *
- * Nothing unusual here, except that we compare the username obtained from
- * the client's setup packet to the authenticated name. (We have to retain
- * the name in the setup packet since we have to retain the ability to handle
- * unauthenticated connections.)
- */
- static int
- pg_krb4_recvauth(Port *port)
- {
- long krbopts = 0; /* one-way authentication */
- KTEXT_ST clttkt;
- char instance[INST_SZ + 1],
- version[KRB_SENDAUTH_VLEN + 1];
- AUTH_DAT auth_data;
- Key_schedule key_sched;
- int status;
-
- strcpy(instance, "*"); /* don't care, but arg gets expanded
- * anyway */
- status = krb_recvauth(krbopts,
- port->sock,
- &clttkt,
- pg_krb_srvnam,
- instance,
- &port->raddr.in,
- &port->laddr.in,
- &auth_data,
- pg_krb_server_keyfile,
- key_sched,
- version);
- if (status != KSUCCESS)
- {
- ereport(LOG,
- (errmsg("Kerberos error: %s", krb_err_txt[status])));
- return STATUS_ERROR;
- }
- if (strncmp(version, PG_KRB4_VERSION, KRB_SENDAUTH_VLEN) != 0)
- {
- ereport(LOG,
- (errmsg("unexpected Kerberos protocol version received from client (received \"%s\", expected \"%s\")",
- version, PG_KRB4_VERSION)));
- return STATUS_ERROR;
- }
- if (strncmp(port->user_name, auth_data.pname, SM_DATABASE_USER) != 0)
- {
- ereport(LOG,
- (errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
- port->user_name, auth_data.pname)));
- return STATUS_ERROR;
- }
- return STATUS_OK;
- }
-
- #else
-
- static int
- pg_krb4_recvauth(Port *port)
- {
- ereport(LOG,
- (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("Kerberos 4 not implemented on this server")));
- return STATUS_ERROR;
- }
- #endif /* KRB4 */
-
-
#ifdef KRB5
/*----------------------------------------------------------------
* MIT Kerberos authentication system - protocol version 5
--- 69,74 ----
***************
*** 252,259 ****
* from the client
*
* We still need to compare the username obtained from the client's setup
! * packet to the authenticated name, as described in pg_krb4_recvauth. This
! * is a bit more problematic in v5, as described above in pg_an_to_ln.
*
* We have our own keytab file because postgres is unlikely to run as root,
* and so cannot read the default keytab.
--- 175,181 ----
* from the client
*
* We still need to compare the username obtained from the client's setup
! * packet to the authenticated name.
*
* We have our own keytab file because postgres is unlikely to run as root,
* and so cannot read the default keytab.
***************
*** 380,388 ****
case uaReject:
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
break;
- case uaKrb4:
- errstr = gettext_noop("Kerberos 4 authentication failed for user \"%s\"");
- break;
case uaKrb5:
errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\"");
break;
--- 302,307 ----
***************
*** 471,487 ****
break;
}
- case uaKrb4:
- /* Kerberos 4 only seems to work with AF_INET. */
- if (port->raddr.addr.ss_family != AF_INET
- || port->laddr.addr.ss_family != AF_INET)
- ereport(FATAL,
- (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
- errmsg("Kerberos 4 only supports IPv4 connections")));
- sendAuthRequest(port, AUTH_REQ_KRB4);
- status = pg_krb4_recvauth(port);
- break;
-
case uaKrb5:
sendAuthRequest(port, AUTH_REQ_KRB5);
status = pg_krb5_recvauth(port);
--- 390,395 ----
Index: src/backend/libpq/hba.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/libpq/hba.c,v
retrieving revision 1.141
diff -c -r1.141 hba.c
*** src/backend/libpq/hba.c 21 Jun 2005 01:20:09 -0000 1.141
--- src/backend/libpq/hba.c 21 Jun 2005 20:27:48 -0000
***************
*** 607,614 ****
*userauth_p = uaIdent;
else if (strcmp(token, "password") == 0)
*userauth_p = uaPassword;
- else if (strcmp(token, "krb4") == 0)
- *userauth_p = uaKrb4;
else if (strcmp(token, "krb5") == 0)
*userauth_p = uaKrb5;
else if (strcmp(token, "reject") == 0)
--- 607,612 ----
***************
*** 694,701 ****
goto hba_syntax;
/* Disallow auth methods that always need TCP/IP sockets to work */
! if (port->auth_method == uaKrb4 ||
! port->auth_method == uaKrb5)
goto hba_syntax;
/* Does not match if connection isn't AF_UNIX */
--- 692,698 ----
goto hba_syntax;
/* Disallow auth methods that always need TCP/IP sockets to work */
! if (port->auth_method == uaKrb5)
goto hba_syntax;
/* Does not match if connection isn't AF_UNIX */
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /projects/cvsroot/pgsql/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.57
diff -c -r1.57 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample 7 Jan 2005 23:59:17 -0000 1.57
--- src/backend/libpq/pg_hba.conf.sample 21 Jun 2005 20:27:48 -0000
***************
*** 35,41 ****
# an IP address and netmask in separate columns to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
! # "krb4", "krb5", "ident", or "pam". Note that "password" sends passwords
# in clear text; "md5" is preferred since it sends encrypted passwords.
#
# OPTION is the ident map or the name of the PAM service, depending on METHOD.
--- 35,41 ----
# an IP address and netmask in separate columns to specify the set of hosts.
#
# METHOD can be "trust", "reject", "md5", "crypt", "password",
! # "krb5", "ident", or "pam". Note that "password" sends passwords
# in clear text; "md5" is preferred since it sends encrypted passwords.
#
# OPTION is the ident map or the name of the PAM service, depending on METHOD.
Index: src/include/pg_config.h.in
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/pg_config.h.in,v
retrieving revision 1.84
diff -c -r1.84 pg_config.h.in
*** src/include/pg_config.h.in 4 Jun 2005 20:42:42 -0000 1.84
--- src/include/pg_config.h.in 21 Jun 2005 20:27:48 -0000
***************
*** 575,583 ****
/* Define to the appropriate snprintf format for 64-bit ints, if any. */
#undef INT64_FORMAT
- /* Define to build with Kerberos 4 support. (--with-krb4) */
- #undef KRB4
-
/* Define to build with Kerberos 5 support. (--with-krb5) */
#undef KRB5
--- 575,580 ----
Index: src/include/port.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/port.h,v
retrieving revision 1.75
diff -c -r1.75 port.h
*** src/include/port.h 25 May 2005 21:40:41 -0000 1.75
--- src/include/port.h 21 Jun 2005 20:27:48 -0000
***************
*** 267,276 ****
extern int isinf(double x);
#endif
- #if !defined(HAVE_GETHOSTNAME) && defined(KRB4)
- extern int gethostname(char *name, int namelen);
- #endif
-
#ifndef HAVE_RINT
extern double rint(double x);
#endif
--- 267,272 ----
Index: src/include/libpq/auth.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/libpq/auth.h,v
retrieving revision 1.28
diff -c -r1.28 auth.h
*** src/include/libpq/auth.h 14 Jun 2005 17:43:14 -0000 1.28
--- src/include/libpq/auth.h 21 Jun 2005 20:27:48 -0000
***************
*** 23,30 ****
extern void ClientAuthentication(Port *port);
! #define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */
! #define PG_KRB5_VERSION "PGVER5.1"
extern char *pg_krb_server_keyfile;
extern char *pg_krb_srvnam;
--- 23,29 ----
extern void ClientAuthentication(Port *port);
! #define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */
extern char *pg_krb_server_keyfile;
extern char *pg_krb_srvnam;
Index: src/include/libpq/hba.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/libpq/hba.h,v
retrieving revision 1.36
diff -c -r1.36 hba.h
*** src/include/libpq/hba.h 26 Feb 2005 18:43:34 -0000 1.36
--- src/include/libpq/hba.h 21 Jun 2005 20:27:48 -0000
***************
*** 17,23 ****
typedef enum UserAuth
{
uaReject,
! uaKrb4,
uaKrb5,
uaTrust,
uaIdent,
--- 17,23 ----
typedef enum UserAuth
{
uaReject,
! uaKrb4, /* Not supported any more */
uaKrb5,
uaTrust,
uaIdent,
Index: src/include/libpq/pqcomm.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/include/libpq/pqcomm.h,v
retrieving revision 1.96
diff -c -r1.96 pqcomm.h
*** src/include/libpq/pqcomm.h 31 Dec 2004 22:03:32 -0000 1.96
--- src/include/libpq/pqcomm.h 21 Jun 2005 20:27:48 -0000
***************
*** 160,166 ****
/* These are the authentication request codes sent by the backend. */
#define AUTH_REQ_OK 0 /* User is authenticated */
! #define AUTH_REQ_KRB4 1 /* Kerberos V4 */
#define AUTH_REQ_KRB5 2 /* Kerberos V5 */
#define AUTH_REQ_PASSWORD 3 /* Password */
#define AUTH_REQ_CRYPT 4 /* crypt password */
--- 160,166 ----
/* These are the authentication request codes sent by the backend. */
#define AUTH_REQ_OK 0 /* User is authenticated */
! #define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */
#define AUTH_REQ_KRB5 2 /* Kerberos V5 */
#define AUTH_REQ_PASSWORD 3 /* Password */
#define AUTH_REQ_CRYPT 4 /* crypt password */
Index: src/interfaces/libpq/Makefile
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/Makefile,v
retrieving revision 1.133
diff -c -r1.133 Makefile
*** src/interfaces/libpq/Makefile 29 Apr 2005 14:07:27 -0000 1.133
--- src/interfaces/libpq/Makefile 21 Jun 2005 20:27:49 -0000
***************
*** 53,59 ****
# Add libraries that libpq depends (or might depend) on into the
# shared library link. (The order in which you list them here doesn't
# matter.)
! SHLIB_LINK += $(filter -lcrypt -ldes -lkrb -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS)
ifeq ($(PORTNAME), win32)
SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS))
endif
--- 53,59 ----
# Add libraries that libpq depends (or might depend) on into the
# shared library link. (The order in which you list them here doesn't
# matter.)
! SHLIB_LINK += $(filter -lcrypt -ldes -lcom_err -lcrypto -lk5crypto -lkrb5 -lssl -lsocket -lnsl -lresolv -lintl, $(LIBS)) $(PTHREAD_LIBS)
ifeq ($(PORTNAME), win32)
SHLIB_LINK += -lshfolder -lwsock32 -lws2_32 $(filter -leay32 -lssleay32 -lcomerr32 -lkrb5_32, $(LIBS))
endif
Index: src/interfaces/libpq/fe-auth.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v
retrieving revision 1.101
diff -c -r1.101 fe-auth.c
*** src/interfaces/libpq/fe-auth.c 4 Jun 2005 20:42:43 -0000 1.101
--- src/interfaces/libpq/fe-auth.c 21 Jun 2005 20:27:49 -0000
***************
*** 64,70 ****
*/
#define STARTUP_MSG 7 /* Initialise a connection */
! #define STARTUP_KRB4_MSG 10 /* krb4 session follows */
#define STARTUP_KRB5_MSG 11 /* krb5 session follows */
#define STARTUP_PASSWORD_MSG 14 /* Password follows */
--- 64,70 ----
*/
#define STARTUP_MSG 7 /* Initialise a connection */
! #define STARTUP_KRB4_MSG 10 /* krb4 session follows. Not supported any more. */
#define STARTUP_KRB5_MSG 11 /* krb5 session follows */
#define STARTUP_PASSWORD_MSG 14 /* Password follows */
***************
*** 87,243 ****
* isn't any authentication system.
*/
static const struct authsvc authsvcs[] = {
- #ifdef KRB4
- {"krb4", STARTUP_KRB4_MSG, 1},
- {"kerberos", STARTUP_KRB4_MSG, 1},
- #endif /* KRB4 */
#ifdef KRB5
{"krb5", STARTUP_KRB5_MSG, 1},
{"kerberos", STARTUP_KRB5_MSG, 1},
#endif /* KRB5 */
{UNAUTHNAME, STARTUP_MSG,
! #if defined(KRB4) || defined(KRB5)
0
! #else /* !(KRB4 || KRB5) */
1
! #endif /* !(KRB4 || KRB5) */
},
{"password", STARTUP_PASSWORD_MSG, 0}
};
static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
- #ifdef KRB4
- /*
- * MIT Kerberos authentication system - protocol version 4
- */
-
- #include "krb.h"
-
- /* for some reason, this is not defined in krb.h ... */
- extern char *tkt_string(void);
-
- /*
- * pg_krb4_init -- initialization performed before any Kerberos calls are made
- *
- * For v4, all we need to do is make sure the library routines get the right
- * ticket file if we want them to see a special one. (They will open the file
- * themselves.)
- */
- static void
- pg_krb4_init()
- {
- char *realm;
- static int init_done = 0;
-
- if (init_done)
- return;
- init_done = 1;
-
- /*
- * If the user set PGREALM, then we use a ticket file with a special
- * name: <usual-ticket-file-name>@<PGREALM-value>
- */
- if ((realm = getenv("PGREALM")))
- {
- char tktbuf[MAXPGPATH];
-
- (void) snprintf(tktbuf, sizeof(tktbuf), "%s@%s", tkt_string(), realm);
- krb_set_tkt_string(tktbuf);
- }
- }
-
- /*
- * pg_krb4_authname -- returns a pointer to static space containing whatever
- * name the user has authenticated to the system
- *
- * We obtain this information by digging around in the ticket file.
- */
- static char *
- pg_krb4_authname(char *PQerrormsg)
- {
- char instance[INST_SZ + 1];
- char realm[REALM_SZ + 1];
- int status;
- static char name[SNAME_SZ + 1] = "";
-
- if (name[0])
- return name;
-
- pg_krb4_init();
-
- name[SNAME_SZ] = '\0';
- status = krb_get_tf_fullname(tkt_string(), name, instance, realm);
- if (status != KSUCCESS)
- {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- "pg_krb4_authname: krb_get_tf_fullname: %s\n",
- krb_err_txt[status]);
- return NULL;
- }
- return name;
- }
-
- /*
- * pg_krb4_sendauth -- client routine to send authentication information to
- * the server
- *
- * This routine does not do mutual authentication, nor does it return enough
- * information to do encrypted connections. But then, if we want to do
- * encrypted connections, we'll have to redesign the whole RPC mechanism
- * anyway.
- *
- * If the user is too lazy to feed us a hostname, we try to come up with
- * something other than "localhost" since the hostname is used as an
- * instance and instance names in v4 databases are usually actual hostnames
- * (canonicalized to omit all domain suffixes).
- */
- static int
- pg_krb4_sendauth(char *PQerrormsg, int sock,
- struct sockaddr_in * laddr,
- struct sockaddr_in * raddr,
- const char *hostname,
- const char *servicename)
- {
- long krbopts = 0; /* one-way authentication */
- KTEXT_ST clttkt;
- int status;
- char hostbuf[MAXHOSTNAMELEN];
- const char *realm = getenv("PGREALM"); /* NULL == current realm */
-
- if (!hostname || !(*hostname))
- {
- if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0)
- strcpy(hostbuf, "localhost");
- hostname = hostbuf;
- }
-
- pg_krb4_init();
-
- status = krb_sendauth(krbopts,
- sock,
- &clttkt,
- servicename,
- hostname,
- realm,
- (u_long) 0,
- NULL,
- NULL,
- NULL,
- laddr,
- raddr,
- PG_KRB4_VERSION);
- if (status != KSUCCESS)
- {
- snprintf(PQerrormsg, PQERRORMSG_LENGTH,
- libpq_gettext("Kerberos 4 error: %s\n"),
- krb_err_txt[status]);
- return STATUS_ERROR;
- }
- return STATUS_OK;
- }
- #endif /* KRB4 */
-
#ifdef KRB5
/*
* MIT Kerberos authentication system - protocol version 5
--- 87,108 ----
* isn't any authentication system.
*/
static const struct authsvc authsvcs[] = {
#ifdef KRB5
{"krb5", STARTUP_KRB5_MSG, 1},
{"kerberos", STARTUP_KRB5_MSG, 1},
#endif /* KRB5 */
{UNAUTHNAME, STARTUP_MSG,
! #ifdef KRB5
0
! #else /* !KRB5 */
1
! #endif /* !KRB5 */
},
{"password", STARTUP_PASSWORD_MSG, 0}
};
static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
#ifdef KRB5
/*
* MIT Kerberos authentication system - protocol version 5
***************
*** 597,603 ****
fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg)
{
! #if !defined(KRB4) && !defined(KRB5)
(void) hostname; /* not used */
#endif
--- 462,468 ----
fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg)
{
! #ifndef KRB5
(void) hostname; /* not used */
#endif
***************
*** 607,630 ****
break;
case AUTH_REQ_KRB4:
- #ifdef KRB4
- pglock_thread();
- if (pg_krb4_sendauth(PQerrormsg, conn->sock,
- (struct sockaddr_in *) & conn->laddr.addr,
- (struct sockaddr_in *) & conn->raddr.addr,
- hostname, conn->krbsrvname) != STATUS_OK)
- {
- /* PQerrormsg already filled in */
- pgunlock_thread();
- return STATUS_ERROR;
- }
- pgunlock_thread();
- break;
- #else
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("Kerberos 4 authentication not supported\n"));
return STATUS_ERROR;
- #endif
case AUTH_REQ_KRB5:
#ifdef KRB5
--- 472,480 ----
***************
*** 754,770 ****
pglock_thread();
- #ifdef KRB4
- if (authsvc == STARTUP_KRB4_MSG)
- name = pg_krb4_authname(PQerrormsg);
- #endif
#ifdef KRB5
if (authsvc == STARTUP_KRB5_MSG)
name = pg_krb5_authname(PQerrormsg);
#endif
if (authsvc == STARTUP_MSG
- || (authsvc == STARTUP_KRB4_MSG && !name)
|| (authsvc == STARTUP_KRB5_MSG && !name))
{
#ifdef WIN32
--- 604,615 ----
***************
*** 776,782 ****
#endif
}
! if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
authsvc);
--- 621,627 ----
#endif
}
! if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB5_MSG)
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
authsvc);
Index: src/interfaces/libpq/fe-auth.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.h,v
retrieving revision 1.20
diff -c -r1.20 fe-auth.h
*** src/interfaces/libpq/fe-auth.h 31 Dec 2004 22:03:50 -0000 1.20
--- src/interfaces/libpq/fe-auth.h 21 Jun 2005 20:27:49 -0000
***************
*** 27,37 ****
#define UNAUTHNAME "unauth"
/* what a frontend uses by default */
! #if !defined(KRB4) && !defined(KRB5)
#define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME
! #else /* KRB4 || KRB5 */
#define DEFAULT_CLIENT_AUTHSVC "kerberos"
! #endif /* KRB4 || KRB5 */
extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg);
--- 27,37 ----
#define UNAUTHNAME "unauth"
/* what a frontend uses by default */
! #ifndef KRB5
#define DEFAULT_CLIENT_AUTHSVC UNAUTHNAME
! #else /* KRB5 */
#define DEFAULT_CLIENT_AUTHSVC "kerberos"
! #endif /* KRB5 */
extern int fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
const char *password, char *PQerrormsg);
***************
*** 39,45 ****
extern void fe_setauthsvc(const char *name, char *PQerrormsg);
extern char *fe_getauthname(char *PQerrormsg);
! #define PG_KRB4_VERSION "PGVER4.1" /* at most KRB_SENDAUTH_VLEN chars */
! #define PG_KRB5_VERSION "PGVER5.1"
#endif /* FE_AUTH_H */
--- 39,44 ----
extern void fe_setauthsvc(const char *name, char *PQerrormsg);
extern char *fe_getauthname(char *PQerrormsg);
! #define PG_KRB5_VERSION "PGVER5.1" /* at most KRB_SENDAUTH_VLEN chars */
#endif /* FE_AUTH_H */
Index: src/interfaces/libpq/fe-connect.c
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-connect.c,v
retrieving revision 1.312
diff -c -r1.312 fe-connect.c
*** src/interfaces/libpq/fe-connect.c 19 Jun 2005 13:10:55 -0000 1.312
--- src/interfaces/libpq/fe-connect.c 21 Jun 2005 20:27:49 -0000
***************
*** 170,176 ****
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
! #if defined(KRB4) || defined(KRB5)
/* Kerberos authentication supports specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
"Kerberos-service-name", "", 20},
--- 170,176 ----
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
! #ifdef KRB5
/* Kerberos authentication supports specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
"Kerberos-service-name", "", 20},
***************
*** 401,407 ****
conn->sslmode = strdup("require");
}
#endif
! #if defined(KRB4) || defined(KRB5)
tmp = conninfo_getval(connOptions, "krbsrvname");
conn->krbsrvname = tmp ? strdup(tmp) : NULL;
#endif
--- 401,407 ----
conn->sslmode = strdup("require");
}
#endif
! #ifdef KRB5
tmp = conninfo_getval(connOptions, "krbsrvname");
conn->krbsrvname = tmp ? strdup(tmp) : NULL;
#endif
***************
*** 1916,1922 ****
free(conn->pgpass);
if (conn->sslmode)
free(conn->sslmode);
! #if defined(KRB4) || defined(KRB5)
if (conn->krbsrvname)
free(conn->krbsrvname);
#endif
--- 1916,1922 ----
free(conn->pgpass);
if (conn->sslmode)
free(conn->sslmode);
! #ifdef KRB5
if (conn->krbsrvname)
free(conn->krbsrvname);
#endif
Index: src/interfaces/libpq/libpq-int.h
===================================================================
RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/libpq-int.h,v
retrieving revision 1.103
diff -c -r1.103 libpq-int.h
*** src/interfaces/libpq/libpq-int.h 13 Jun 2005 02:26:53 -0000 1.103
--- src/interfaces/libpq/libpq-int.h 21 Jun 2005 20:27:49 -0000
***************
*** 262,268 ****
char *pguser; /* Postgres username and password, if any */
char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
! #if defined(KRB5) || defined(KRB4)
char *krbsrvname; /* Kerberos service name */
#endif
--- 262,268 ----
char *pguser; /* Postgres username and password, if any */
char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
! #ifdef KRB5
char *krbsrvname; /* Kerberos service name */
#endif
Re: [PATCHES] Removing Kerberos 4
"Magnus Hagander" <mha@sollentuna.net> writes:
This patch removes Kerberos version 4 support from the backend and
libpq. Per previous mail, I sent a mail to both hackers and -general
about a month ago asking for ppl who use it, for zero responses. I also
looked back in the archives and it seems it has been asked before and
also not responded, so I think it's safe to say it's not in widespread
use ATM. Finally, kerberos version 4 is deprecated by the kerberos
people - for security reasons amongst others.
Last chance for any Kerberos 4 users to speak up --- otherwise I'll
apply this soon.
regards, tom lane
Re: Removing Kerberos 4
Magnus Hagander wrote:
This patch removes Kerberos version 4 support from the backend and
libpq.
I'll apply this later today, barring any objections.
-Neil
Re: [HACKERS] [PATCHES] Removing Kerberos 4
Tom Lane <tgl@sss.pgh.pa.us> writes:
Last chance for any Kerberos 4 users to speak up --- otherwise I'll
apply this soon.
If you just want someone to test it I can do that. I don't actually use it
normally though.
As far as security issues the only issues I'm aware of is a) it uses plain DES
which is just a 56 bit key and crackable by brute force and b) cross-domain
authentication is broken.
But if you just have a single domain it's a lot simpler to set up than the
poster child for second system effect, Kerberos 5.
--
greg
Re: [HACKERS] [PATCHES] Removing Kerberos 4
Last chance for any Kerberos 4 users to speak up --- otherwise I'll
apply this soon.If you just want someone to test it I can do that. I don't
actually use it normally though.
I don't think "just testing" is enough - somebody needs to actually
maintain it...
As far as security issues the only issues I'm aware of is a)
it uses plain DES which is just a 56 bit key and crackable by
brute force and b) cross-domain authentication is broken.
Yeah. But it has been declared dead by the Kerberos folks
(http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
document is from 2000, an dit was declared already then)...
//Magnus
Import Notes
Resolved by subject fallback
Re: [HACKERS] [PATCHES] Removing Kerberos 4
"Magnus Hagander" <mha@sollentuna.net> writes:
Yeah. But it has been declared dead by the Kerberos folks
(http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
document is from 2000, an dit was declared already then)...
Right. The real question here is who's going to be using a 2005
database release with a pre-2000 security system? There's a fair
amount of code there and no evidence that time spent on testing
and maintaining it is going to benefit anyone anymore.
If someone wakes up and says "hey, I'm still ACTUALLY using that code",
I'm willing to forbear ... but otherwise I think its time is long gone.
regards, tom lane
Re: [HACKERS] [PATCHES] Removing Kerberos 4
On Wed, Jun 22, 2005 at 04:39:15PM -0400, Tom Lane wrote:
"Magnus Hagander" <mha@sollentuna.net> writes:
Yeah. But it has been declared dead by the Kerberos folks
(http://www.faqs.org/faqs/kerberos-faq/general/section-7.html. And this
document is from 2000, an dit was declared already then)...Right. The real question here is who's going to be using a 2005
database release with a pre-2000 security system? There's a fair
amount of code there and no evidence that time spent on testing
and maintaining it is going to benefit anyone anymore.If someone wakes up and says "hey, I'm still ACTUALLY using that code",
I'm willing to forbear ... but otherwise I think its time is long gone.
While I agree, if it's easy to just disable kerb without actually
ripping the code out right now that might be a tad 'safer', as there
might be some users who are using it but don't read the mailling lists.
Has Kerb4 been marked as depricated in the docs at all? If not it might
be best to just do that and then yank it later.
--
Jim C. Nasby, Database Consultant decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
Re: [HACKERS] [PATCHES] Removing Kerberos 4
Has Kerb4 been marked as depricated in the docs at all? If
not it might be best to just do that and then yank it later.
Yes, since 7.4.
http://www.postgresql.org/docs/8.0/static/auth-methods.html#KERBEROS-AUT
H
http://www.postgresql.org/docs/7.4/static/auth-methods.html#KERBEROS-AUT
H
"Kerberos 4 is considered insecure and no longer recommended for general
use."
//Magnus
Import Notes
Resolved by subject fallback
Re: [HACKERS] [PATCHES] Removing Kerberos 4
On Thu, Jun 23, 2005 at 07:34:30PM +0200, Magnus Hagander wrote:
Has Kerb4 been marked as depricated in the docs at all? If
not it might be best to just do that and then yank it later.Yes, since 7.4.
http://www.postgresql.org/docs/8.0/static/auth-methods.html#KERBEROS-AUT
H
http://www.postgresql.org/docs/7.4/static/auth-methods.html#KERBEROS-AUT
H"Kerberos 4 is considered insecure and no longer recommended for general
use."
Just as a nitpick, in the future it would probably be better to
explicitely say if something is considered depricated and will be
removed in the future. Having said that, that statement means it's
removal shouldn't come as a shock to anyone.
--
Jim C. Nasby, Database Consultant decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
Re: Removing Kerberos 4
Magnus Hagander wrote:
This patch removes Kerberos version 4 support from the backend and
libpq.
Applied, thanks.
Bruce, can you mark the "Remove krb4" TODO item as finished? Thanks.
-Neil
Re: Removing Kerberos 4
Neil Conway wrote:
Magnus Hagander wrote:
This patch removes Kerberos version 4 support from the backend and
libpq.Applied, thanks.
Bruce, can you mark the "Remove krb4" TODO item as finished? Thanks.
Thanks, done.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073