Proposal: BSD Authentication support

Started by Marisa Emerson, about 10 years ago, 21 messages
#1 Marisa Emerson
mje@insec.sh
1 attachment(s)

Hi,

I would like to add support for BSD authentication, used on OpenBSD. BSD authentication works similarly to PAM and allows authentication using local accounts.

We use OpenBSD on our Postgres servers at work.

I have attached an initial implementation of the proposal.

Cheers,
Marisa Emerson

Attachments:

bsd_auth.patch (application/octet-stream)
diff --git a/configure b/configure
index 5772d0e..c982e2b 100755
--- a/configure
+++ b/configure
@@ -826,6 +826,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1514,6 +1515,7 @@ Optional Packages:
   --with-krb-srvnam=NAME  default service principal name in Kerberos (GSSAPI)
                           [postgres]
   --with-pam              build with PAM support
+  --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
   --with-bonjour          build with Bonjour support
   --with-openssl          build with OpenSSL support
@@ -5557,6 +5559,41 @@ $as_echo "$with_pam" >&6; }
 
 
 #
+# BSD
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD support" >&5
+$as_echo_n "checking whether to build with BSD support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+  withval=$with_bsd_auth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd" >&5
+$as_echo "$with_bsd" >&6; }
+
+
+#
 # LDAP
 #
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5
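Review bot: the two result lines at the end of the new block print `$with_bsd`, but the option handling above stores the answer in `with_bsd_auth` (including the `with_bsd_auth=no` default), so configure will report an empty result; both `$as_echo` lines should use `$with_bsd_auth`. The "checking whether to build with BSD support" message should also say "BSD Authentication support" to match the `--with-bsd-auth` help text added earlier in this file.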
@@ -10475,6 +10512,23 @@ done
 
 fi
 
+if test "$with_bsd" = yes ; then
+  for ac_header in bsd_auth.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BSD_AUTH_H 1
+_ACEOF
+
+else
+  as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5
+fi
+
+done
+
+fi
+
 if test "$with_libxml" = yes ; then
   ac_fn_c_check_header_mongrel "$LINENO" "libxml/parser.h" "ac_cv_header_libxml_parser_h" "$ac_includes_default"
 if test "x$ac_cv_header_libxml_parser_h" = xyes; then :
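Review bot: `if test "$with_bsd" = yes` tests a variable that nothing sets; the option is recorded in `with_bsd_auth`, so this whole `bsd_auth.h` check is dead code. The consequence is that `USE_BSD_AUTH` gets defined without the header ever being verified, and a missing header turns from a clear configure-time error into a compile failure in auth.c. Change the condition to `if test "$with_bsd_auth" = yes ; then`.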
diff --git a/configure.in b/configure.in
index 44f832f..d5fb726 100644
--- a/configure.in
+++ b/configure.in
@@ -663,6 +663,16 @@ AC_MSG_RESULT([$with_pam])
 
 
 #
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+              [build with BSD Authentication support],
+              [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd])
+
+
+#
 # LDAP
 #
 AC_MSG_CHECKING([whether to build with LDAP support])
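Review bot: `AC_MSG_RESULT([$with_bsd])` reports the wrong variable; `PGAC_ARG_BOOL(with, bsd-auth, ...)` sets `with_bsd_auth`, so the printed result is empty (this is the source of the same mistake in the generated configure). The `AC_MSG_CHECKING` text and the `AC_DEFINE` description both say "BSD support" while the help string says "BSD Authentication support"; make them consistent. The new `--with-bsd-auth` option should also be described in installation.sgml next to `--with-pam`.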
@@ -1249,6 +1259,10 @@ if test "$with_pam" = yes ; then
                                      [AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])])
 fi
 
+if test "$with_bsd" = yes ; then
+  AC_CHECK_HEADERS(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])])
+fi
+
 if test "$with_libxml" = yes ; then
   AC_CHECK_HEADER(libxml/parser.h, [], [AC_MSG_ERROR([header file <libxml/parser.h> is required for XML support])])
 fi
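Review bot: same variable mismatch here: `"$with_bsd"` is never set, so the `AC_CHECK_HEADERS(bsd_auth.h, ...)` guard never fires and the header requirement is not enforced. Use `"$with_bsd_auth"`.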
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index cdc5bf1..43673fa 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -89,6 +89,16 @@ static Port *pam_port_cludge;	/* Workaround for passing "Port *port" into
 
 
 /*----------------------------------------------------------------
+ * BSD authentication
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+#include <bsd_auth.h>
+
+static int	CheckBSDAuth(Port *port, char *user);
+#endif   /* USE_BSD_AUTH */
+
+/*----------------------------------------------------------------
  * LDAP authentication
  *----------------------------------------------------------------
  */
@@ -258,6 +268,9 @@ auth_failed(Port *port, int status, char *logdetail)
 		case uaPAM:
 			errstr = gettext_noop("PAM authentication failed for user \"%s\"");
 			break;
+		case uaBSD:
+			errstr = gettext_noop("BSD authentication failed for user \"%s\"");
+			break;
 		case uaLDAP:
 			errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
 			break;
@@ -529,6 +542,14 @@ ClientAuthentication(Port *port)
 #endif   /* USE_PAM */
 			break;
 
+		case uaBSD:
+#ifdef USE_BSD_AUTH
+			status = CheckBSDAuth(port, port->user_name);
+#else
+			Assert(false);
+#endif   /* USE_BSD_AUTH */
+			break;
+
 		case uaLDAP:
 #ifdef USE_LDAP
 			status = CheckLDAPAuth(port);
@@ -1828,7 +1849,32 @@ CheckPAMAuth(Port *port, char *user, char *password)
 }
 #endif   /* USE_PAM */
 
+/*----------------------------------------------------------------
+ * BSD authentication system
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+int
+CheckBSDAuth(Port *port, char *user)
+{
+	char *passwd;
+	int retval;
+
+	/* Send regular password request to client, and get the response */
+	sendAuthRequest(port, AUTH_REQ_PASSWORD);
+
+	passwd = recv_password_packet(port);
+	if (passwd == NULL)
+		return STATUS_EOF;
+
+	retval = auth_userokay(user, NULL, "pg-auth", passwd);
+
+	if (!retval)
+		return STATUS_ERROR;
 
+	return STATUS_OK;
+}
+#endif   /* USE_BSD_AUTH */
 
 /*----------------------------------------------------------------
  * LDAP authentication system
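Review bot: `passwd` is the buffer returned by recv_password_packet(), holding the client's cleartext password, and it is never pfree()'d or cleared on any of the three return paths; add `pfree(passwd);` once auth_userokay() has returned, as the other password-based checks in this file do, so the secret does not linger in the backend's memory. The earlier hunk declares `static int CheckBSDAuth(...)` while the definition here is plain `int`; mark the definition `static` too, matching CheckPAMAuth. The login type passed to auth_userokay() is hardcoded as `"pg-auth"`; it determines which login.conf entries govern the check, so it needs documenting and, like the PAM service name, would be better as a pg_hba.conf option.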
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 94f7cfa..220f8b3 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1190,6 +1190,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 #else
 		unsupauth = "pam";
 #endif
+	else if (strcmp(token->string, "bsd") == 0)
+#ifdef USE_BSD_AUTH
+		parsedline->auth_method = uaBSD;
+#else
+		unsupauth = "bsd";
+#endif
 	else if (strcmp(token->string, "ldap") == 0)
 #ifdef USE_LDAP
 		parsedline->auth_method = uaLDAP;
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index a27706f..8b26627 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -90,6 +90,9 @@ static const char *const auth_methods_host[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
@@ -103,6 +106,9 @@ static const char *const auth_methods_local[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..0e2a61b 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -27,6 +27,7 @@ typedef enum UserAuth
 	uaGSS,
 	uaSSPI,
 	uaPAM,
+	uaBSD,
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 16a272e..e347d1b 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -821,6 +821,9 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
+/* Define to 1 to build with BSD support. (--with-bsd-auth) */
+#undef USE_BSD_AUTH
+
 /* Use replacement snprintf() functions. */
 #undef USE_REPL_SNPRINTF
 
#2 Greg Stark
stark@mit.edu
In reply to: Marisa Emerson (#1)
Re: Proposal: BSD Authentication support

This sounds like a sensible thing to me. I'm actually surprised, it
sounds like something we would have already seen. Do some people just
use PAM on OpenBSD? Are both supported?

You should add the patch to https://commitfest.postgresql.org to
ensure it doesn't slip through the cracks. It's too late for January
though there's nothing stopping people from commenting on or even
committing patches outside the commitfest.

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

#3 Marisa Emerson
mje@insec.sh
In reply to: Greg Stark (#2)
1 attachment(s)
Re: Proposal: BSD Authentication support

There's a port for PAM, but we would prefer to use BSD Auth as it's quite
a lot cleaner and is standard on OpenBSD.

I've attached an updated patch that includes documentation. It has been
tested against OpenBSD 5.8. I'll add this thread to the commitfest.

On 07/01/16 23:26, Greg Stark wrote:

This sounds like a sensible thing to me. I'm actually surprised, it
sounds like something we would have already seen. Do some people just
use PAM on OpenBSD? Are both supported?

You should add the patch to https://commitfest.postgresql.org to
ensure it doesn't slip through the cracks. It's too late for January
though there's nothing stopping people from commenting on or even
committing patches outside the commitfest.

Attachments:

bsd_auth.patch (text/x-patch)
diff --git a/configure b/configure
index 5772d0e..c982e2b 100755
--- a/configure
+++ b/configure
@@ -826,6 +826,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1514,6 +1515,7 @@ Optional Packages:
   --with-krb-srvnam=NAME  default service principal name in Kerberos (GSSAPI)
                           [postgres]
   --with-pam              build with PAM support
+  --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
   --with-bonjour          build with Bonjour support
   --with-openssl          build with OpenSSL support
@@ -5557,6 +5559,41 @@ $as_echo "$with_pam" >&6; }
 
 
 #
+# BSD
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD support" >&5
+$as_echo_n "checking whether to build with BSD support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+  withval=$with_bsd_auth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd" >&5
+$as_echo "$with_bsd" >&6; }
+
+
+#
 # LDAP
 #
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5
@@ -10475,6 +10512,23 @@ done
 
 fi
 
+if test "$with_bsd" = yes ; then
+  for ac_header in bsd_auth.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BSD_AUTH_H 1
+_ACEOF
+
+else
+  as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5
+fi
+
+done
+
+fi
+
 if test "$with_libxml" = yes ; then
   ac_fn_c_check_header_mongrel "$LINENO" "libxml/parser.h" "ac_cv_header_libxml_parser_h" "$ac_includes_default"
 if test "x$ac_cv_header_libxml_parser_h" = xyes; then :
diff --git a/configure.in b/configure.in
index 44f832f..d5fb726 100644
--- a/configure.in
+++ b/configure.in
@@ -663,6 +663,16 @@ AC_MSG_RESULT([$with_pam])
 
 
 #
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+              [build with BSD Authentication support],
+              [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd])
+
+
+#
 # LDAP
 #
 AC_MSG_CHECKING([whether to build with LDAP support])
@@ -1249,6 +1259,10 @@ if test "$with_pam" = yes ; then
                                      [AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])])
 fi
 
+if test "$with_bsd" = yes ; then
+  AC_CHECK_HEADERS(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])])
+fi
+
 if test "$with_libxml" = yes ; then
   AC_CHECK_HEADER(libxml/parser.h, [], [AC_MSG_ERROR([header file <libxml/parser.h> is required for XML support])])
 fi
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..b2c8a43 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -522,6 +522,17 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
          </para>
         </listitem>
        </varlistentry>
+
+       <varlistentry>
+         <term><literal>bsd</></term>
+         <listitem>
+          <para>
+           Authenticate using BSD Authentication (BSD Auth) provided
+           by the operating system. See <xref linkend="auth-bsd">
+           for details.
+          </para>
+         </listitem>
+       </varlistentry>
       </variablelist>
 
       </para>
@@ -1647,6 +1658,33 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
     </para>
    </note>
   </sect2>
+
+  <sect2 id="auth-bsd">
+   <title>BSD Authentication</title>
+
+   <indexterm zone="auth-bsd">
+    <primary>BSD</primary>
+   </indexterm>
+
+   <para>
+    This authentication method operates similarly to
+    <literal>password</literal> except that it uses BSD
+    Authentication as the authentication mechanism. BSD Authentication
+    is used only to validate user name/password pairs.
+    Therefore the user must already exist in the database before BSD
+    Authentication can be used for authentication. For more information
+    about BSD Authentication, please read the
+    <ulink url="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/auth_call.3?query=bsd_auth">
+     <productname>BSD Authentication</> Page</ulink>.
+   </para>
+
+   <note>
+    <para>
+    To use BSD Authentication, the postgresql user must first be added
+    to the <literal>auth</literal> group.
+    </para>
+   </note>
+  </sect2>
  </sect1>
 
   <sect1 id="client-authentication-problems">
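Review bot: the note "the postgresql user must first be added to the auth group" does not say what these are; a reader who is not an OpenBSD user cannot tell whether they are operating-system entities (the OS account the server runs as, and the OS group that is allowed to run the BSD Auth login scripts) or something to create inside PostgreSQL. Spell that out. The section also omits two things a deployer needs: that the server authenticates with the fixed login type `pg-auth` (the value hardcoded in the auth_userokay() call in auth.c), which selects the login.conf entries that govern the check, and that, since the method "operates similarly to password", the password travels in cleartext unless the connection uses SSL. Both belong in this paragraph.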
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index cdc5bf1..43673fa 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -89,6 +89,16 @@ static Port *pam_port_cludge;	/* Workaround for passing "Port *port" into
 
 
 /*----------------------------------------------------------------
+ * BSD authentication
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+#include <bsd_auth.h>
+
+static int	CheckBSDAuth(Port *port, char *user);
+#endif   /* USE_BSD_AUTH */
+
+/*----------------------------------------------------------------
  * LDAP authentication
  *----------------------------------------------------------------
  */
@@ -258,6 +268,9 @@ auth_failed(Port *port, int status, char *logdetail)
 		case uaPAM:
 			errstr = gettext_noop("PAM authentication failed for user \"%s\"");
 			break;
+		case uaBSD:
+			errstr = gettext_noop("BSD authentication failed for user \"%s\"");
+			break;
 		case uaLDAP:
 			errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
 			break;
@@ -529,6 +542,14 @@ ClientAuthentication(Port *port)
 #endif   /* USE_PAM */
 			break;
 
+		case uaBSD:
+#ifdef USE_BSD_AUTH
+			status = CheckBSDAuth(port, port->user_name);
+#else
+			Assert(false);
+#endif   /* USE_BSD_AUTH */
+			break;
+
 		case uaLDAP:
 #ifdef USE_LDAP
 			status = CheckLDAPAuth(port);
@@ -1828,7 +1849,32 @@ CheckPAMAuth(Port *port, char *user, char *password)
 }
 #endif   /* USE_PAM */
 
+/*----------------------------------------------------------------
+ * BSD authentication system
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+int
+CheckBSDAuth(Port *port, char *user)
+{
+	char *passwd;
+	int retval;
+
+	/* Send regular password request to client, and get the response */
+	sendAuthRequest(port, AUTH_REQ_PASSWORD);
+
+	passwd = recv_password_packet(port);
+	if (passwd == NULL)
+		return STATUS_EOF;
+
+	retval = auth_userokay(user, NULL, "pg-auth", passwd);
+
+	if (!retval)
+		return STATUS_ERROR;
 
+	return STATUS_OK;
+}
+#endif   /* USE_BSD_AUTH */
 
 /*----------------------------------------------------------------
  * LDAP authentication system
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 94f7cfa..220f8b3 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1190,6 +1190,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 #else
 		unsupauth = "pam";
 #endif
+	else if (strcmp(token->string, "bsd") == 0)
+#ifdef USE_BSD_AUTH
+		parsedline->auth_method = uaBSD;
+#else
+		unsupauth = "bsd";
+#endif
 	else if (strcmp(token->string, "ldap") == 0)
 #ifdef USE_LDAP
 		parsedline->auth_method = uaLDAP;
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index a27706f..8b26627 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -90,6 +90,9 @@ static const char *const auth_methods_host[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
@@ -103,6 +106,9 @@ static const char *const auth_methods_local[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..0e2a61b 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -27,6 +27,7 @@ typedef enum UserAuth
 	uaGSS,
 	uaSSPI,
 	uaPAM,
+	uaBSD,
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 16a272e..e347d1b 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -821,6 +821,9 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
+/* Define to 1 to build with BSD support. (--with-bsd-auth) */
+#undef USE_BSD_AUTH
+
 /* Use replacement snprintf() functions. */
 #undef USE_REPL_SNPRINTF
 
#4 Marisa Emerson
mje@insec.sh
In reply to: Marisa Emerson (#3)
1 attachment(s)
Re: Proposal: BSD Authentication support

I've attached the latest version of this patch. I've fixed up an issue
with the configuration scripts that I missed.

On 08/01/16 12:40, Marisa Emerson wrote:

There's a port for PAM, but we would prefer to use BSD Auth as it's quite
a lot cleaner and is standard on OpenBSD.

I've attached an updated patch that includes documentation. It has been
tested against OpenBSD 5.8. I'll add this thread to the commitfest.

On 07/01/16 23:26, Greg Stark wrote:

This sounds like a sensible thing to me. I'm actually surprised, it
sounds like something we would have already seen. Do some people just
use PAM on OpenBSD? Are both supported?

You should add the patch to https://commitfest.postgresql.org to
ensure it doesn't slip through the cracks. It's too late for January
though there's nothing stopping people from commenting on or even
committing patches outside the commitfest.

Attachments:

bsd_auth.patch (text/x-patch)
diff --git a/configure b/configure
index 5772d0e..84c1c3e 100755
--- a/configure
+++ b/configure
@@ -826,6 +826,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1514,6 +1515,7 @@ Optional Packages:
   --with-krb-srvnam=NAME  default service principal name in Kerberos (GSSAPI)
                           [postgres]
   --with-pam              build with PAM support
+  --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
   --with-bonjour          build with Bonjour support
   --with-openssl          build with OpenSSL support
@@ -5557,6 +5559,41 @@ $as_echo "$with_pam" >&6; }
 
 
 #
+# BSD AUTH
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD support" >&5
+$as_echo_n "checking whether to build with BSD support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+  withval=$with_bsd_auth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd_auth" >&5
+$as_echo "$with_bsd_auth" >&6; }
+
+
+#
 # LDAP
 #
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5
@@ -10475,6 +10512,23 @@ done
 
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  for ac_header in bsd_auth.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BSD_AUTH_H 1
+_ACEOF
+
+else
+  as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5
+fi
+
+done
+
+fi
+
 if test "$with_libxml" = yes ; then
   ac_fn_c_check_header_mongrel "$LINENO" "libxml/parser.h" "ac_cv_header_libxml_parser_h" "$ac_includes_default"
 if test "x$ac_cv_header_libxml_parser_h" = xyes; then :
diff --git a/configure.in b/configure.in
index 44f832f..8eb98a8 100644
--- a/configure.in
+++ b/configure.in
@@ -663,6 +663,16 @@ AC_MSG_RESULT([$with_pam])
 
 
 #
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+              [build with BSD Authentication support],
+              [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd_auth])
+
+
+#
 # LDAP
 #
 AC_MSG_CHECKING([whether to build with LDAP support])
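Review bot: the `with_bsd`/`with_bsd_auth` mismatch is fixed in this version, but `AC_MSG_CHECKING([whether to build with BSD support])` and the `AC_DEFINE` description still say "BSD support" while the help string says "BSD Authentication support"; align the wording. installation.sgml still lacks an entry for `--with-bsd-auth`.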
@@ -1249,6 +1259,10 @@ if test "$with_pam" = yes ; then
                                      [AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])])
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  AC_CHECK_HEADERS(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])])
+fi
+
 if test "$with_libxml" = yes ; then
   AC_CHECK_HEADER(libxml/parser.h, [], [AC_MSG_ERROR([header file <libxml/parser.h> is required for XML support])])
 fi
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..ffb5178 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -522,6 +522,17 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
          </para>
         </listitem>
        </varlistentry>
+
+       <varlistentry>
+         <term><literal>bsd</></term>
+         <listitem>
+          <para>
+           Authenticate using BSD Authentication (BSD Auth) provided
+           by the operating system. See <xref linkend="auth-bsd">
+           for details.
+          </para>
+         </listitem>
+       </varlistentry>
       </variablelist>
 
       </para>
@@ -1647,6 +1658,30 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
     </para>
    </note>
   </sect2>
+
+  <sect2 id="auth-bsd">
+   <title>BSD Authentication</title>
+
+   <indexterm zone="auth-bsd">
+    <primary>BSD</primary>
+   </indexterm>
+
+   <para>
+    This authentication method operates similarly to
+    <literal>password</literal> except that it uses BSD
+    Authentication as the authentication mechanism. BSD Authentication
+    is used only to validate user name/password pairs.
+    Therefore the user must already exist in the database before BSD
+    Authentication can be used for authentication.
+   </para>
+
+   <note>
+    <para>
+    To use BSD Authentication, the postgresql user must first be added
+    to the <literal>auth</literal> group.
+    </para>
+   </note>
+  </sect2>
  </sect1>
 
   <sect1 id="client-authentication-problems">
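Review bot: this version drops the manual-page link but leaves the "postgresql user" and "auth group" note as vague as before: say that these are OS entities, and state the hardcoded `pg-auth` login type and the cleartext-without-SSL caveat that follow from "operates similarly to password".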
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index cdc5bf1..43673fa 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -89,6 +89,16 @@ static Port *pam_port_cludge;	/* Workaround for passing "Port *port" into
 
 
 /*----------------------------------------------------------------
+ * BSD authentication
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+#include <bsd_auth.h>
+
+static int	CheckBSDAuth(Port *port, char *user);
+#endif   /* USE_BSD_AUTH */
+
+/*----------------------------------------------------------------
  * LDAP authentication
  *----------------------------------------------------------------
  */
@@ -258,6 +268,9 @@ auth_failed(Port *port, int status, char *logdetail)
 		case uaPAM:
 			errstr = gettext_noop("PAM authentication failed for user \"%s\"");
 			break;
+		case uaBSD:
+			errstr = gettext_noop("BSD authentication failed for user \"%s\"");
+			break;
 		case uaLDAP:
 			errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
 			break;
@@ -529,6 +542,14 @@ ClientAuthentication(Port *port)
 #endif   /* USE_PAM */
 			break;
 
+		case uaBSD:
+#ifdef USE_BSD_AUTH
+			status = CheckBSDAuth(port, port->user_name);
+#else
+			Assert(false);
+#endif   /* USE_BSD_AUTH */
+			break;
+
 		case uaLDAP:
 #ifdef USE_LDAP
 			status = CheckLDAPAuth(port);
@@ -1828,7 +1849,32 @@ CheckPAMAuth(Port *port, char *user, char *password)
 }
 #endif   /* USE_PAM */
 
+/*----------------------------------------------------------------
+ * BSD authentication system
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+int
+CheckBSDAuth(Port *port, char *user)
+{
+	char *passwd;
+	int retval;
+
+	/* Send regular password request to client, and get the response */
+	sendAuthRequest(port, AUTH_REQ_PASSWORD);
+
+	passwd = recv_password_packet(port);
+	if (passwd == NULL)
+		return STATUS_EOF;
+
+	retval = auth_userokay(user, NULL, "pg-auth", passwd);
+
+	if (!retval)
+		return STATUS_ERROR;
 
+	return STATUS_OK;
+}
+#endif   /* USE_BSD_AUTH */
 
 /*----------------------------------------------------------------
  * LDAP authentication system
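Review bot: this hunk is unchanged from the first version, so the same points stand: the cleartext password buffer from recv_password_packet() is still never pfree()'d on any return path, the definition is still missing the `static` that the forward declaration carries, and the login type `"pg-auth"` is still hardcoded rather than being a pg_hba.conf option.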
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 94f7cfa..220f8b3 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1190,6 +1190,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 #else
 		unsupauth = "pam";
 #endif
+	else if (strcmp(token->string, "bsd") == 0)
+#ifdef USE_BSD_AUTH
+		parsedline->auth_method = uaBSD;
+#else
+		unsupauth = "bsd";
+#endif
 	else if (strcmp(token->string, "ldap") == 0)
 #ifdef USE_LDAP
 		parsedline->auth_method = uaLDAP;
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index a27706f..8b26627 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -90,6 +90,9 @@ static const char *const auth_methods_host[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
@@ -103,6 +106,9 @@ static const char *const auth_methods_local[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..0e2a61b 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -27,6 +27,7 @@ typedef enum UserAuth
 	uaGSS,
 	uaSSPI,
 	uaPAM,
+	uaBSD,
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 16a272e..e347d1b 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -821,6 +821,9 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
+/* Define to 1 to build with BSD support. (--with-bsd-auth) */
+#undef USE_BSD_AUTH
+
 /* Use replacement snprintf() functions. */
 #undef USE_REPL_SNPRINTF
 
#5 Robert Haas
robertmhaas@gmail.com
In reply to: Marisa Emerson (#4)
Re: Proposal: BSD Authentication support

On Tue, Jan 12, 2016 at 2:27 AM, Marisa Emerson <mje@insec.sh> wrote:

I've attached the latest version of this patch. I've fixed up an issue with
the configuration scripts that I missed.

Looks reasonable on a quick read-through. Can anyone with access to a
BSD system review and test?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


#6 Chapman Flack
chap@anastigmatix.net
In reply to: Robert Haas (#5)
Re: Proposal: BSD Authentication support

Forgive my late comment ... I haven't used the PAM support in postgresql
either, or I'd know. PAM (I know for sure), and I suppose similarly BSD
Authentication, models a generalized auth interaction where a given
authentication module can send a number of arbitrary prompts back to the
client (via callbacks so different protocols and UIs can be used), and
demand a number of arbitrary responses, so that a variety of authentication
schemes can easily be supported.

Is the PostgreSQL support (for either PAM or BSD Authentication) able to
handle that in its designed generality, or only for the case (number of
requested items = 1, item 1 = a password)?

Could the general form be handled with the existing fe/be protocol,
or would the protocol have to grow?

-Chap


#7 Robert Haas
robertmhaas@gmail.com
In reply to: Chapman Flack (#6)
Re: Proposal: BSD Authentication support

On Thu, Jan 14, 2016 at 11:59 PM, Chapman Flack <chap@anastigmatix.net> wrote:

Forgive my late comment ... I haven't used the PAM support in postgresql
either, or I'd know. PAM (I know for sure), and I suppose similarly BSD
Authentication, models a generalized auth interaction where a given
authentication module can send a number of arbitrary prompts back to the
client (via callbacks so different protocols and UIs can be used), and
demand a number of arbitrary responses, so that a variety of authentication
schemes can easily be supported.

Is the PostgreSQL support (for either PAM or BSD Authentication) able to
handle that in its designed generality, or only for the case (number of
requested items = 1, item 1 = a password)?

Could the general form be handled with the existing fe/be protocol,
or would the protocol have to grow?

We support something like this for GSS, but not for other
authentication methods. See:

http://www.postgresql.org/docs/current/static/protocol-flow.html

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


#8 David Steele
david@pgmasters.net
In reply to: Robert Haas (#5)
Re: Proposal: BSD Authentication support

On 1/14/16 11:22 PM, Robert Haas wrote:

On Tue, Jan 12, 2016 at 2:27 AM, Marisa Emerson <mje@insec.sh> wrote:

I've attached the latest version of this patch. I've fixed up an issue with
the configuration scripts that I missed.

Looks reasonable on a quick read-through. Can anyone with access to a
BSD system review and test?

Is anyone with access to/experience with BSD able to review and test
this patch? Seems like it would make a great addition to 9.6.

Thanks,

--
-David
david@pgmasters.net

#9 Thomas Munro
thomas.munro@enterprisedb.com
In reply to: David Steele (#8)
Re: Proposal: BSD Authentication support

On Sat, Mar 12, 2016 at 5:14 AM, David Steele <david@pgmasters.net> wrote:

> On 1/14/16 11:22 PM, Robert Haas wrote:
>
>> On Tue, Jan 12, 2016 at 2:27 AM, Marisa Emerson <mje@insec.sh> wrote:
>>
>>> I've attached the latest version of this patch. I've fixed up an issue with
>>> the configuration scripts that I missed.
>>
>> Looks reasonable on a quick read-through. Can anyone with access to a
>> BSD system review and test?
>
> Is anyone with access to/experience with BSD able to review and test
> this patch? Seems like it would make a great addition to 9.6.

It looks like this needs review from an OpenBSD user specifically.
FreeBSD and NetBSD use PAM instead of BSD auth.

--
Thomas Munro
http://www.enterprisedb.com


#10 Peter Eisentraut
peter_e@gmx.net
In reply to: Marisa Emerson (#3)
Re: Proposal: BSD Authentication support

On 1/7/16 9:40 PM, Marisa Emerson wrote:

> There's a port for PAM, but we would prefer to use BSD Auth as it's quite
> a lot cleaner and is standard on OpenBSD.
>
> I've attached an updated patch that includes documentation. It has been
> tested against OpenBSD 5.8. I'll add this thread to the commitfest.

(Not a BSD user, just reviewing the code.)

configure.in has "build with BSD support", which should be "build with
BSD Authentication support".

There should be some documentation of the new configure option in
installation.sgml.

The documentation in client-auth.sgml speaks of a postgresql user and an
auth group. Maybe that's clear to users of BSD, but I don't know
whether these are OS entities or groups that I need to create or what.

The auth_userokay() call hardcodes a "type" of "pg-auth". That seems
important and should probably be documented. Extrapolating from PAM, I
think that should perhaps be an option in pg_hba.conf.


#11 Peter Eisentraut
peter_e@gmx.net
In reply to: Thomas Munro (#9)
Re: Proposal: BSD Authentication support

On 3/11/16 4:38 PM, Thomas Munro wrote:

> It looks like this needs review from an OpenBSD user specifically.
> FreeBSD and NetBSD use PAM instead of BSD auth.

FreeBSD has man pages for this stuff, so maybe they also have it now.


#12 Thomas Munro
thomas.munro@enterprisedb.com
In reply to: David Steele (#8)
Re: Proposal: BSD Authentication support

On Sat, Mar 12, 2016 at 5:14 AM, David Steele <david@pgmasters.net> wrote:

> On 1/14/16 11:22 PM, Robert Haas wrote:
>
>> On Tue, Jan 12, 2016 at 2:27 AM, Marisa Emerson <mje@insec.sh> wrote:
>>
>>> I've attached the latest version of this patch. I've fixed up an issue with
>>> the configuration scripts that I missed.
>>
>> Looks reasonable on a quick read-through. Can anyone with access to a
>> BSD system review and test?
>
> Is anyone with access to/experience with BSD able to review and test
> this patch? Seems like it would make a great addition to 9.6.

(Disclaimer: I am not a regular OpenBSD user or a security expert.)
I tried this out on OpenBSD 5.8 and it works as described, using
default "passwd" style authentication.

+   <note>
+    <para>
+    To use BSD Authentication, the postgresql user must first be added
+    to the <literal>auth</literal> group.
+    </para>
+   </note>

Our usual wording is "the PostgreSQL user account". Perhaps we should
be more explicit about the fact that membership of this Unix group is
needed on *OpenBSD*, since other current or future BSD forks could
vary. I see that the specific reason this is needed on this OpenBSD
5.8 box is so that it can fork/exec the setuid login_XXX binaries that
live under /usr/libexec/auth.

auth_userokay is called with a type of "pg-auth". I noticed from
looking at the man page and source of some other applications that the
convention is usually a hardcoded string like "auth-myserver",
"auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
here? And as Peter E already said, that string should probably be
documented: it looks a bit like it is useful for allowing the
available authentication styles to be restricted or defaulted
specifically for PostgreSQL in login.conf based on that string.
(Though when I tried to set that up, it seemed to ignore my
possibly-incorrectly-specified rule asking it to use "reject" so I may
have misunderstood.)

The style argument is hard coded as NULL, as I see is the case in some
other applications. From the man page: "If style is not NULL, it
specifies the desired style of authentication to be used. If it is
NULL then the default style for the user is used. In this case, name
may include the desired style by appending it to the user's name with
a single colon (‘:’) as a separator." I wonder if such
user-controllable styles are OK (though I guess would require username
mapping to strip them off if we do want that as a feature). I wonder
if it should be possible to provide the style argument that we pass to
auth_userokay explicitly in pg_hba.conf, so that the DBA could
explicitly say BSD auth with style=radius.

I also tested on a system with no BSD auth support and configure
behaved sensibly with and without the new option ('error: header file
<bsd_auth.h> is required for BSD Authentication support'). I tried
configuring BSD auth in pg_hba.conf on a system built without the new
feature and it behaved sensibly ('invalid authentication method "bsd":
not supported by this build').

--
Thomas Munro
http://www.enterprisedb.com
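The style-selection rule quoted from the man page above, modelled in C as an added example (not PostgreSQL or OpenBSD code; the login class table and the names resolve_style, pick_style, style_for and user_for are constructed for the illustration). It shows that with style = NULL the client-supplied name picks the style, bounded only by the class's auth-<type> list, while a style pinned by the server cannot be overridden from the name.

```c
/*
 * Added example, not PostgreSQL or OpenBSD code: a model of how BSD
 * Authentication picks the "style" for auth_userokay(name, style, type,
 * password), following the man page excerpt quoted in this thread: an
 * explicit style is used if the login class permits it for the type; with
 * style == NULL a "user:style" suffix in the name may select a permitted
 * style, and a bare name gets the class default (the first listed).
 * The login class below is constructed, standing in for login.conf(5).
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STYLES 4

/* One login class: the styles its "auth-<type>" capability permits. */
struct login_class
{
	const char *name;
	const char *type;				/* capability, e.g. "auth-postgresql" */
	const char *styles[MAX_STYLES];	/* permitted styles, first is default */
};

/* Constructed stand-in for an "auth-postgresql=passwd,radius" entry. */
static const struct login_class pg_class = {
	"default", "auth-postgresql", {"passwd", "radius", NULL, NULL}
};

/* Style to use, or NULL to reject; a NULL/empty request means class default. */
const char *
resolve_style(const struct login_class *lc, const char *requested)
{
	int			i;

	if (requested == NULL || requested[0] == '\0')
		return lc->styles[0];
	for (i = 0; i < MAX_STYLES && lc->styles[i] != NULL; i++)
		if (strcmp(lc->styles[i], requested) == 0)
			return lc->styles[i];
	return NULL;				/* style not permitted for this type */
}

/*
 * Model of the auth_userokay() entry point: writes the account that would be
 * looked up into "user" and returns the style that would be tried, or NULL
 * for a rejection. Only with style == NULL does the client-supplied name get
 * to choose the style, which is the user-controllable case discussed above.
 */
const char *
pick_style(const struct login_class *lc, const char *name,
		   const char *style, char *user, size_t ulen)
{
	const char *colon;
	size_t		n;

	if (style != NULL)
	{
		/* Caller pinned the style: the name is taken literally, no split. */
		snprintf(user, ulen, "%s", name);
		return resolve_style(lc, style);
	}
	colon = strchr(name, ':');
	n = colon ? (size_t) (colon - name) : strlen(name);
	if (n >= ulen)
		n = ulen - 1;
	memcpy(user, name, n);
	user[n] = '\0';
	return resolve_style(lc, colon ? colon + 1 : NULL);
}

/* Wrappers over pg_class: the decision, and the account it applies to. */
const char *
style_for(const char *name, const char *style)
{
	static char user[64];
	return pick_style(&pg_class, name, style, user, sizeof user);
}

const char *
user_for(const char *name, const char *style)
{
	static char user[64];
	pick_style(&pg_class, name, style, user, sizeof user);
	return user;
}

int
main(void)
{
	const char *names[] = {"alice", "alice:radius", "alice:skey"};
	int			i;

	for (i = 0; i < 3; i++)	/* style == NULL: the name may pick a permitted style */
		printf("%-13s -> user=%s style=%s\n", names[i], user_for(names[i], NULL),
			   style_for(names[i], NULL) ? style_for(names[i], NULL) : "(rejected)");
	/* style pinned by the server: the ":radius" suffix cannot override it */
	printf("%-13s -> user=%s style=%s (pinned)\n", "alice:radius",
		   user_for("alice:radius", "passwd"), style_for("alice:radius", "passwd"));
	return 0;
}
```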


#13 Marisa Emerson
mje@insec.sh
In reply to: Thomas Munro (#12)
1 attachment(s)
Re: Proposal: BSD Authentication support

> Our usual wording is "the PostgreSQL user account". Perhaps we should
> be more explicit about the fact that membership of this Unix group is
> needed on *OpenBSD*, since other current or future BSD forks could
> vary. I see that the specific reason this is needed on this OpenBSD
> 5.8 box is so that it can fork/exec the setuid login_XXX binaries that
> live under /usr/libexec/auth.

The BSD Authentication framework currently only exists on OpenBSD. I've added some explicit documentation that this mechanism is currently only supported on OpenBSD and I've tried to be a bit more explicit about the auth group as suggested by Peter.

> auth_userokay is called with a type of "pg-auth". I noticed from
> looking at the man page and source of some other applications that the
> convention is usually a hardcoded string like "auth-myserver",
> "auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
> we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
> here? And as Peter E already said, that string should probably be
> documented: it looks a bit like it is useful for allowing the
> available authentication styles to be restricted or defaulted
> specifically for PostgreSQL in login.conf based on that string.
> (Though when I tried to set that up, it seemed to ignore my
> possibly-incorrectly-specified rule asking it to use "reject" so I may
> have misunderstood.)

This is correct, although so far I've only tested using the default login class. The attached patch includes some more explicit documentation about this string.

> The style argument is hard coded as NULL, as I see is the case in some
> other applications. From the man page: "If style is not NULL, it
> specifies the desired style of authentication to be used. If it is
> NULL then the default style for the user is used. In this case, name
> may include the desired style by appending it to the user's name with
> a single colon (‘:’) as a separator." I wonder if such
> user-controllable styles are OK (though I guess would require username
> mapping to strip them off if we do want that as a feature). I wonder
> if it should be possible to provide the style argument that we pass to
> auth_userokay explicitly in pg_hba.conf, so that the DBA could
> explicitly say BSD auth with style=radius.

I've so far only tested passwd authentication. I'd be interested to test some of the other authentication styles; I think this would be a useful feature.

Attachments:

bsd_auth.patch (application/octet-stream):
diff --git a/configure b/configure
index a45be67..8f305eb 100755
--- a/configure
+++ b/configure
@@ -827,6 +827,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1516,6 +1517,7 @@ Optional Packages:
   --with-krb-srvnam=NAME  default service principal name in Kerberos (GSSAPI)
                           [postgres]
   --with-pam              build with PAM support
+  --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
   --with-bonjour          build with Bonjour support
   --with-openssl          build with OpenSSL support
@@ -5571,6 +5573,41 @@ $as_echo "$with_pam" >&6; }
 
 
 #
+# BSD AUTH
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD Authentication support" >&5
+$as_echo_n "checking whether to build with BSD Authentication support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+  withval=$with_bsd_auth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd_auth" >&5
+$as_echo "$with_bsd_auth" >&6; }
+
+
+#
 # LDAP
 #
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5
@@ -10524,6 +10561,23 @@ done
 
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  for ac_header in bsd_auth.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BSD_AUTH_H 1
+_ACEOF
+
+else
+  as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5
+fi
+
+done
+
+fi
+
 if test "$with_systemd" = yes ; then
   ac_fn_c_check_header_mongrel "$LINENO" "systemd/sd-daemon.h" "ac_cv_header_systemd_sd_daemon_h" "$ac_includes_default"
 if test "x$ac_cv_header_systemd_sd_daemon_h" = xyes; then :
diff --git a/configure.in b/configure.in
index c298926..f17bfcc 100644
--- a/configure.in
+++ b/configure.in
@@ -674,6 +674,16 @@ AC_MSG_RESULT([$with_pam])
 
 
 #
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD Authentication support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+              [build with BSD Authentication support],
+              [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd_auth])
+
+
+#
 # LDAP
 #
 AC_MSG_CHECKING([whether to build with LDAP support])
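Review bot: the AC_DEFINE description on the last PGAC_ARG_BOOL line still reads "Define to 1 to build with BSD support. (--with-bsd-auth)" while the option help text two lines above says "BSD Authentication support"; since autoheader copies that description into pg_config.h.in (the same "BSD support" wording appears in that file's hunk), changing it here to "Define to 1 to build with BSD Authentication support. (--with-bsd-auth)" fixes both places at once and matches the earlier review request to name the feature consistently.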
@@ -1269,6 +1279,10 @@ if test "$with_pam" = yes ; then
                                      [AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])])
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  AC_CHECK_HEADERS(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])])
+fi
+
 if test "$with_systemd" = yes ; then
   AC_CHECK_HEADER(systemd/sd-daemon.h, [], [AC_MSG_ERROR([header file <systemd/sd-daemon.h> is required for systemd support])])
 fi
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..7c67841 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -522,6 +522,17 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
          </para>
         </listitem>
        </varlistentry>
+
+       <varlistentry>
+         <term><literal>bsd</></term>
+         <listitem>
+          <para>
+           Authenticate using BSD Authentication provided by the
+           operating system. See <xref linkend="auth-bsd"> for
+           details.
+          </para>
+         </listitem>
+       </varlistentry>
       </variablelist>
 
       </para>
@@ -1647,6 +1658,40 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
     </para>
    </note>
   </sect2>
+
+  <sect2 id="auth-bsd">
+   <title>BSD Authentication</title>
+
+   <indexterm zone="auth-bsd">
+    <primary>BSD</primary>
+   </indexterm>
+
+   <para>
+    This authentication method operates similarly to
+    <literal>password</literal> except that it uses BSD
+    Authentication as the authentication mechanism. BSD Authentication
+    is used only to validate user name/password pairs.
+    Therefore the user must already exist in the database before BSD
+    Authentication can be used for authentication. The BSD Authentication
+    framework is currently only available on OpenBSD.
+   </para>
+
+   <para>
+    BSD Authentication on PostgreSQL uses the <literal>auth-postgres</literal>
+    login type and authenticates with the <literal>postgres</literal> login
+    class if defined in <filename>login.conf</filename>. By default this
+    login class does not exist, and PostgreSQL will use the default login
+    class.
+   </para>
+
+   <note>
+    <para>
+    To use BSD Authentication, the PostgreSQL user account must first be
+    added to the <literal>auth</literal> group. The auth group exists by
+    default on OpenBSD systems.
+    </para>
+   </note>
+  </sect2>
  </sect1>
 
   <sect1 id="client-authentication-problems">
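Review bot: the documentation and the code disagree on the type string: this hunk says PostgreSQL uses the `auth-postgres` login type and a `postgres` login class, while the auth.c hunk in the same patch calls `auth_userokay(user, NULL, "auth-postgresql", passwd)`. Pick one spelling and use it in both places; an administrator who writes an `auth-postgres` capability into login.conf on the strength of this paragraph would find it ignored by a server that asks for `auth-postgresql`.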
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index 1564b8e..0128bd7 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -261,6 +261,14 @@ su - postgres
 
     <listitem>
      <para>
+       You will need to be using the OpenBSD operating system to use
+       BSD Authentication, as the BSD Authentication framework is
+       currently only available on OpenBSD.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
       To build the <productname>PostgreSQL</productname> documentation,
       there is a separate set of requirements; see
       <![%standalone-ignore;[<xref linkend="docguide-toolsets">.]]>
@@ -793,6 +801,15 @@ su - postgres
       </varlistentry>
 
       <varlistentry>
+       <term><option>--with-bsd-auth</option></term>
+       <listitem>
+        <para>
+         Build with BSD Authentication support.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
        <term><option>--with-ldap</option></term>
        <listitem>
         <para>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7f1ae8c..a19e5fd 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -89,6 +89,16 @@ static Port *pam_port_cludge;	/* Workaround for passing "Port *port" into
 
 
 /*----------------------------------------------------------------
+ * BSD authentication
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+#include <bsd_auth.h>
+
+static int	CheckBSDAuth(Port *port, char *user);
+#endif   /* USE_BSD_AUTH */
+
+/*----------------------------------------------------------------
  * LDAP authentication
  *----------------------------------------------------------------
  */
@@ -258,6 +268,9 @@ auth_failed(Port *port, int status, char *logdetail)
 		case uaPAM:
 			errstr = gettext_noop("PAM authentication failed for user \"%s\"");
 			break;
+		case uaBSD:
+			errstr = gettext_noop("BSD authentication failed for user \"%s\"");
+			break;
 		case uaLDAP:
 			errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
 			break;
@@ -529,6 +542,14 @@ ClientAuthentication(Port *port)
 #endif   /* USE_PAM */
 			break;
 
+		case uaBSD:
+#ifdef USE_BSD_AUTH
+			status = CheckBSDAuth(port, port->user_name);
+#else
+			Assert(false);
+#endif   /* USE_BSD_AUTH */
+			break;
+
 		case uaLDAP:
 #ifdef USE_LDAP
 			status = CheckLDAPAuth(port);
@@ -1830,7 +1851,32 @@ CheckPAMAuth(Port *port, char *user, char *password)
 }
 #endif   /* USE_PAM */
 
+/*----------------------------------------------------------------
+ * BSD authentication system
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+int
+CheckBSDAuth(Port *port, char *user)
+{
+	char *passwd;
+	int retval;
+
+	/* Send regular password request to client, and get the response */
+	sendAuthRequest(port, AUTH_REQ_PASSWORD);
+
+	passwd = recv_password_packet(port);
+	if (passwd == NULL)
+		return STATUS_EOF;
+
+	retval = auth_userokay(user, NULL, "auth-postgresql", passwd);
+
+	if (!retval)
+		return STATUS_ERROR;
 
+	return STATUS_OK;
+}
+#endif   /* USE_BSD_AUTH */
 
 /*----------------------------------------------------------------
  * LDAP authentication system
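Review bot: the definition of CheckBSDAuth drops the `static` that the forward declaration near the top of the file (`static int CheckBSDAuth(Port *port, char *user);`) carries; make the definition `static int` as well so the two agree. The buffer returned by recv_password_packet is also never released: `passwd` is not freed on either the success or the failure path after auth_userokay, so add a pfree(passwd) once the call returns, which also shortens the time the cleartext password lingers in backend memory.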
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 28f9fb5..9f14ab0 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1190,6 +1190,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 #else
 		unsupauth = "pam";
 #endif
+	else if (strcmp(token->string, "bsd") == 0)
+#ifdef USE_BSD_AUTH
+		parsedline->auth_method = uaBSD;
+#else
+		unsupauth = "bsd";
+#endif
 	else if (strcmp(token->string, "ldap") == 0)
 #ifdef USE_LDAP
 		parsedline->auth_method = uaLDAP;
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index ed3ba7b..59aeb10 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -90,6 +90,9 @@ static const char *const auth_methods_host[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
@@ -103,6 +106,9 @@ static const char *const auth_methods_local[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..0e2a61b 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -27,6 +27,7 @@ typedef enum UserAuth
 	uaGSS,
 	uaSSPI,
 	uaPAM,
+	uaBSD,
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 3813226..a35605c 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -821,6 +821,9 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
+/* Define to 1 to build with BSD support. (--with-bsd-auth) */
+#undef USE_BSD_AUTH
+
 /* Use replacement snprintf() functions. */
 #undef USE_REPL_SNPRINTF
 
#14 Thomas Munro
thomas.munro@enterprisedb.com
In reply to: Marisa Emerson (#13)
Re: Proposal: BSD Authentication support

On Fri, Mar 18, 2016 at 2:58 AM, Marisa Emerson <mje@insec.sh> wrote:

>> Our usual wording is "the PostgreSQL user account". Perhaps we should
>> be more explicit about the fact that membership of this Unix group is
>> needed on *OpenBSD*, since other current or future BSD forks could
>> vary. I see that the specific reason this is needed on this OpenBSD
>> 5.8 box is so that it can fork/exec the setuid login_XXX binaries that
>> live under /usr/libexec/auth.
>
> The BSD Authentication framework currently only exists on OpenBSD. I've added some explicit documentation that this mechanism is currently only supported on OpenBSD and I've tried to be a bit more explicit about the auth group as suggested by Peter.
>
>> auth_userokay is called with a type of "pg-auth". I noticed from
>> looking at the man page and source of some other applications that the
>> convention is usually a hardcoded string like "auth-myserver",
>> "auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
>> we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
>> here? And as Peter E already said, that string should probably be
>> documented: it looks a bit like it is useful for allowing the
>> available authentication styles to be restricted or defaulted
>> specifically for PostgreSQL in login.conf based on that string.
>> (Though when I tried to set that up, it seemed to ignore my
>> possibly-incorrectly-specified rule asking it to use "reject" so I may
>> have misunderstood.)
>
> This is correct, although so far I've only tested using the default login class. The attached patch includes some more explicit documentation about this string.

You used one name in the docs and another in the code:

+    BSD Authentication on PostgreSQL uses the <literal>auth-postgres</literal>
+    login type and authenticates with the <literal>postgres</literal> login

+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);

>> The style argument is hard coded as NULL, as I see is the case in some
>> other applications. From the man page: "If style is not NULL, it
>> specifies the desired style of authentication to be used. If it is
>> NULL then the default style for the user is used. In this case, name
>> may include the desired style by appending it to the user's name with
>> a single colon (‘:’) as a separator." I wonder if such
>> user-controllable styles are OK (though I guess would require username
>> mapping to strip them off if we do want that as a feature). I wonder
>> if it should be possible to provide the style argument that we pass to
>> auth_userokay explicitly in pg_hba.conf, so that the DBA could
>> explicitly say BSD auth with style=radius.
>
> I've so far only tested passwd authentication. I'd be interested to test some of the other authentication styles; I think this would be a useful feature.

Agreed.

It looks like this is still very useful with the default, and maybe
adding support for specifying the auth style in pg_hba.conf could be a
follow-up patch if anyone is interested in writing that.

Except for the string mismatch above I would personally say this is
ready for a committer to look at. Since Stas Kelvich also signed up
as a reviewer I'll give it a few days to see if he has feedback before
updating the commitfest status.

--
Thomas Munro
http://www.enterprisedb.com


#15 Marisa Emerson
mje@insec.sh
In reply to: Thomas Munro (#14)
1 attachment(s)
Re: Proposal: BSD Authentication support

On 18/03/16 03:57, Thomas Munro wrote:

> You used one name in the docs and another in the code:
>
> +    BSD Authentication on PostgreSQL uses the <literal>auth-postgres</literal>
> +    login type and authenticates with the <literal>postgres</literal> login
>
> + retval = auth_userokay(user, NULL, "auth-postgresql", passwd);

Woops, fix attached.

Attachments:

bsd_auth.patch (text/x-patch):
diff --git a/configure b/configure
index a45be67..8f305eb 100755
--- a/configure
+++ b/configure
@@ -827,6 +827,7 @@ with_python
 with_gssapi
 with_krb_srvnam
 with_pam
+with_bsd_auth
 with_ldap
 with_bonjour
 with_openssl
@@ -1516,6 +1517,7 @@ Optional Packages:
   --with-krb-srvnam=NAME  default service principal name in Kerberos (GSSAPI)
                           [postgres]
   --with-pam              build with PAM support
+  --with-bsd-auth         build with BSD Authentication support
   --with-ldap             build with LDAP support
   --with-bonjour          build with Bonjour support
   --with-openssl          build with OpenSSL support
@@ -5571,6 +5573,41 @@ $as_echo "$with_pam" >&6; }
 
 
 #
+# BSD AUTH
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with BSD Authentication support" >&5
+$as_echo_n "checking whether to build with BSD Authentication support... " >&6; }
+
+
+
+# Check whether --with-bsd-auth was given.
+if test "${with_bsd_auth+set}" = set; then :
+  withval=$with_bsd_auth;
+  case $withval in
+    yes)
+
+$as_echo "#define USE_BSD_AUTH 1" >>confdefs.h
+
+      ;;
+    no)
+      :
+      ;;
+    *)
+      as_fn_error $? "no argument expected for --with-bsd-auth option" "$LINENO" 5
+      ;;
+  esac
+
+else
+  with_bsd_auth=no
+
+fi
+
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_bsd_auth" >&5
+$as_echo "$with_bsd_auth" >&6; }
+
+
+#
 # LDAP
 #
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with LDAP support" >&5
@@ -10524,6 +10561,23 @@ done
 
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  for ac_header in bsd_auth.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "bsd_auth.h" "ac_cv_header_bsd_auth_h" "$ac_includes_default"
+if test "x$ac_cv_header_bsd_auth_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_BSD_AUTH_H 1
+_ACEOF
+
+else
+  as_fn_error $? "header file <bsd_auth.h> is required for BSD Authentication support" "$LINENO" 5
+fi
+
+done
+
+fi
+
 if test "$with_systemd" = yes ; then
   ac_fn_c_check_header_mongrel "$LINENO" "systemd/sd-daemon.h" "ac_cv_header_systemd_sd_daemon_h" "$ac_includes_default"
 if test "x$ac_cv_header_systemd_sd_daemon_h" = xyes; then :
diff --git a/configure.in b/configure.in
index c298926..f17bfcc 100644
--- a/configure.in
+++ b/configure.in
@@ -674,6 +674,16 @@ AC_MSG_RESULT([$with_pam])
 
 
 #
+# BSD AUTH
+#
+AC_MSG_CHECKING([whether to build with BSD Authentication support])
+PGAC_ARG_BOOL(with, bsd-auth, no,
+              [build with BSD Authentication support],
+              [AC_DEFINE([USE_BSD_AUTH], 1, [Define to 1 to build with BSD support. (--with-bsd-auth)])])
+AC_MSG_RESULT([$with_bsd_auth])
+
+
+#
 # LDAP
 #
 AC_MSG_CHECKING([whether to build with LDAP support])
@@ -1269,6 +1279,10 @@ if test "$with_pam" = yes ; then
                                      [AC_MSG_ERROR([header file <security/pam_appl.h> or <pam/pam_appl.h> is required for PAM.])])])
 fi
 
+if test "$with_bsd_auth" = yes ; then
+  AC_CHECK_HEADERS(bsd_auth.h, [], [AC_MSG_ERROR([header file <bsd_auth.h> is required for BSD Authentication support])])
+fi
+
 if test "$with_systemd" = yes ; then
   AC_CHECK_HEADER(systemd/sd-daemon.h, [], [AC_MSG_ERROR([header file <systemd/sd-daemon.h> is required for systemd support])])
 fi
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 3b2935c..0b63e42 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -522,6 +522,17 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
          </para>
         </listitem>
        </varlistentry>
+
+       <varlistentry>
+        <term><literal>bsd</></term>
+        <listitem>
+         <para>
+          Authenticate using BSD Authentication provided by the
+          operating system. See <xref linkend="auth-bsd"> for
+          details.
+         </para>
+        </listitem>
+       </varlistentry>
       </variablelist>
 
       </para>
@@ -1647,6 +1658,40 @@ host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
     </para>
    </note>
   </sect2>
+
+  <sect2 id="auth-bsd">
+   <title>BSD Authentication</title>
+
+   <indexterm zone="auth-bsd">
+    <primary>BSD</primary>
+   </indexterm>
+
+   <para>
+    This authentication method operates similarly to
+    <literal>password</literal> except that it uses BSD Authentication
+    as the authentication mechanism. BSD Authentication is used only
+    to validate user name/password pairs. Therefore the user must
+    already exist in the database before BSD Authentication can be used
+    for authentication. The BSD Authentication framework is currently
+    only available on OpenBSD.
+   </para>
+
+   <para>
+    BSD Authentication on PostgreSQL uses the <literal>auth-postgresql</literal>
+    login type and authenticates with the <literal>postgresql</literal>
+    login class if defined in <filename>login.conf</filename>. By default
+    this login class does not exist, and PostgreSQL will use the default
+    login class.
+   </para>
+
+   <note>
+    <para>
+     To use BSD Authentication, the PostgreSQL user account must first be
+     added to the <literal>auth</literal> group. The auth group exists by
+     default on OpenBSD systems.
+    </para>
+   </note>
+  </sect2>
  </sect1>
 
   <sect1 id="client-authentication-problems">
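Review bot: the second paragraph says this method "authenticates with the postgresql login class if defined in login.conf", but nothing in the patch selects a login class: the auth.c hunk passes only the type string "auth-postgresql" to auth_userokay, and BSD Authentication takes the login class from the user's own passwd entry, consulting that class's `auth-postgresql` capability (falling back to `auth`) for the permitted styles. Reword the paragraph to say what the type string actually does, and, since CheckBSDAuth sends AUTH_REQ_PASSWORD exactly as `password` does, carry over the cleartext-on-the-wire caveat that the `password` method documentation gives.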
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index 1564b8e..e378f5f 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -261,6 +261,14 @@ su - postgres
 
     <listitem>
      <para>
+      You will need to be using the OpenBSD operating system to use
+      BSD Authentication, as the BSD Authentication framework is
+      currently only available on OpenBSD.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
       To build the <productname>PostgreSQL</productname> documentation,
       there is a separate set of requirements; see
       <![%standalone-ignore;[<xref linkend="docguide-toolsets">.]]>
@@ -793,6 +801,15 @@ su - postgres
       </varlistentry>
 
       <varlistentry>
+       <term><option>--with-bsd-auth</option></term>
+       <listitem>
+        <para>
+         Build with BSD Authentication support.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
        <term><option>--with-ldap</option></term>
        <listitem>
         <para>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7f1ae8c..a19e5fd 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -89,6 +89,16 @@ static Port *pam_port_cludge;	/* Workaround for passing "Port *port" into
 
 
 /*----------------------------------------------------------------
+ * BSD authentication
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+#include <bsd_auth.h>
+
+static int	CheckBSDAuth(Port *port, char *user);
+#endif   /* USE_BSD_AUTH */
+
+/*----------------------------------------------------------------
  * LDAP authentication
  *----------------------------------------------------------------
  */
@@ -258,6 +268,9 @@ auth_failed(Port *port, int status, char *logdetail)
 		case uaPAM:
 			errstr = gettext_noop("PAM authentication failed for user \"%s\"");
 			break;
+		case uaBSD:
+			errstr = gettext_noop("BSD authentication failed for user \"%s\"");
+			break;
 		case uaLDAP:
 			errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
 			break;
@@ -529,6 +542,14 @@ ClientAuthentication(Port *port)
 #endif   /* USE_PAM */
 			break;
 
+		case uaBSD:
+#ifdef USE_BSD_AUTH
+			status = CheckBSDAuth(port, port->user_name);
+#else
+			Assert(false);
+#endif   /* USE_BSD_AUTH */
+			break;
+
 		case uaLDAP:
 #ifdef USE_LDAP
 			status = CheckLDAPAuth(port);
@@ -1830,7 +1851,32 @@ CheckPAMAuth(Port *port, char *user, char *password)
 }
 #endif   /* USE_PAM */
 
+/*----------------------------------------------------------------
+ * BSD authentication system
+ *----------------------------------------------------------------
+ */
+#ifdef USE_BSD_AUTH
+int
+CheckBSDAuth(Port *port, char *user)
+{
+	char *passwd;
+	int retval;
+
+	/* Send regular password request to client, and get the response */
+	sendAuthRequest(port, AUTH_REQ_PASSWORD);
+
+	passwd = recv_password_packet(port);
+	if (passwd == NULL)
+		return STATUS_EOF;
+
+	retval = auth_userokay(user, NULL, "auth-postgresql", passwd);
+
+	if (!retval)
+		return STATUS_ERROR;
 
+	return STATUS_OK;
+}
+#endif   /* USE_BSD_AUTH */
 
 /*----------------------------------------------------------------
  * LDAP authentication system
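Review bot: CheckBSDAuth hands whatever recv_password_packet returns straight to auth_userokay, so a zero-length password is forwarded to the OS rather than refused; the LDAP and RADIUS paths in this file log "empty password returned by client" and return STATUS_ERROR for that case, and the same check belongs here before the auth_userokay call. The `static` from the forward declaration is also missing on the definition, and `passwd` is never pfree'd on either return path after auth_userokay; both should be fixed before commit.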
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 28f9fb5..9f14ab0 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1190,6 +1190,12 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 #else
 		unsupauth = "pam";
 #endif
+	else if (strcmp(token->string, "bsd") == 0)
+#ifdef USE_BSD_AUTH
+		parsedline->auth_method = uaBSD;
+#else
+		unsupauth = "bsd";
+#endif
 	else if (strcmp(token->string, "ldap") == 0)
 #ifdef USE_LDAP
 		parsedline->auth_method = uaLDAP;
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index ed3ba7b..59aeb10 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -90,6 +90,9 @@ static const char *const auth_methods_host[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
@@ -103,6 +106,9 @@ static const char *const auth_methods_local[] = {
 #ifdef USE_PAM
 	"pam", "pam ",
 #endif
+#ifdef USE_BSD_AUTH
+	"bsd",
+#endif
 #ifdef USE_LDAP
 	"ldap",
 #endif
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 68a953a..0e2a61b 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -27,6 +27,7 @@ typedef enum UserAuth
 	uaGSS,
 	uaSSPI,
 	uaPAM,
+	uaBSD,
 	uaLDAP,
 	uaCert,
 	uaRADIUS,
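Review bot: adding uaBSD between uaPAM and uaLDAP renumbers uaLDAP, uaCert and uaRADIUS, which is harmless only if nothing indexes an array or persists a value by UserAuth; worth a quick grep before commit. Every switch over UserAuth also needs a uaBSD arm (auth_failed and ClientAuthentication are covered in this patch).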
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 3813226..a35605c 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -821,6 +821,9 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
+/* Define to 1 to build with BSD support. (--with-bsd-auth) */
+#undef USE_BSD_AUTH
+
 /* Use replacement snprintf() functions. */
 #undef USE_REPL_SNPRINTF
 
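Review bot: pg_config.h.in is autoheader output kept in alphabetical order by symbol, so USE_BSD_AUTH belongs next to USE_BONJOUR rather than after USE_PAM, otherwise the next autoheader run reorders it. The comment "BSD support" is also ambiguous, since BSD is a platform name as well; spell it out to match the option: /* Define to 1 to build with BSD Authentication support. (--with-bsd-auth) */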
#16Thomas Munro
thomas.munro@enterprisedb.com
In reply to: Marisa Emerson (#15)
Re: Proposal: BSD Authentication support

On Fri, Mar 18, 2016 at 12:49 PM, Marisa Emerson <mje@insec.sh> wrote:

On 18/03/16 03:57, Thomas Munro wrote:

You used one name in the docs and another in the code:

+    BSD Authentication on PostgreSQL uses the
<literal>auth-postgres</literal>
+    login type and authenticates with the <literal>postgres</literal>
login

+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);

Woops, fix attached.

Thanks!

I'm CCing Pierre-Emmanuel André, maintainer of the OpenBSD postgresql
port/package, just in case he has any feedback.

Pierre-Emmanuel, here's the full thread in case you missed it:
/messages/by-id/1521c2f9465.e357a543197915.6912077634413325318@insec.sh

--
Thomas Munro
http://www.enterprisedb.com

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
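
The name mismatch Thomas points out is more than cosmetic: auth_userokay(3) uses its third argument as the login.conf(5) capability to look up, so the string compiled into CheckBSDAuth and the capability name an administrator writes must be identical. What follows is an added configuration example, not part of the patch or of the PostgreSQL documentation; the address range, the login class name pgusers and the account name are assumptions.

```conf
# pg_hba.conf (added example; 192.0.2.0/24 is a documentation address)
# TYPE     DATABASE   USER   ADDRESS         METHOD
local      all        all                    bsd
hostssl    all        all    192.0.2.0/24    bsd
# No plain "host ... bsd" line: the method asks for the password with
# AUTH_REQ_PASSWORD, i.e. in cleartext, so keep it to Unix sockets and TLS.

# /etc/login.conf (added example): a class for the OS accounts that back
# database roles.  The capability name must be the exact string passed to
# auth_userokay(); with "auth-postgresql" in the code, an "auth-postgres"
# entry here would never be consulted and the class would fall back to the
# generic "auth" list it inherits from default.
pgusers:\
	:auth-postgresql=passwd:\
	:tc=default:
```

The class is taken from the OS account's login-class field, so attach it to each account with `usermod -L pgusers alice` and rebuild login.conf.db with `cap_mkdb /etc/login.conf` if you keep the database form. The name handed to auth_userokay() is the PostgreSQL user name unchanged, so the database role and the OpenBSD login must be spelled identically.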

#17Pierre-Emmanuel André
pea@openbsd.org
In reply to: Thomas Munro (#16)
Re: Proposal: BSD Authentication support

On Fri, Mar 18, 2016 at 06:30:35PM +1300, Thomas Munro wrote:

On Fri, Mar 18, 2016 at 12:49 PM, Marisa Emerson <mje@insec.sh> wrote:

On 18/03/16 03:57, Thomas Munro wrote:

You used one name in the docs and another in the code:

+    BSD Authentication on PostgreSQL uses the
<literal>auth-postgres</literal>
+    login type and authenticates with the <literal>postgres</literal>
login

+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);

Woops, fix attached.

Thanks!

I'm CCing Pierre-Emmanuel André, maintainer of the OpenBSD postgresql
port/package, just in case he has any feedback.

Pierre-Emmanuel, here's the full thread in case you missed it:
/messages/by-id/1521c2f9465.e357a543197915.6912077634413325318@insec.sh

Hi,

Sorry for the late answer.
I've tested the patch on @amd64 with the latest PostgreSQL 9.6devel. I can't judge the diff
itself (it looks good but I'm not a PostgreSQL developer) but everything works fine.
It would be a nice feature to have on OpenBSD.

Regards,


#18Robert Haas
robertmhaas@gmail.com
In reply to: Pierre-Emmanuel André (#17)
Re: Proposal: BSD Authentication support

On Fri, Apr 8, 2016 at 6:48 AM, Pierre-Emmanuel André <pea@openbsd.org> wrote:

On Fri, Mar 18, 2016 at 06:30:35PM +1300, Thomas Munro wrote:

On Fri, Mar 18, 2016 at 12:49 PM, Marisa Emerson <mje@insec.sh> wrote:

On 18/03/16 03:57, Thomas Munro wrote:

You used one name in the docs and another in the code:

+    BSD Authentication on PostgreSQL uses the
<literal>auth-postgres</literal>
+    login type and authenticates with the <literal>postgres</literal>
login

+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);

Woops, fix attached.

Thanks!

I'm CCing Pierre-Emmanuel André, maintainer of the OpenBSD postgresql
port/package, just in case he has any feedback.

Pierre-Emmanuel, here's the full thread in case you missed it:
/messages/by-id/1521c2f9465.e357a543197915.6912077634413325318@insec.sh

Sorry for the late answer.
I've tested the patch on @amd64 with the latest PostgreSQL 9.6devel. I can't judge the diff
itself (it looks good but I'm not a PostgreSQL developer) but everything works fine.
It would be a nice feature to have on OpenBSD.

Opinion poll:

Should we commit this patch?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


#19David Steele
david@pgmasters.net
In reply to: Robert Haas (#18)
Re: Proposal: BSD Authentication support

On 4/8/16 11:20 AM, Robert Haas wrote:

On Fri, Apr 8, 2016 at 6:48 AM, Pierre-Emmanuel André <pea@openbsd.org> wrote:

On Fri, Mar 18, 2016 at 06:30:35PM +1300, Thomas Munro wrote:

On Fri, Mar 18, 2016 at 12:49 PM, Marisa Emerson <mje@insec.sh> wrote:

On 18/03/16 03:57, Thomas Munro wrote:

You used one name in the docs and another in the code:

+    BSD Authentication on PostgreSQL uses the
<literal>auth-postgres</literal>
+    login type and authenticates with the <literal>postgres</literal>
login

+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);

Woops, fix attached.

Thanks!

I'm CCing Pierre-Emmanuel André, maintainer of the OpenBSD postgresql
port/package, just in case he has any feedback.

Pierre-Emmanuel, here's the full thread in case you missed it:
/messages/by-id/1521c2f9465.e357a543197915.6912077634413325318@insec.sh

Sorry for the late answer.
I've tested the patch on @amd64 with the latest PostgreSQL 9.6devel. I can't judge the diff
itself (it looks good but I'm not a PostgreSQL developer) but everything works fine.
It would be a nice feature to have on OpenBSD.

Opinion poll:

Should we commit this patch?

To summarize:

Robert Haas and Peter Eisentraut have done code-only reviews. Thomas
Munro has reviewed and tested with a caveat that he is no BSD expert.
Pierre-Emmanuel tested but did not do a code review due to his
unfamiliarity with the Postgres code-base.

The patch does not seem invasive or likely to cause problems on non-BSD
systems. From my perspective this has gotten about as much review as it
can, so +1 from me at least.

--
-David
david@pgmasters.net

#20Tom Lane
tgl@sss.pgh.pa.us
In reply to: David Steele (#19)
Re: Proposal: BSD Authentication support

David Steele <david@pgmasters.net> writes:

On 4/8/16 11:20 AM, Robert Haas wrote:

Should we commit this patch?

To summarize:

Robert Haas and Peter Eisentraut have done code-only reviews. Thomas
Munro has reviewed and tested with a caveat that he is no BSD expert.
Pierre-Emmanuel tested but did not do a code review due to his
unfamiliarity with the Postgres code-base.

The patch does not seem invasive or likely to cause problems on non-BSD
systems. From my perspective this has gotten about as much review as it
can, so +1 from me at least.

Given our lack of BSD developers, there's probably not much more we can
do, but one more set of eyeballs on the patch wouldn't hurt. I'll take
it, unless somebody else wants to.

regards, tom lane


#21Tom Lane
tgl@sss.pgh.pa.us
In reply to: Marisa Emerson (#15)
Re: Proposal: BSD Authentication support

Marisa Emerson <mje@insec.sh> writes:

Woops, fix attached.

Pushed with minor adjustments.

regards, tom lane
