authorMagnus Hagander <magnus@hagander.net>2011-03-19 18:44:35 +0100
committerMagnus Hagander <magnus@hagander.net>2011-03-19 18:44:35 +0100
commit6f9192df61e183826211ad2eaf325c6de5cf3656 (patch)
tree98fc926f92e7073432cc813c1a69646be6301bb9 /src/backend/libpq/hba.c
parent4a0014806d909bbb490f568af0b8f1ede06149ed (diff)
Rename ident authentication over local connections to peer
This removes an overloading of two authentication options where one is very secure (peer) and one is often insecure (ident). Peer is also the name used in libpq from 9.1 to specify the same type of authentication. Also make initdb select peer for local connections when ident is chosen, and ident for TCP connections when peer is chosen. ident keyword in pg_hba.conf is still accepted and maps to peer authentication.
Diffstat (limited to 'src/backend/libpq/hba.c')
-rw-r--r--src/backend/libpq/hba.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 1b3a71431c9..2def6cea894 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1060,6 +1060,8 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
parsedline->auth_method = uaTrust;
else if (strcmp(token, "ident") == 0)
parsedline->auth_method = uaIdent;
+ else if (strcmp(token, "peer") == 0)
+ parsedline->auth_method = uaPeer;
else if (strcmp(token, "password") == 0)
parsedline->auth_method = uaPassword;
else if (strcmp(token, "krb5") == 0)
@@ -1137,6 +1139,14 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
return false;
}
+ /*
+ * XXX: When using ident on local connections, change it to peer, for
+ * backwards compatibility.
+ */
+ if (parsedline->conntype == ctLocal &&
+ parsedline->auth_method == uaIdent)
+ parsedline->auth_method = uaPeer;
+
/* Invalid authentication combinations */
if (parsedline->conntype == ctLocal &&
parsedline->auth_method == uaKrb5)
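Review bot: The remap under the `XXX` comment (`parsedline->auth_method = uaPeer;` for `ctLocal` plus `uaIdent`) is silent, and the comment does not say why the substitution is safe. Any later diagnostic for such a line will presumably name peer while the administrator's pg_hba.conf still says ident, which makes a rejected line or a failed login harder to trace back to the configuration. I would replace the comment with one that states the reason, e.g. `/* "ident" on a local socket has meant OS-reported peer credentials, not the ident protocol; map the legacy keyword to uaPeer */`. It is also worth considering a log entry that names the legacy keyword when it is seen. parse_hba_line starts and ends outside the hunk.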
@@ -1160,6 +1170,17 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
return false;
}
+ if (parsedline->conntype != ctLocal &&
+ parsedline->auth_method == uaPeer)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("peer authentication is only supported on local sockets"),
+ errcontext("line %d of configuration file \"%s\"",
+ line_num, HbaFileName)));
+ return false;
+ }
+
/*
* SSPI authentication can never be enabled on ctLocal connections,
* because it's only supported on Windows, where ctLocal isn't supported.
@@ -1203,11 +1224,12 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
if (strcmp(token, "map") == 0)
{
if (parsedline->auth_method != uaIdent &&
+ parsedline->auth_method != uaPeer &&
parsedline->auth_method != uaKrb5 &&
parsedline->auth_method != uaGSS &&
parsedline->auth_method != uaSSPI &&
parsedline->auth_method != uaCert)
- INVALID_AUTH_OPTION("map", gettext_noop("ident, krb5, gssapi, sspi and cert"));
+ INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi and cert"));
parsedline->usermap = pstrdup(c);
}
else if (strcmp(token, "clientcert") == 0)
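Review bot: The `parsedline->auth_method != uaPeer` test added to the `map` check is also what keeps a legacy `local ... ident map=...` line valid, but nothing here says so. The earlier hunk turns that line's method into uaPeer, and this option check appears to run later in the same function. A short comment above the condition, such as `/* uaPeer includes "ident" on local lines, remapped earlier in this function */`, would stop a later cleanup from dropping the test and silently breaking user-name maps on local connections. The method list in the `INVALID_AUTH_OPTION` message is maintained by hand next to the condition, so the two have to be changed together. The function's body continues outside the hunk.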