Re: Problem with ssl and psql in Postgresql 13
| От | Tom Lane |
|---|---|
| Тема | Re: Problem with ssl and psql in Postgresql 13 |
| Дата | |
| Msg-id | 1528843.1609108374@sss.pgh.pa.us обсуждение исходный текст |
| Ответ на | Re: Problem with ssl and psql in Postgresql 13 (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Problem with ssl and psql in Postgresql 13
|
| Список | pgsql-general |
Here's a more complete patchset.
0001 is the same libpq fixes I posted before.
0002 fixes a collection of random server-side issues, including:
* The GSS encryption code figured it could just ereport(ERROR) or
ereport(FATAL) for unrecoverable errors. This seems entirely unsafe,
because elog.c will try to send the error message to the client,
likely re-triggering the same error and leading to infinite recursion.
Even if that doesn't happen, we might have sent a partial packet
to the client meaning that protocol synchronization is lost. The
right thing to do is like what the SSL encryption code has long done:
log the error at COMMERROR level and then return errno = ECONNRESET
to shut things down.
* Fix sloppiness about whether pg_GSS_error()'s message parameter
is already translated or not. (BTW, I'm a bit inclined to remove
pg_GSS_error()'s elevel parameter altogether and hardwire it as
COMMERROR, thus removing a bug temptation and making it more like the
similarly-named frontend function. I didn't pull the trigger on that
here, though.)
* I really didn't like that we had the postmaster allocating the
port->gss struct (and committing hara-kiri if it could not).
Admittedly, the struct is not so large that an OOM failure is
likely, but it's just dumb to make the postmaster allocate a
struct it has zero use for. I moved that allocation to the code
that actually needs it, GSSAPI encryption or auth startup.
* That also allows fixing a bug I noticed earlier, that the
"connection authorized" log message fails to mention GSS if we are
only using GSS for encryption without invoking GSS auth. We can
use whether or not port->gss is non-null to figure out whether
the GSS clause of the message should appear. (This is related to,
but distinct from, the pg_hba.conf-related log message fixes
discussed upthread. I've not included those changes here, but
they're still on the table.)
* BackendStatusShmemSize failed to account for GSS-related space.
With large max_connections this could make a serious dent in our
shared-memory slop space.
* Various places knew more than they needed to about whether
port->gss->auth being set is equivalent to port->gss->princ being set.
* Remove long-dead call of secure_close() in postmaster's
ConnFree subroutine.
The 0003 patch removes the restriction I griped of earlier about
which auth methods can be used on a GSS-encrypted connection.
I made that a separate patch just in case it's controversial.
Finally, 0004 tries to improve the documentation in this area.
Some of that is reflective of 0003, but most of it is just
cleanup.
I propose to back-patch all of this as far as v12.
regards, tom lane
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 7d04d3664e..ec7c4c5e87 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -2909,11 +2909,16 @@ keep_going: /* We will come back to here until there is
#ifdef USE_SSL
/*
- * If SSL is enabled and we haven't already got it running,
- * request it instead of sending the startup message.
+ * If SSL is enabled and we haven't already got encryption of
+ * some sort running, request SSL instead of sending the
+ * startup message.
*/
if (conn->allow_ssl_try && !conn->wait_ssl_try &&
- !conn->ssl_in_use)
+ !conn->ssl_in_use
+#ifdef ENABLE_GSS
+ && !conn->gssenc
+#endif
+ )
{
ProtocolVersion pv;
@@ -3042,6 +3047,7 @@ keep_going: /* We will come back to here until there is
}
/* Otherwise, proceed with normal startup */
conn->allow_ssl_try = false;
+ /* We can proceed using this connection */
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;
}
@@ -3139,8 +3145,7 @@ keep_going: /* We will come back to here until there is
* don't hang up the socket, though.
*/
conn->try_gss = false;
- pqDropConnection(conn, true);
- conn->status = CONNECTION_NEEDED;
+ need_new_connection = true;
goto keep_going;
}
@@ -3158,6 +3163,7 @@ keep_going: /* We will come back to here until there is
}
conn->try_gss = false;
+ /* We can proceed using this connection */
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;
}
@@ -3186,8 +3192,7 @@ keep_going: /* We will come back to here until there is
* the current connection to do so, though.
*/
conn->try_gss = false;
- pqDropConnection(conn, true);
- conn->status = CONNECTION_NEEDED;
+ need_new_connection = true;
goto keep_going;
}
return pollres;
@@ -3354,10 +3359,9 @@ keep_going: /* We will come back to here until there is
*/
if (conn->gssenc && conn->gssencmode[0] == 'p')
{
- /* postmaster expects us to drop the connection */
+ /* only retry once */
conn->try_gss = false;
- pqDropConnection(conn, true);
- conn->status = CONNECTION_NEEDED;
+ need_new_connection = true;
goto keep_going;
}
#endif
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
index bfc0f55214..9416306eea 100644
--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -647,17 +647,14 @@ pqsecure_open_gss(PGconn *conn)
if (output.length == 0)
{
/*
- * We're done - hooray! Kind of gross, but we need to disable SSL
- * here so that we don't accidentally tunnel one over the other.
+ * We're done - hooray! Set flag to tell the low-level I/O routines
+ * to do GSS wrapping/unwrapping.
*/
-#ifdef USE_SSL
- conn->allow_ssl_try = false;
-#endif
+ conn->gssenc = true;
/* Clean up */
gss_release_cred(&minor, &conn->gcred);
conn->gcred = GSS_C_NO_CREDENTIAL;
- conn->gssenc = true;
gss_release_buffer(&minor, &output);
/*
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3d80930968..7f65310c14 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -383,7 +383,7 @@ ClientAuthentication(Port *port)
}
#ifdef ENABLE_GSS
- if (port->gss->enc && port->hba->auth_method != uaReject &&
+ if (port->gss && port->gss->enc && port->hba->auth_method != uaReject &&
port->hba->auth_method != uaImplicitReject &&
port->hba->auth_method != uaTrust &&
port->hba->auth_method != uaGSS)
@@ -533,7 +533,17 @@ ClientAuthentication(Port *port)
case uaGSS:
#ifdef ENABLE_GSS
+ /* We might or might not have the gss workspace already */
+ if (port->gss == NULL)
+ port->gss = (pg_gssinfo *)
+ MemoryContextAllocZero(TopMemoryContext,
+ sizeof(pg_gssinfo));
port->gss->auth = true;
+
+ /*
+ * If GSS state was set up while enabling encryption, we can just
+ * check the client's principal. Otherwise, ask for it.
+ */
if (port->gss->enc)
status = pg_GSS_checkauth(port);
else
@@ -548,6 +558,10 @@ ClientAuthentication(Port *port)
case uaSSPI:
#ifdef ENABLE_SSPI
+ if (port->gss == NULL)
+ port->gss = (pg_gssinfo *)
+ MemoryContextAllocZero(TopMemoryContext,
+ sizeof(pg_gssinfo));
sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
status = pg_SSPI_recvauth(port);
#else
@@ -1185,9 +1199,10 @@ pg_GSS_recvauth(Port *port)
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
{
gss_delete_sec_context(&lmin_s, &port->gss->ctx, GSS_C_NO_BUFFER);
- pg_GSS_error(ERROR,
+ pg_GSS_error(COMMERROR,
_("accepting GSS security context failed"),
maj_stat, min_stat);
+ return STATUS_ERROR;
}
if (maj_stat == GSS_S_CONTINUE_NEEDED)
@@ -1224,9 +1239,12 @@ pg_GSS_checkauth(Port *port)
*/
maj_stat = gss_display_name(&min_stat, port->gss->name, &gbuf, NULL);
if (maj_stat != GSS_S_COMPLETE)
- pg_GSS_error(ERROR,
+ {
+ pg_GSS_error(COMMERROR,
_("retrieving GSS user name failed"),
maj_stat, min_stat);
+ return STATUS_ERROR;
+ }
/*
* Copy the original name of the authenticated principal into our backend
diff --git a/src/backend/libpq/be-gssapi-common.c b/src/backend/libpq/be-gssapi-common.c
index ef9b8ebd6d..a7006a0ab7 100644
--- a/src/backend/libpq/be-gssapi-common.c
+++ b/src/backend/libpq/be-gssapi-common.c
@@ -42,14 +42,22 @@ pg_GSS_error_int(char *s, size_t len, OM_uint32 stat, int type)
while (msg_ctx && i < len);
if (msg_ctx || i == len)
- ereport(WARNING,
- (errmsg_internal("incomplete GSS error report")));
+ elog(COMMERROR, "incomplete GSS error report");
}
/*
- * Fetch and report all error messages from GSSAPI. To avoid allocation,
- * total error size is capped (at 128 bytes for each of major and minor). No
- * known mechanisms will produce error messages beyond this cap.
+ * Report the GSSAPI error described by maj_stat/min_stat.
+ *
+ * errmsg should be an already-translated primary error message.
+ * The GSSAPI info is appended as errdetail.
+ *
+ * Caution: although we allow the caller to specify the ereport severity,
+ * passing anything but COMMERROR is almost certainly wrong, as it'd lead
+ * to infinite recursion when elog.c tries to write to the client.
+ *
+ * To avoid memory allocation, total error size is capped (at 128 bytes for
+ * each of major and minor). No known mechanisms will produce error messages
+ * beyond this cap.
*/
void
pg_GSS_error(int severity, const char *errmsg,
diff --git a/src/backend/libpq/be-secure-gssapi.c b/src/backend/libpq/be-secure-gssapi.c
index 5a73302b7b..b70d74ca83 100644
--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -21,6 +21,7 @@
#include "libpq/pqformat.h"
#include "miscadmin.h"
#include "pgstat.h"
+#include "utils/memutils.h"
/*
@@ -81,10 +82,14 @@ static uint32 PqGSSMaxPktSize; /* Maximum size we can encrypt and fit the
* transport negotiation is complete).
*
* On success, returns the number of data bytes consumed (possibly less than
- * len). On failure, returns -1 with errno set appropriately. (For fatal
- * errors, we may just elog and exit, if errno wouldn't be sufficient to
- * describe the error.) For retryable errors, caller should call again
- * (passing the same data) once the socket is ready.
+ * len). On failure, returns -1 with errno set appropriately. For retryable
+ * errors, caller should call again (passing the same data) once the socket
+ * is ready.
+ *
+ * Dealing with fatal errors here is a bit tricky: we can't invoke elog(FATAL)
+ * since it would try to write to the client, probably resulting in infinite
+ * recursion. Instead, use elog(COMMERROR) to log extra info about the
+ * failure if necessary, and then return an errno indicating connection loss.
*/
ssize_t
be_gssapi_write(Port *port, void *ptr, size_t len)
@@ -108,8 +113,11 @@ be_gssapi_write(Port *port, void *ptr, size_t len)
* again, so if it offers a len less than that, something is wrong.
*/
if (len < PqGSSSendConsumed)
- elog(FATAL, "GSSAPI caller failed to retransmit all data needing to be retried");
-
+ {
+ elog(COMMERROR, "GSSAPI caller failed to retransmit all data needing to be retried");
+ errno = ECONNRESET;
+ return -1;
+ }
/* Discount whatever source data we already encrypted. */
bytes_to_encrypt = len - PqGSSSendConsumed;
bytes_encrypted = PqGSSSendConsumed;
@@ -192,17 +200,27 @@ be_gssapi_write(Port *port, void *ptr, size_t len)
major = gss_wrap(&minor, gctx, 1, GSS_C_QOP_DEFAULT,
&input, &conf_state, &output);
if (major != GSS_S_COMPLETE)
- pg_GSS_error(FATAL, gettext_noop("GSSAPI wrap error"), major, minor);
-
+ {
+ pg_GSS_error(COMMERROR, _("GSSAPI wrap error"), major, minor);
+ errno = ECONNRESET;
+ return -1;
+ }
if (conf_state == 0)
- ereport(FATAL,
+ {
+ ereport(COMMERROR,
(errmsg("outgoing GSSAPI message would not use confidentiality")));
-
+ errno = ECONNRESET;
+ return -1;
+ }
if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
- ereport(FATAL,
+ {
+ ereport(COMMERROR,
(errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
(size_t) output.length,
PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
+ errno = ECONNRESET;
+ return -1;
+ }
bytes_encrypted += input.length;
bytes_to_encrypt -= input.length;
@@ -234,9 +252,11 @@ be_gssapi_write(Port *port, void *ptr, size_t len)
* transport negotiation is complete).
*
* Returns the number of data bytes read, or on failure, returns -1
- * with errno set appropriately. (For fatal errors, we may just elog and
- * exit, if errno wouldn't be sufficient to describe the error.) For
- * retryable errors, caller should call again once the socket is ready.
+ * with errno set appropriately. For retryable errors, caller should call
+ * again once the socket is ready.
+ *
+ * We treat fatal errors the same as in be_gssapi_write(), even though the
+ * argument about infinite recursion doesn't apply here.
*/
ssize_t
be_gssapi_read(Port *port, void *ptr, size_t len)
@@ -326,10 +346,14 @@ be_gssapi_read(Port *port, void *ptr, size_t len)
input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer);
if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))
- ereport(FATAL,
+ {
+ ereport(COMMERROR,
(errmsg("oversize GSSAPI packet sent by the client (%zu > %zu)",
(size_t) input.length,
PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))));
+ errno = ECONNRESET;
+ return -1;
+ }
/*
* Read as much of the packet as we are able to on this call into
@@ -361,12 +385,18 @@ be_gssapi_read(Port *port, void *ptr, size_t len)
major = gss_unwrap(&minor, gctx, &input, &output, &conf_state, NULL);
if (major != GSS_S_COMPLETE)
- pg_GSS_error(FATAL, gettext_noop("GSSAPI unwrap error"),
- major, minor);
-
+ {
+ pg_GSS_error(COMMERROR, _("GSSAPI unwrap error"), major, minor);
+ errno = ECONNRESET;
+ return -1;
+ }
if (conf_state == 0)
- ereport(FATAL,
+ {
+ ereport(COMMERROR,
(errmsg("incoming GSSAPI message did not use confidentiality")));
+ errno = ECONNRESET;
+ return -1;
+ }
memcpy(PqGSSResultBuffer, output.value, output.length);
PqGSSResultLength = output.length;
@@ -468,6 +498,12 @@ secure_open_gssapi(Port *port)
OM_uint32 major,
minor;
+ /*
+ * Allocate subsidiary Port data for GSSAPI operations.
+ */
+ port->gss = (pg_gssinfo *)
+ MemoryContextAllocZero(TopMemoryContext, sizeof(pg_gssinfo));
+
/*
* Allocate buffers and initialize state variables. By malloc'ing the
* buffers at this point, we avoid wasting static data space in processes
@@ -521,10 +557,13 @@ secure_open_gssapi(Port *port)
* Verify on our side that the client doesn't do something funny.
*/
if (input.length > PQ_GSS_RECV_BUFFER_SIZE)
- ereport(FATAL,
+ {
+ ereport(COMMERROR,
(errmsg("oversize GSSAPI packet sent by the client (%zu > %d)",
(size_t) input.length,
PQ_GSS_RECV_BUFFER_SIZE)));
+ return -1;
+ }
/*
* Get the rest of the packet so we can pass it to GSSAPI to accept
@@ -544,7 +583,7 @@ secure_open_gssapi(Port *port)
NULL, NULL);
if (GSS_ERROR(major))
{
- pg_GSS_error(ERROR, gettext_noop("could not accept GSSAPI security context"),
+ pg_GSS_error(COMMERROR, _("could not accept GSSAPI security context"),
major, minor);
gss_release_buffer(&minor, &output);
return -1;
@@ -570,10 +609,14 @@ secure_open_gssapi(Port *port)
uint32 netlen = pg_hton32(output.length);
if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
- ereport(FATAL,
+ {
+ ereport(COMMERROR,
(errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
(size_t) output.length,
PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
+ gss_release_buffer(&minor, &output);
+ return -1;
+ }
memcpy(PqGSSSendBuffer, (char *) &netlen, sizeof(uint32));
PqGSSSendLength += sizeof(uint32);
@@ -634,8 +677,10 @@ secure_open_gssapi(Port *port)
&PqGSSMaxPktSize);
if (GSS_ERROR(major))
- pg_GSS_error(FATAL, gettext_noop("GSSAPI size check error"),
- major, minor);
+ {
+ pg_GSS_error(COMMERROR, _("GSSAPI size check error"), major, minor);
+ return -1;
+ }
port->gss->enc = true;
@@ -667,12 +712,13 @@ be_gssapi_get_enc(Port *port)
}
/*
- * Return the GSSAPI principal used for authentication on this connection.
+ * Return the GSSAPI principal used for authentication on this connection
+ * (NULL if we did not perform GSSAPI authentication).
*/
const char *
be_gssapi_get_princ(Port *port)
{
- if (!port || !port->gss->auth)
+ if (!port || !port->gss)
return NULL;
return port->gss->princ;
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 2ae507a902..59bc02e79c 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -160,7 +160,7 @@ retry:
else
#endif
#ifdef ENABLE_GSS
- if (port->gss->enc)
+ if (port->gss && port->gss->enc)
{
n = be_gssapi_read(port, ptr, len);
waitfor = WL_SOCKET_READABLE;
@@ -273,7 +273,7 @@ retry:
else
#endif
#ifdef ENABLE_GSS
- if (port->gss->enc)
+ if (port->gss && port->gss->enc)
{
n = be_gssapi_write(port, ptr, len);
waitfor = WL_SOCKET_WRITEABLE;
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 0cc4397769..41ca0791ea 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -2134,9 +2134,11 @@ check_hba(hbaPort *port)
/* Check GSSAPI state */
#ifdef ENABLE_GSS
- if (port->gss->enc && hba->conntype == ctHostNoGSS)
+ if (port->gss && port->gss->enc &&
+ hba->conntype == ctHostNoGSS)
continue;
- else if (!port->gss->enc && hba->conntype == ctHostGSS)
+ else if (!(port->gss && port->gss->enc) &&
+ hba->conntype == ctHostGSS)
continue;
#else
if (hba->conntype == ctHostGSS)
diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
index 0b511008fc..3ea7c6167e 100644
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -256,29 +256,26 @@ socket_close(int code, Datum arg)
/* Nothing to do in a standalone backend, where MyProcPort is NULL. */
if (MyProcPort != NULL)
{
-#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
#ifdef ENABLE_GSS
- OM_uint32 min_s;
-
/*
* Shutdown GSSAPI layer. This section does nothing when interrupting
* BackendInitialize(), because pg_GSS_recvauth() makes first use of
* "ctx" and "cred".
+ *
+ * Note that we don't bother to free MyProcPort->gss, since we're
+ * about to exit anyway.
*/
- if (MyProcPort->gss->ctx != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&min_s, &MyProcPort->gss->ctx, NULL);
+ if (MyProcPort->gss)
+ {
+ OM_uint32 min_s;
- if (MyProcPort->gss->cred != GSS_C_NO_CREDENTIAL)
- gss_release_cred(&min_s, &MyProcPort->gss->cred);
-#endif /* ENABLE_GSS */
+ if (MyProcPort->gss->ctx != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&min_s, &MyProcPort->gss->ctx, NULL);
- /*
- * GSS and SSPI share the port->gss struct. Since nowhere else does a
- * postmaster child free this, doing so is safe when interrupting
- * BackendInitialize().
- */
- free(MyProcPort->gss);
-#endif /* ENABLE_GSS || ENABLE_SSPI */
+ if (MyProcPort->gss->cred != GSS_C_NO_CREDENTIAL)
+ gss_release_cred(&min_s, &MyProcPort->gss->cred);
+ }
+#endif /* ENABLE_GSS */
/*
* Cleanly shut down SSL layer. Nowhere else does a postmaster child
diff --git a/src/backend/postmaster/pgstat.c b/src/backend/postmaster/pgstat.c
index 71f2b90ca8..7fba907479 100644
--- a/src/backend/postmaster/pgstat.c
+++ b/src/backend/postmaster/pgstat.c
@@ -2888,6 +2888,11 @@ BackendStatusShmemSize(void)
/* BackendSslStatusBuffer: */
size = add_size(size,
mul_size(sizeof(PgBackendSSLStatus), NumBackendStatSlots));
+#endif
+#ifdef ENABLE_GSS
+ /* BackendGssStatusBuffer: */
+ size = add_size(size,
+ mul_size(sizeof(PgBackendGSSStatus), NumBackendStatSlots));
#endif
return size;
}
@@ -3172,12 +3177,13 @@ pgstat_bestart(void)
#ifdef ENABLE_GSS
if (MyProcPort && MyProcPort->gss != NULL)
{
+ const char *princ = be_gssapi_get_princ(MyProcPort);
+
lbeentry.st_gss = true;
lgssstatus.gss_auth = be_gssapi_get_auth(MyProcPort);
lgssstatus.gss_enc = be_gssapi_get_enc(MyProcPort);
-
- if (lgssstatus.gss_auth)
- strlcpy(lgssstatus.gss_princ, be_gssapi_get_princ(MyProcPort), NAMEDATALEN);
+ if (princ)
+ strlcpy(lgssstatus.gss_princ, princ, NAMEDATALEN);
}
else
{
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index bf883184b1..0bb85a18f6 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -2063,6 +2063,7 @@ retry1:
else if (proto == NEGOTIATE_GSS_CODE && !gss_done)
{
char GSSok = 'N';
+
#ifdef ENABLE_GSS
/* No GSSAPI encryption when on Unix socket */
if (!IS_AF_UNIX(port->laddr.addr.ss_family))
@@ -2531,37 +2532,19 @@ ConnCreate(int serverFd)
return NULL;
}
- /*
- * Allocate GSSAPI specific state struct
- */
-#ifndef EXEC_BACKEND
-#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
- port->gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
- if (!port->gss)
- {
- ereport(LOG,
- (errcode(ERRCODE_OUT_OF_MEMORY),
- errmsg("out of memory")));
- ExitPostmaster(1);
- }
-#endif
-#endif
-
return port;
}
/*
* ConnFree -- free a local connection data structure
+ *
+ * Caller has already closed the socket if any, so there's not much
+ * to do here.
*/
static void
ConnFree(Port *conn)
{
-#ifdef USE_SSL
- secure_close(conn);
-#endif
- if (conn->gss)
- free(conn->gss);
free(conn);
}
@@ -4917,18 +4900,6 @@ SubPostmasterMain(int argc, char *argv[])
/* Setup as postmaster child */
InitPostmasterChild();
- /*
- * Set up memory area for GSS information. Mirrors the code in ConnCreate
- * for the non-exec case.
- */
-#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
- port.gss = (pg_gssinfo *) calloc(1, sizeof(pg_gssinfo));
- if (!port.gss)
- ereport(FATAL,
- (errcode(ERRCODE_OUT_OF_MEMORY),
- errmsg("out of memory")));
-#endif
-
/*
* If appropriate, physically re-attach to shared memory segment. We want
* to do this before going any further to ensure that we can attach at the
diff --git a/src/backend/utils/init/postinit.c b/src/backend/utils/init/postinit.c
index 82d451569d..9723e457ce 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -270,11 +270,22 @@ PerformAuthentication(Port *port)
be_tls_get_compression(port) ? _("on") : _("off"));
#endif
#ifdef ENABLE_GSS
- if (be_gssapi_get_princ(port))
- appendStringInfo(&logmsg, _(" GSS (authenticated=%s, encrypted=%s, principal=%s)"),
- be_gssapi_get_auth(port) ? _("yes") : _("no"),
- be_gssapi_get_enc(port) ? _("yes") : _("no"),
- be_gssapi_get_princ(port));
+ if (port->gss)
+ {
+ const char *princ = be_gssapi_get_princ(port);
+
+ if (princ)
+ appendStringInfo(&logmsg,
+ _(" GSS (authenticated=%s, encrypted=%s, principal=%s)"),
+ be_gssapi_get_auth(port) ? _("yes") : _("no"),
+ be_gssapi_get_enc(port) ? _("yes") : _("no"),
+ princ);
+ else
+ appendStringInfo(&logmsg,
+ _(" GSS (authenticated=%s, encrypted=%s)"),
+ be_gssapi_get_auth(port) ? _("yes") : _("no"),
+ be_gssapi_get_enc(port) ? _("yes") : _("no"));
+ }
#endif
ereport(LOG, errmsg_internal("%s", logmsg.data));
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 0a23281ad5..fa778e1192 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -176,8 +176,9 @@ typedef struct Port
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
/*
- * If GSSAPI is supported, store GSSAPI information. Otherwise, store a
- * NULL pointer to make sure offsets in the struct remain the same.
+ * If GSSAPI is supported and used on this connection, store GSSAPI
+ * information. Even when GSSAPI is not compiled in, store a NULL pointer
+ * to keep struct offsets the same (for extension ABI compatibility).
*/
pg_gssinfo *gss;
#else
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7f65310c14..aad7f982bf 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -382,17 +382,6 @@ ClientAuthentication(Port *port)
errmsg("connection requires a valid client certificate")));
}
-#ifdef ENABLE_GSS
- if (port->gss && port->gss->enc && port->hba->auth_method != uaReject &&
- port->hba->auth_method != uaImplicitReject &&
- port->hba->auth_method != uaTrust &&
- port->hba->auth_method != uaGSS)
- {
- ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
- errmsg("GSSAPI encryption can only be used with gss, trust, or reject authentication
methods")));
- }
-#endif
-
/*
* Now proceed to do the actual authentication check
*/
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 41ca0791ea..99319b273a 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1447,19 +1447,6 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
*err_msg = "gssapi authentication is not supported on local sockets";
return NULL;
}
- if (parsedline->conntype == ctHostGSS &&
- parsedline->auth_method != uaGSS &&
- parsedline->auth_method != uaReject &&
- parsedline->auth_method != uaTrust)
- {
- ereport(elevel,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("GSSAPI encryption only supports gss, trust, or reject authentication"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, HbaFileName)));
- *err_msg = "GSSAPI encryption only supports gss, trust, or reject authentication";
- return NULL;
- }
if (parsedline->conntype != ctLocal &&
parsedline->auth_method == uaPeer)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index a0a9ac9eed..9a5c9318ce 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -198,14 +198,6 @@ hostnogssenc <replaceable>database</replaceable> <replaceable>user</replaceabl
the <literal>hostgssenc</literal> record is ignored except for logging
a warning that it cannot match any connections.
</para>
-
- <para>
- Note that the only supported
- <link linkend="auth-methods">authentication methods</link> for use
- with <acronym>GSSAPI</acronym> encryption
- are <literal>gss</literal>, <literal>reject</literal>,
- and <literal>trust</literal>.
- </para>
</listitem>
</varlistentry>
@@ -1201,14 +1193,13 @@ omicron bryanh guest1
<productname>GSSAPI</productname> is an industry-standard protocol
for secure authentication defined in
<ulink url="https://tools.ietf.org/html/rfc2743">RFC 2743</ulink>.
-
<productname>PostgreSQL</productname>
- supports <productname>GSSAPI</productname> for use as either an encrypted,
- authenticated layer, or for authentication only.
+ supports <productname>GSSAPI</productname> for authentication,
+ communications encryption, or both.
<productname>GSSAPI</productname> provides automatic authentication
(single sign-on) for systems that support it. The authentication itself is
secure. If <productname>GSSAPI</productname> encryption
- (see <literal>hostgssenc</literal>) or <acronym>SSL</acronym> encryption are
+ or <acronym>SSL</acronym> encryption is
used, the data sent along the database connection will be encrypted;
otherwise, it will not.
</para>
@@ -1220,37 +1211,46 @@ omicron bryanh guest1
<para>
When <productname>GSSAPI</productname> uses
- <productname>Kerberos</productname>, it uses a standard principal
- in the format
+ <productname>Kerberos</productname>, it uses a standard service
+ principal (authentication identity) name in the format
<literal><replaceable>servicename</replaceable>/<replaceable>hostname</replaceable>@<replaceable>realm</replaceable></literal>.
- The PostgreSQL server will accept any principal that is included in the keytab used by
- the server, but care needs to be taken to specify the correct principal details when
- making the connection from the client using the <literal>krbsrvname</literal> connection parameter. (See
- also <xref linkend="libpq-paramkeywords"/>.) The installation default can be
- changed from the default <literal>postgres</literal> at build time using
- <literal>./configure --with-krb-srvnam=</literal><replaceable>whatever</replaceable>.
- In most environments,
- this parameter never needs to be changed.
- Some Kerberos implementations might require a different service name,
- such as Microsoft Active Directory which requires the service name
- to be in upper case (<literal>POSTGRES</literal>).
- </para>
- <para>
- <replaceable>hostname</replaceable> is the fully qualified host name of the
- server machine. The service principal's realm is the preferred realm
- of the server machine.
- </para>
-
- <para>
- Client principals can be mapped to different <productname>PostgreSQL</productname>
- database user names with <filename>pg_ident.conf</filename>. For example,
+ The principal name used by a particular installation is not encoded in
+ the <productname>PostgreSQL</productname> server in any way; rather it
+ is specified in the <firstterm>keytab</firstterm> file that the server
+ reads to determine its identity. If multiple principals are listed in
+ the keytab file, the server will accept any one of them.
+ The server's realm name is the preferred realm specified in the Kerberos
+ configuration file(s) accessible to the server.
+ </para>
+
+ <para>
+ When connecting, the client must know the principal name of the server
+ it intends to connect to. The <replaceable>servicename</replaceable>
+ part of the principal is ordinarily <literal>postgres</literal>,
+ but another value can be selected via <application>libpq</application>'s
+ <xref linkend="libpq-connect-krbsrvname"/> connection parameter.
+ The <replaceable>hostname</replaceable> part is the fully qualified
+ host name that <application>libpq</application> is told to connect to.
+ The realm name is the preferred realm specified in the Kerberos
+ configuration file(s) accessible to the client.
+ </para>
+
+ <para>
+ The client will also have a principal name for its own identity
+ (and it must have a valid ticket for this principal). To
+ use <productname>GSSAPI</productname> for authentication, the client
+ principal must be associated with
+ a <productname>PostgreSQL</productname> database user name.
+ The <filename>pg_ident.conf</filename> configuration file can be used
+ to map principals to user names; for example,
<literal>pgusername@realm</literal> could be mapped to just <literal>pgusername</literal>.
Alternatively, you can use the full <literal>username@realm</literal> principal as
the role name in <productname>PostgreSQL</productname> without any mapping.
</para>
<para>
- <productname>PostgreSQL</productname> also supports a parameter to strip the realm from
+ <productname>PostgreSQL</productname> also supports mapping
+ client principals to user names by just stripping the realm from
the principal. This method is supported for backwards compatibility and is
strongly discouraged as it is then impossible to distinguish different users
with the same user name but coming from different realms. To enable this,
@@ -1264,39 +1264,34 @@ omicron bryanh guest1
</para>
<para>
- Make sure that your server keytab file is readable (and preferably
- only readable, not writable) by the <productname>PostgreSQL</productname>
- server account. (See also <xref linkend="postgres-user"/>.) The location
- of the key file is specified by the <xref
+ The location of the server's keytab file is specified by the <xref
linkend="guc-krb-server-keyfile"/> configuration
parameter. The default is
- <filename>/usr/local/pgsql/etc/krb5.keytab</filename> (or whatever
- directory was specified as <varname>sysconfdir</varname> at build time).
+ <filename>FILE:/usr/local/pgsql/etc/krb5.keytab</filename>
+ (where the directory part is whatever was specified
+ as <varname>sysconfdir</varname> at build time).
For security reasons, it is recommended to use a separate keytab
just for the <productname>PostgreSQL</productname> server rather
- than opening up permissions on the system keytab file.
+ than allowing the server to read the system keytab file.
+ Make sure that your server keytab file is readable (and preferably
+ only readable, not writable) by the <productname>PostgreSQL</productname>
+ server account. (See also <xref linkend="postgres-user"/>.)
</para>
+
<para>
- The keytab file is generated by the Kerberos software; see the
- Kerberos documentation for details. The following example is
- for MIT-compatible Kerberos 5 implementations:
+ The keytab file is generated using the Kerberos software; see the
+ Kerberos documentation for details. The following example shows
+ doing this using the <application>kadmin</application> tool of
+ MIT-compatible Kerberos 5 implementations:
<screen>
-<prompt>kadmin% </prompt><userinput>ank -randkey postgres/server.my.domain.org</userinput>
+<prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
<prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>
</screen>
</para>
<para>
- When connecting to the database make sure you have a ticket for a
- principal matching the requested database user name. For example, for
- database user name <literal>fred</literal>, principal
- <literal>fred@EXAMPLE.COM</literal> would be able to connect. To also allow
- principal <literal>fred/users.example.com@EXAMPLE.COM</literal>, use a user name
- map, as described in <xref linkend="auth-username-maps"/>.
- </para>
-
- <para>
- The following configuration options are supported for <productname>GSSAPI</productname>:
+ The following authentication options are supported for
+ the <productname>GSSAPI</productname> authentication method:
<variablelist>
<varlistentry>
<term><literal>include_realm</literal></term>
@@ -1319,7 +1314,7 @@ omicron bryanh guest1
<term><literal>map</literal></term>
<listitem>
<para>
- Allows for mapping between system and database user names. See
+ Allows mapping from client principals to database user names. See
<xref linkend="auth-username-maps"/> for details. For a GSSAPI/Kerberos
principal, such as <literal>username@EXAMPLE.COM</literal> (or, less
commonly, <literal>username/hostbased@EXAMPLE.COM</literal>), the
@@ -1346,6 +1341,15 @@ omicron bryanh guest1
</varlistentry>
</variablelist>
</para>
+
+ <para>
+ In addition to these settings, which can be different for
+ different <filename>pg_hba.conf</filename> entries, there is the
+ server-wide <xref linkend="guc-krb-caseins-users"/> configuration
+ parameter. If that is set to true, client principals are matched to
+ user map entries case-insensitively. <literal>krb_realm</literal>, if
+ set, is also matched case-insensitively.
+ </para>
</sect1>
<sect1 id="sspi-auth">
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 67c5d4c36b..a5db58d468 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1581,6 +1581,16 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
connection.<indexterm><primary>SSL</primary><secondary
sortas="libpq">with libpq</secondary></indexterm>
</para>
+
+ <para>
+ Note that if <acronym>GSSAPI</acronym> encryption is possible,
+ that will be used in preference to <acronym>SSL</acronym>
+ encryption, regardless of the value of <literal>sslmode</literal>.
+ To force use of <acronym>SSL</acronym> encryption in an
+ environment that has working <acronym>GSSAPI</acronym>
+ infrastructure (such as a Kerberos server), also
+ set <literal>gssencmode</literal> to <literal>disable</literal>.
+ </para>
</listitem>
</varlistentry>
@@ -1784,6 +1794,15 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
This must match the service name specified in the server
configuration for Kerberos authentication to succeed. (See also
<xref linkend="gssapi-auth"/>.)
+ The default value is normally <literal>postgres</literal>,
+ but that can be changed when
+ building <productname>PostgreSQL</productname> via
+ the <option>--with-krb-srvnam</option> option
+ of <application>configure</application>.
+ In most environments, this parameter never needs to be changed.
+ Some Kerberos implementations might require a different service name,
+ such as Microsoft Active Directory which requires the service name
+ to be in upper case (<literal>POSTGRES</literal>).
</para>
</listitem>
</varlistentry>
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 4899bacda7..98b42bb269 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1454,6 +1454,10 @@ SELCT 1/0;<!-- this typo is intentional -->
<acronym>SSL</acronym>-encrypted. To continue after
<literal>N</literal>, send the usual StartupMessage and proceed without
encryption.
+ (Alternatively, it is permissible to issue a GSSENCRequest message
+ after an <literal>N</literal> response to try to
+ use <acronym>GSSAPI</acronym> encryption instead
+ of <acronym>SSL</acronym>.)
</para>
<para>
@@ -1509,20 +1513,14 @@ SELCT 1/0;<!-- this typo is intentional -->
result from the server, until it returns no output. When sending the
results of <function>gss_init_sec_context()</function> to the server,
prepend the length of the message as a four byte integer in network byte
- order. If this is successful, then use <function>gss_wrap()</function> to
- encrypt the usual StartupMessage and all subsequent data, prepending the
- length of the result from <function>gss_wrap()</function> as a four byte
- integer in network byte order to the actual encrypted payload. Note that
- the server will only accept encrypted packets from the client which are less
- than 16kB; <function>gss_wrap_size_limit()</function> should be used by the
- client to determine the size of the unencrypted message which will fit
- within this limit and larger messages should be broken up into multiple
- <function>gss_wrap()</function> calls. Typical segments are 8kB of
- unencrypted data, resulting in encrypted packets of slightly larger than 8kB
- but well within the 16kB maximum. The server can be expected to not send
- encrypted packets of larger than 16kB to the client. To continue after
+ order.
+ To continue after
<literal>N</literal>, send the usual StartupMessage and proceed without
encryption.
+ (Alternatively, it is permissible to issue an SSLRequest message
+ after an <literal>N</literal> response to try to
+ use <acronym>SSL</acronym> encryption instead
+ of <acronym>GSSAPI</acronym>.)
</para>
<para>
@@ -1532,9 +1530,7 @@ SELCT 1/0;<!-- this typo is intentional -->
support to <productname>PostgreSQL</productname>. In this case the
connection must be closed, but the frontend might choose to open a fresh
connection and proceed without requesting <acronym>GSSAPI</acronym>
- encryption. Given the length limits specified above, the ErrorMessage can
- not be confused with a proper response from the server with an appropriate
- length.
+ encryption.
</para>
<para>
@@ -1542,6 +1538,22 @@ SELCT 1/0;<!-- this typo is intentional -->
opened to send a CancelRequest message.
</para>
+ <para>
+ Once <acronym>GSSAPI</acronym> encryption has been successfully
+ established, use <function>gss_wrap()</function> to
+ encrypt the usual StartupMessage and all subsequent data, prepending the
+ length of the result from <function>gss_wrap()</function> as a four byte
+ integer in network byte order to the actual encrypted payload. Note that
+ the server will only accept encrypted packets from the client which are less
+ than 16kB; <function>gss_wrap_size_limit()</function> should be used by the
+ client to determine the size of the unencrypted message which will fit
+ within this limit and larger messages should be broken up into multiple
+ <function>gss_wrap()</function> calls. Typical segments are 8kB of
+ unencrypted data, resulting in encrypted packets of slightly larger than 8kB
+ but well within the 16kB maximum. The server can be expected to not send
+ encrypted packets of larger than 16kB to the client.
+ </para>
+
<para>
While the protocol itself does not provide a way for the server to
force <acronym>GSSAPI</acronym> encryption, the administrator can
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 17e938148c..283352d3a4 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2563,7 +2563,7 @@ openssl x509 -req -in server.csr -text -days 365 \
<productname>PostgreSQL</productname> also has native support for
using <acronym>GSSAPI</acronym> to encrypt client/server communications for
increased security. Support requires that a <acronym>GSSAPI</acronym>
- implementation (such as MIT krb5) is installed on both client and server
+ implementation (such as MIT Kerberos) is installed on both client and server
systems, and that support in <productname>PostgreSQL</productname> is
enabled at build time (see <xref linkend="installation"/>).
</para>
@@ -2582,6 +2582,16 @@ openssl x509 -req -in server.csr -text -days 365 \
some or all connections.
</para>
+ <para>
+ When using <acronym>GSSAPI</acronym> for encryption, it is common to
+ use <acronym>GSSAPI</acronym> for authentication as well, since the
+ underlying mechanism will determine both client and server identities
+ (according to the <acronym>GSSAPI</acronym> implementation) in any
+ case. But this is not required;
+ another <productname>PostgreSQL</productname> authentication method
+ can be chosen to perform additional verification.
+ </para>
+
<para>
Other than configuration of the negotiation
behavior, <acronym>GSSAPI</acronym> encryption requires no setup beyond
В списке pgsql-general по дате отправления: