diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2016-04-08 13:51:54 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2016-04-08 13:52:06 -0400 |
| commit | 34c33a1f00259ce5e3e1d1b4a784037adfca6057 (patch) | |
| tree | 9d628647f542d8505e593bff45caecde5dd95210 /src/backend/libpq/auth.c | |
| parent | af025eed536d3842d085ed9e4f9107eb976575cc (diff) | |
Add BSD authentication method.
Create a "bsd" auth method that works the same as "password" so far as
clients are concerned, but calls the BSD Authentication service to
check the password. This is currently only available on OpenBSD.
Marisa Emerson, reviewed by Thomas Munro
Diffstat (limited to 'src/backend/libpq/auth.c')
| -rw-r--r-- | src/backend/libpq/auth.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 630762cc6b9..dbba712352f 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -89,6 +89,17 @@ static Port *pam_port_cludge; /* Workaround for passing "Port *port" into /*---------------------------------------------------------------- + * BSD authentication + *---------------------------------------------------------------- + */ +#ifdef USE_BSD_AUTH +#include <bsd_auth.h> + +static int CheckBSDAuth(Port *port, char *user); +#endif /* USE_BSD_AUTH */ + + +/*---------------------------------------------------------------- * LDAP authentication *---------------------------------------------------------------- */ @@ -258,6 +269,9 @@ auth_failed(Port *port, int status, char *logdetail) case uaPAM: errstr = gettext_noop("PAM authentication failed for user \"%s\""); break; + case uaBSD: + errstr = gettext_noop("BSD authentication failed for user \"%s\""); + break; case uaLDAP: errstr = gettext_noop("LDAP authentication failed for user \"%s\""); break; @@ -529,6 +543,14 @@ ClientAuthentication(Port *port) #endif /* USE_PAM */ break; + case uaBSD: +#ifdef USE_BSD_AUTH + status = CheckBSDAuth(port, port->user_name); +#else + Assert(false); +#endif /* USE_BSD_AUTH */ + break; + case uaLDAP: #ifdef USE_LDAP status = CheckLDAPAuth(port); @@ -1856,6 +1878,38 @@ CheckPAMAuth(Port *port, char *user, char *password) #endif /* USE_PAM */ +/*---------------------------------------------------------------- + * BSD authentication system + *---------------------------------------------------------------- + */ +#ifdef USE_BSD_AUTH +static int +CheckBSDAuth(Port *port, char *user) +{ + char *passwd; + int retval; + + /* Send regular password request to client, and get the response */ + sendAuthRequest(port, AUTH_REQ_PASSWORD); + + passwd = recv_password_packet(port); + if (passwd == NULL) + return STATUS_EOF; + + /* + * Ask the BSD auth system to verify password. Note that auth_userokay + * will overwrite the password string with zeroes, but it's just a + * temporary string so we don't care. + */ + retval = auth_userokay(user, NULL, "auth-postgresql", passwd); + + if (!retval) + return STATUS_ERROR; + + return STATUS_OK; +} +#endif /* USE_BSD_AUTH */ + /*---------------------------------------------------------------- * LDAP authentication system |