diff --git a/configure b/configure index 8760643a75..e1ff704ca5 100755 --- a/configure +++ b/configure @@ -817,7 +817,6 @@ with_tclconfig with_perl with_python with_gssapi -with_krb5 with_krb_srvnam with_pam with_ldap @@ -1502,8 +1501,7 @@ Optional Packages: --with-perl build Perl modules (PL/Perl) --with-python build Python modules (PL/Python) --with-gssapi build with GSSAPI support - --with-krb5 build with Kerberos 5 support - --with-krb-srvnam=NAME default service principal name in Kerberos + --with-krb-srvnam=NAME default service principal name in Kerberos (GSSAPI) [postgres] --with-pam build with PAM support --with-ldap build with LDAP support @@ -5336,43 +5334,6 @@ fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_gssapi" >&5 $as_echo "$with_gssapi" >&6; } -# -# Kerberos 5 -# -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build with Kerberos 5 support" >&5 -$as_echo_n "checking whether to build with Kerberos 5 support... " >&6; } - - - -# Check whether --with-krb5 was given. -if test "${with_krb5+set}" = set; then : - withval=$with_krb5; - case $withval in - yes) - - -$as_echo "#define KRB5 1" >>confdefs.h - - krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab" - - ;; - no) - : - ;; - *) - as_fn_error $? "no argument expected for --with-krb5 option" "$LINENO" 5 - ;; - esac - -else - with_krb5=no - -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_krb5" >&5 -$as_echo "$with_krb5" >&6; } - 
@@ -8395,186 +8356,6 @@ fi fi fi -if test "$with_krb5" = yes ; then - if test "$PORTNAME" != "win32"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing com_err" >&5 -$as_echo_n "checking for library containing com_err... " >&6; } -if ${ac_cv_search_com_err+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char com_err (); -int -main () -{ -return com_err (); - ; - return 0; -} -_ACEOF -for ac_lib in '' krb5 'krb5 -lcrypto -ldes -lasn1 -lroken' com_err 'com_err -lssl -lcrypto'; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_com_err=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_com_err+:} false; then : - break -fi -done -if ${ac_cv_search_com_err+:} false; then : - -else - ac_cv_search_com_err=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_com_err" >&5 -$as_echo "$ac_cv_search_com_err" >&6; } -ac_res=$ac_cv_search_com_err -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -else - as_fn_error $? "could not find function 'com_err' required for Kerberos 5" "$LINENO" 5 -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing krb5_sendauth" >&5 -$as_echo_n "checking for library containing krb5_sendauth... 
" >&6; } -if ${ac_cv_search_krb5_sendauth+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char krb5_sendauth (); -int -main () -{ -return krb5_sendauth (); - ; - return 0; -} -_ACEOF -for ac_lib in '' krb5 'krb5 -lcrypto -ldes -lasn1 -lroken'; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_krb5_sendauth=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_krb5_sendauth+:} false; then : - break -fi -done -if ${ac_cv_search_krb5_sendauth+:} false; then : - -else - ac_cv_search_krb5_sendauth=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_krb5_sendauth" >&5 -$as_echo "$ac_cv_search_krb5_sendauth" >&6; } -ac_res=$ac_cv_search_krb5_sendauth -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -else - as_fn_error $? "could not find function 'krb5_sendauth' required for Kerberos 5" "$LINENO" 5 -fi - - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing com_err" >&5 -$as_echo_n "checking for library containing com_err... " >&6; } -if ${ac_cv_search_com_err+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. 
*/ -#ifdef __cplusplus -extern "C" -#endif -char com_err (); -int -main () -{ -return com_err (); - ; - return 0; -} -_ACEOF -for ac_lib in '' 'comerr32 -lkrb5_32'; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_com_err=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_com_err+:} false; then : - break -fi -done -if ${ac_cv_search_com_err+:} false; then : - -else - ac_cv_search_com_err=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_com_err" >&5 -$as_echo "$ac_cv_search_com_err" >&6; } -ac_res=$ac_cv_search_com_err -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -else - as_fn_error $? "could not find function 'com_err' required for Kerberos 5" "$LINENO" 5 -fi - - fi -fi - if test "$with_openssl" = yes ; then if test "$PORTNAME" != "win32"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO_new_ex_data in -lcrypto" >&5 @@ -9494,17 +9275,6 @@ fi done -fi - -if test "$with_krb5" = yes ; then - ac_fn_c_check_header_mongrel "$LINENO" "krb5.h" "ac_cv_header_krb5_h" "$ac_includes_default" -if test "x$ac_cv_header_krb5_h" = xyes; then : - -else - as_fn_error $? "header file is required for Kerberos 5" "$LINENO" 5 -fi - - fi if test "$with_openssl" = yes ; then 
@@ -10772,88 +10542,6 @@ fi fi -if test "$with_krb5" = yes; then -# Check for differences between MIT and Heimdal (KTH) releases - ac_fn_c_check_member "$LINENO" "krb5_ticket" "enc_part2" "ac_cv_member_krb5_ticket_enc_part2" "#include -" -if test "x$ac_cv_member_krb5_ticket_enc_part2" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_KRB5_TICKET_ENC_PART2 1 -_ACEOF - - -else - ac_fn_c_check_member "$LINENO" "krb5_ticket" "client" "ac_cv_member_krb5_ticket_client" "#include -" -if test "x$ac_cv_member_krb5_ticket_client" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_KRB5_TICKET_CLIENT 1 -_ACEOF - - -else - as_fn_error $? "could not determine how to get client name from Kerberos 5 ticket" "$LINENO" 5 -fi - -fi - - ac_fn_c_check_member "$LINENO" "krb5_error" "text.data" "ac_cv_member_krb5_error_text_data" "#include -" -if test "x$ac_cv_member_krb5_error_text_data" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_KRB5_ERROR_TEXT_DATA 1 -_ACEOF - - -else - ac_fn_c_check_member "$LINENO" "krb5_error" "e_data" "ac_cv_member_krb5_error_e_data" "#include -" -if test "x$ac_cv_member_krb5_error_e_data" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_KRB5_ERROR_E_DATA 1 -_ACEOF - - -else - as_fn_error $? "could not determine how to extract Kerberos 5 error messages" "$LINENO" 5 -fi - -fi - - -# Win32 requires headers to be loaded for __stdcall, so can't use -# AC_CHECK_FUNCS here. - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for krb5_free_unparsed_name" >&5 -$as_echo_n "checking for krb5_free_unparsed_name... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ -#include -int -main () -{ -krb5_free_unparsed_name(NULL,NULL); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - -$as_echo "#define HAVE_KRB5_FREE_UNPARSED_NAME 1" >>confdefs.h - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi - # On PPC, check if assembler supports LWARX instruction's mutex hint bit case $host_cpu in ppc*|powerpc*) diff --git a/configure.in b/configure.in index 63c8d425eb..3826237410 100644 --- a/configure.in +++ b/configure.in @@ -608,17 +608,6 @@ PGAC_ARG_BOOL(with, gssapi, no, [build with GSSAPI support], ]) AC_MSG_RESULT([$with_gssapi]) -# -# Kerberos 5 -# -AC_MSG_CHECKING([whether to build with Kerberos 5 support]) -PGAC_ARG_BOOL(with, krb5, no, [build with Kerberos 5 support], -[ - AC_DEFINE(KRB5, 1, [Define to build with Kerberos 5 support. (--with-krb5)]) - krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab" -]) -AC_MSG_RESULT([$with_krb5]) - AC_SUBST(krb_srvtab) @@ -627,11 +616,11 @@ AC_SUBST(krb_srvtab) # Kerberos configuration parameters # PGAC_ARG_REQ(with, krb-srvnam, - [NAME], [default service principal name in Kerberos [postgres]], + [NAME], [default service principal name in Kerberos (GSSAPI) [postgres]], [], [with_krb_srvnam="postgres"]) AC_DEFINE_UNQUOTED([PG_KRB_SRVNAM], ["$with_krb_srvnam"], - [Define to the name of the default PostgreSQL service principal in Kerberos. (--with-krb-srvnam=NAME)]) + [Define to the name of the default PostgreSQL service principal in Kerberos (GSSAPI). (--with-krb-srvnam=NAME)]) # 
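Review bot: `AC_SUBST(krb_srvtab)` survives as context in the first configure.in hunk, but the only assignment to `krb_srvtab` visible on this page (`krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab"` inside the removed `--with-krb5` branch) is deleted with it. If the `--with-gssapi` branch just above, whose body lies outside the hunk, does not set the same variable, the substituted default keytab path is now empty; either confirm it does or move the assignment into the GSSAPI branch in this commit. Separately, dropping `AC_DEFINE(KRB5, ...)` turns any `#ifdef KRB5` block that remains elsewhere in the tree into silently unreachable code rather than a build error, so a grep for the symbol outside the files in this diff (the libpq client side in particular, which this diff does not touch) is cheap insurance against leaving dead authentication code behind.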
@@ -929,18 +918,6 @@ if test "$with_gssapi" = yes ; then fi fi -if test "$with_krb5" = yes ; then - if test "$PORTNAME" != "win32"; then - AC_SEARCH_LIBS(com_err, [krb5 'krb5 -lcrypto -ldes -lasn1 -lroken' com_err 'com_err -lssl -lcrypto'], [], - [AC_MSG_ERROR([could not find function 'com_err' required for Kerberos 5])]) - AC_SEARCH_LIBS(krb5_sendauth, [krb5 'krb5 -lcrypto -ldes -lasn1 -lroken'], [], - [AC_MSG_ERROR([could not find function 'krb5_sendauth' required for Kerberos 5])]) - else - AC_SEARCH_LIBS(com_err, 'comerr32 -lkrb5_32', [], - [AC_MSG_ERROR([could not find function 'com_err' required for Kerberos 5])]) - fi -fi - if test "$with_openssl" = yes ; then dnl Order matters! if test "$PORTNAME" != "win32"; then @@ -1061,10 +1038,6 @@ if test "$with_gssapi" = yes ; then [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])]) fi -if test "$with_krb5" = yes ; then - AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file is required for Kerberos 5])]) -fi - if test "$with_openssl" = yes ; then AC_CHECK_HEADER(openssl/ssl.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) 
@@ -1160,29 +1133,6 @@ Use --without-zlib to disable zlib support.])], [#include ]) fi -if test "$with_krb5" = yes; then -# Check for differences between MIT and Heimdal (KTH) releases - AC_CHECK_MEMBERS(krb5_ticket.enc_part2, [], - [AC_CHECK_MEMBERS(krb5_ticket.client, [], - [AC_MSG_ERROR([could not determine how to get client name from Kerberos 5 ticket])], - [#include ])], - [#include ]) - AC_CHECK_MEMBERS(krb5_error.text.data, [], - [AC_CHECK_MEMBERS(krb5_error.e_data, [], - [AC_MSG_ERROR([could not determine how to extract Kerberos 5 error messages])], - [#include ])], - [#include ]) - -# Win32 requires headers to be loaded for __stdcall, so can't use -# AC_CHECK_FUNCS here. - AC_MSG_CHECKING(for krb5_free_unparsed_name) - AC_TRY_LINK([#include ], - [krb5_free_unparsed_name(NULL,NULL);], - [AC_DEFINE(HAVE_KRB5_FREE_UNPARSED_NAME, 1, [Define to 1 if you have krb5_free_unparsed_name.]) -AC_MSG_RESULT(yes)], - [AC_MSG_RESULT(no)]) -fi - # On PPC, check if assembler supports LWARX instruction's mutex hint bit case $host_cpu in ppc*|powerpc*) diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 9fc583ce57..14870401fb 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -450,17 +450,6 @@ hostnossl database user - - krb5 - - - Use Kerberos V5 to authenticate the user. This is only - available for TCP/IP connections. See for details. - - - - ident 
@@ -650,13 +639,13 @@ host all all .example.com md5 # In the absence of preceding "host" lines, these two lines will # reject all connections from 192.168.54.1 (since that entry will be -# matched first), but allow Kerberos 5 connections from anywhere else +# matched first), but allow GSSAPI connections from anywhere else # on the Internet. The zero mask causes no bits of the host IP # address to be considered, so it matches any host. # # TYPE DATABASE USER ADDRESS METHOD host all all 192.168.54.1/32 reject -host all all 0.0.0.0/0 krb5 +host all all 0.0.0.0/0 gss # Allow users from 192.168.x.x hosts to connect to any database, if # they pass the ident check. If, for example, ident says the user is 
@@ -925,16 +914,74 @@ omicron bryanh guest1 - When GSSAPI uses - Kerberos, it uses a standard principal - in the format - servicename/hostname@realm. For information about the parts of the principal, and - how to set up the required keys, see . + GSSAPI support has to be enabled when PostgreSQL is built; + see for more information. - GSSAPI support has to be enabled when PostgreSQL is built; - see for more information. + When GSSAPI uses + Kerberos, it uses a standard principal + in the format + servicename/hostname@realm. + servicename can be set on the server side using the + configuration parameter, and on the + client side using the krbsrvname connection parameter. (See + also .) The installation default can be + changed from the default postgres at build time using + ./configure --with-krb-srvnam=whatever. + In most environments, + this parameter never needs to be changed. However, it is necessary + when supporting multiple PostgreSQL installations + on the same host. + Some Kerberos implementations might also require a different service name, + such as Microsoft Active Directory which requires the service name + to be in upper case (POSTGRES). + + + hostname is the fully qualified host name of the + server machine. The service principal's realm is the preferred realm + of the server machine. + + + + Client principals must have their PostgreSQL database user + name as their first component, for example + pgusername@realm. Alternatively, you can use a user name + mapping to map from the first component of the principal name to the + database user name. By default, the realm of the client is + not checked by PostgreSQL. If you have cross-realm + authentication enabled and need to verify the realm, use the + krb_realm parameter, or enable include_realm + and use user name mapping to check the realm. + + + + Make sure that your server keytab file is readable (and preferably + only readable) by the PostgreSQL server + account. (See also .) 
The location + of the key file is specified by the configuration + parameter. The default is + /usr/local/pgsql/etc/krb5.keytab (or whatever + directory was specified as sysconfdir at build time). + + + The keytab file is generated by the Kerberos software; see the + Kerberos documentation for details. The following example is + for MIT-compatible Kerberos 5 implementations: + +kadmin% ank -randkey postgres/server.my.domain.org +kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org + + + + + When connecting to the database make sure you have a ticket for a + principal matching the requested database user name. For example, for + database user name fred, principal + fred@EXAMPLE.COM would be able to connect. To also allow + principal fred/users.example.com@EXAMPLE.COM, use a user name + map, as described in . 
@@ -1050,178 +1097,6 @@ omicron bryanh guest1 - - Kerberos Authentication - - - Kerberos - - - - - Native Kerberos authentication has been deprecated and should be used - only for backward compatibility. New and upgraded installations are - encouraged to use the industry-standard GSSAPI - authentication method (see ) instead. - - - - - Kerberos is an industry-standard secure - authentication system suitable for distributed computing over a public - network. A description of the Kerberos system - is beyond the scope of this document; in full generality it can be - quite complex (yet powerful). The - - Kerberos FAQ or - MIT Kerberos page - can be good starting points for exploration. - Several sources for Kerberos distributions exist. - Kerberos provides secure authentication but - does not encrypt queries or data passed over the network; for that - use SSL. - - - - PostgreSQL supports Kerberos version 5. Kerberos - support has to be enabled when PostgreSQL is built; - see for more information. - - - - PostgreSQL operates like a normal Kerberos service. - The name of the service principal is - servicename/hostname@realm. - - - - servicename can be set on the server side using the - configuration parameter, and on the - client side using the krbsrvname connection parameter. (See - also .) The installation default can be - changed from the default postgres at build time using - ./configure --with-krb-srvnam=whatever. - In most environments, - this parameter never needs to be changed. However, it is necessary - when supporting multiple PostgreSQL installations - on the same host. - Some Kerberos implementations might also require a different service name, - such as Microsoft Active Directory which requires the service name - to be in upper case (POSTGRES). - - - - hostname is the fully qualified host name of the - server machine. The service principal's realm is the preferred realm - of the server machine. 
- - - - Client principals must have their PostgreSQL database user - name as their first component, for example - pgusername@realm. Alternatively, you can use a user name - mapping to map from the first component of the principal name to the - database user name. By default, the realm of the client is - not checked by PostgreSQL. If you have cross-realm - authentication enabled and need to verify the realm, use the - krb_realm parameter, or enable include_realm - and use user name mapping to check the realm. - - - - Make sure that your server keytab file is readable (and preferably - only readable) by the PostgreSQL server - account. (See also .) The location - of the key file is specified by the configuration - parameter. The default is - /usr/local/pgsql/etc/krb5.keytab (or whatever - directory was specified as sysconfdir at build time). - - - - The keytab file is generated by the Kerberos software; see the - Kerberos documentation for details. The following example is - for MIT-compatible Kerberos 5 implementations: - -kadmin% ank -randkey postgres/server.my.domain.org -kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org - - - - - When connecting to the database make sure you have a ticket for a - principal matching the requested database user name. For example, for - database user name fred, principal - fred@EXAMPLE.COM would be able to connect. To also allow - principal fred/users.example.com@EXAMPLE.COM, use a user name - map, as described in . - - - - If you use - mod_auth_kerb - and mod_perl on your - Apache web server, you can use - AuthType KerberosV5SaveCredentials with a - mod_perl script. This gives secure - database access over the web, with no additional passwords required. - - - - The following configuration options are supported for - Kerberos: - - - map - - - Allows for mapping between system and database user names. See - for details. 
- - - - - - include_realm - - - If set to 1, the realm name from the authenticated user - principal is included in the system user name that's passed through - user name mapping (). This is - useful for handling users from multiple realms. - - - - - - krb_realm - - - Sets the realm to match user principal names against. If this parameter - is set, only users of that realm will be accepted. If it is not set, - users of any realm can connect, subject to whatever user name mapping - is done. - - - - - - krb_server_hostname - - - Sets the host name part of the service principal. - This, combined with krb_srvname, is used to generate - the complete service principal, that is - krb_srvname/krb_server_hostname@REALM. - If not set, the default is the server host name. - - - - - - - Ident Authentication diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 0f2f2bf925..3c4bb9beca 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -964,7 +964,7 @@ include 'filename' Sets the location of the Kerberos server key file. See - or + for details. This parameter can only be set in the postgresql.conf file or on the server command line. @@ -978,7 +978,7 @@ include 'filename' - Sets the Kerberos service name. See + Sets the Kerberos service name. See for details. This parameter can only be set in the postgresql.conf file or on the server command line. @@ -992,7 +992,7 @@ include 'filename' - Sets whether Kerberos and GSSAPI user names should be treated + Sets whether GSSAPI user names should be treated case-insensitively. The default is off (case sensitive). This parameter can only be set in the postgresql.conf file or on the server command line. diff --git a/doc/src/sgml/install-windows.sgml b/doc/src/sgml/install-windows.sgml index 4c9ce5b145..f3b1a12b05 100644 --- a/doc/src/sgml/install-windows.sgml +++ b/doc/src/sgml/install-windows.sgml 
@@ -269,7 +269,7 @@ $ENV{PATH}=$ENV{PATH} . ';c:\some\where\bison\bin'; MIT Kerberos - Required for Kerberos authentication support. MIT Kerberos can be + Required for GSSAPI authentication support. MIT Kerberos can be downloaded from . diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index fc6559d708..a4cdf5f104 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -771,28 +771,12 @@ su - postgres - - - - - Build with support for Kerberos 5 authentication. On many - systems, the Kerberos system is not installed in a location - that is searched by default (e.g., /usr/include, - /usr/lib), so you must use the options - - - - - The default name of the Kerberos service principal (also used - by GSSAPI). + The default name of the Kerberos service principal used + by GSSAPI. postgres is the default. There's usually no reason to change this unless you have a Windows environment, in which case it must be set to upper case diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 15bc42cd61..3ab06a1a1b 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -896,7 +896,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname Using hostaddr instead of host allows the application to avoid a host name look-up, which might be important in applications with time constraints. However, a host name is - required for Kerberos, GSSAPI, or SSPI authentication + required for GSSAPI or SSPI authentication methods, as well as for verify-full SSL certificate verification. The following rules are used: @@ -1331,11 +1331,10 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname krbsrvname - Kerberos service name to use when authenticating with Kerberos 5 - or GSSAPI. + Kerberos service name to use when authenticating with GSSAPI. This must match the service name specified in the server configuration for Kerberos authentication to succeed. (See also - and .) + .) 
@@ -6652,7 +6651,7 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) libpq applications will attempt authentication with servers for this realm and use separate ticket files to avoid conflicts with local ticket files. This - environment variable is only used if Kerberos authentication is + environment variable is only used if GSSAPI authentication is selected by the server. diff --git a/doc/src/sgml/passwordcheck.sgml b/doc/src/sgml/passwordcheck.sgml index 415749d542..6e6e4ef435 100644 --- a/doc/src/sgml/passwordcheck.sgml +++ b/doc/src/sgml/passwordcheck.sgml @@ -48,7 +48,7 @@ module, because in that case it can only try to guess the password. For this reason, passwordcheck is not recommended if your security requirements are high. - It is more secure to use an external authentication method such as Kerberos + It is more secure to use an external authentication method such as GSSAPI (see ) than to rely on passwords within the database. diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 0b2e60eeb1..7d99976a49 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -271,7 +271,8 @@ authentication dialog (not described here, part of the Kerberos specification) with the server. If this is successful, the server responds with an AuthenticationOk, - otherwise it responds with an ErrorResponse. + otherwise it responds with an ErrorResponse. This is no + longer supported. This is not supported any more. diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 8589915984..882dc8faf1 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c 
@@ -133,29 +133,6 @@ char *pg_krb_srvnam; bool pg_krb_caseins_users; -/*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 5 - *---------------------------------------------------------------- - */ -#ifdef KRB5 -static int pg_krb5_recvauth(Port *port); - -#include -/* Some old versions of Kerberos do not include in */ -#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__) -#include -#endif -/* - * Various krb5 state which is not connection specific, and a flag to - * indicate whether we have initialised it yet. - */ -static int pg_krb5_initialised; -static krb5_context pg_krb5_context; -static krb5_keytab pg_krb5_keytab; -static krb5_principal pg_krb5_server; -#endif /* KRB5 */ - - /*---------------------------------------------------------------- * GSSAPI Authentication *---------------------------------------------------------------- @@ -257,9 +234,6 @@ auth_failed(Port *port, int status) case uaImplicitReject: errstr = gettext_noop("authentication failed for user \"%s\": host rejected"); break; - case uaKrb5: - errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\""); - break; case uaTrust: errstr = gettext_noop("\"trust\" authentication failed for user \"%s\""); break; @@ -497,15 +471,6 @@ ClientAuthentication(Port *port) break; } - case uaKrb5: -#ifdef KRB5 - sendAuthRequest(port, AUTH_REQ_KRB5); - status = pg_krb5_recvauth(port); -#else - Assert(false); -#endif - break; - case uaGSS: #ifdef ENABLE_GSS sendAuthRequest(port, AUTH_REQ_GSS); 
@@ -735,188 +700,6 @@ recv_and_check_password_packet(Port *port) } -/*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 5 - *---------------------------------------------------------------- - */ -#ifdef KRB5 - -static int -pg_krb5_init(Port *port) -{ - krb5_error_code retval; - char *khostname; - - if (pg_krb5_initialised) - return STATUS_OK; - - retval = krb5_init_context(&pg_krb5_context); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos initialization returned error %d", - retval))); - com_err("postgres", retval, "while initializing krb5"); - return STATUS_ERROR; - } - - retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos keytab resolving returned error %d", - retval))); - com_err("postgres", retval, "while resolving keytab file \"%s\"", - pg_krb_server_keyfile); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - /* - * If no hostname was specified, pg_krb_server_hostname is already NULL. - * If it's set to blank, force it to NULL. - */ - khostname = port->hba->krb_server_hostname; - if (khostname && khostname[0] == '\0') - khostname = NULL; - - retval = krb5_sname_to_principal(pg_krb5_context, - khostname, - pg_krb_srvnam, - KRB5_NT_SRV_HST, - &pg_krb5_server); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d", - khostname ? khostname : "server hostname", pg_krb_srvnam, retval))); - com_err("postgres", retval, - "while getting server principal for server \"%s\" for service \"%s\"", - khostname ? 
khostname : "server hostname", pg_krb_srvnam); - krb5_kt_close(pg_krb5_context, pg_krb5_keytab); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - pg_krb5_initialised = 1; - return STATUS_OK; -} - - -/* - * pg_krb5_recvauth -- server routine to receive authentication information - * from the client - * - * We still need to compare the username obtained from the client's setup - * packet to the authenticated name. - * - * We have our own keytab file because postgres is unlikely to run as root, - * and so cannot read the default keytab. - */ -static int -pg_krb5_recvauth(Port *port) -{ - krb5_error_code retval; - int ret; - krb5_auth_context auth_context = NULL; - krb5_ticket *ticket; - char *kusername; - char *cp; - - ret = pg_krb5_init(port); - if (ret != STATUS_OK) - return ret; - - retval = krb5_recvauth(pg_krb5_context, &auth_context, - (krb5_pointer) & port->sock, pg_krb_srvnam, - pg_krb5_server, 0, pg_krb5_keytab, &ticket); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos recvauth returned error %d", - retval))); - com_err("postgres", retval, "from krb5_recvauth"); - return STATUS_ERROR; - } - - /* - * The "client" structure comes out of the ticket and is therefore - * authenticated. Use it to check the username obtained from the - * postmaster startup packet. 
- */ -#if defined(HAVE_KRB5_TICKET_ENC_PART2) - retval = krb5_unparse_name(pg_krb5_context, - ticket->enc_part2->client, &kusername); -#elif defined(HAVE_KRB5_TICKET_CLIENT) - retval = krb5_unparse_name(pg_krb5_context, - ticket->client, &kusername); -#else -#error "bogus configuration" -#endif - if (retval) - { - ereport(LOG, - (errmsg("Kerberos unparse_name returned error %d", - retval))); - com_err("postgres", retval, "while unparsing client name"); - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - - cp = strchr(kusername, '@'); - if (cp) - { - /* - * If we are not going to include the realm in the username that is - * passed to the ident map, destructively modify it here to remove the - * realm. Then advance past the separator to check the realm. - */ - if (!port->hba->include_realm) - *cp = '\0'; - cp++; - - if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) - { - /* Match realm against configured */ - if (pg_krb_caseins_users) - ret = pg_strcasecmp(port->hba->krb_realm, cp); - else - ret = strcmp(port->hba->krb_realm, cp); - - if (ret) - { - elog(DEBUG2, - "krb5 realm (%s) and configured realm (%s) don't match", - cp, port->hba->krb_realm); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - } - } - else if (port->hba->krb_realm && strlen(port->hba->krb_realm)) - { - elog(DEBUG2, - "krb5 did not return realm but realm matching was requested"); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - - ret = check_usermap(port->hba->usermap, port->user_name, kusername, - pg_krb_caseins_users); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - free(kusername); - - return ret; -} -#endif /* KRB5 */ - /*---------------------------------------------------------------- * GSSAPI 
authentication system diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index ae25cf873f..77434f410a 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1177,12 +1177,6 @@ parse_hba_line(List *line, int line_num, char *raw_line) parsedline->auth_method = uaPeer; else if (strcmp(token->string, "password") == 0) parsedline->auth_method = uaPassword; - else if (strcmp(token->string, "krb5") == 0) -#ifdef KRB5 - parsedline->auth_method = uaKrb5; -#else - unsupauth = "krb5"; -#endif else if (strcmp(token->string, "gss") == 0) #ifdef ENABLE_GSS parsedline->auth_method = uaGSS; @@ -1261,17 +1255,6 @@ parse_hba_line(List *line, int line_num, char *raw_line) parsedline->auth_method = uaPeer; /* Invalid authentication combinations */ - if (parsedline->conntype == ctLocal && - parsedline->auth_method == uaKrb5) - { - ereport(LOG, - (errcode(ERRCODE_CONFIG_FILE_ERROR), - errmsg("krb5 authentication is not supported on local sockets"), - errcontext("line %d of configuration file \"%s\"", - line_num, HbaFileName))); - return NULL; - } - if (parsedline->conntype == ctLocal && parsedline->auth_method == uaGSS) { @@ -1417,11 +1400,10 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) { if (hbaline->auth_method != uaIdent && hbaline->auth_method != uaPeer && - hbaline->auth_method != uaKrb5 && hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI && hbaline->auth_method != uaCert) - INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi, and cert")); + INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert")); hbaline->usermap = pstrdup(val); } else if (strcmp(name, "clientcert") == 0) 
@@ -1578,25 +1560,18 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap"); hbaline->ldapsuffix = pstrdup(val); } - else if (strcmp(name, "krb_server_hostname") == 0) - { - REQUIRE_AUTH_OPTION(uaKrb5, "krb_server_hostname", "krb5"); - hbaline->krb_server_hostname = pstrdup(val); - } else if (strcmp(name, "krb_realm") == 0) { - if (hbaline->auth_method != uaKrb5 && - hbaline->auth_method != uaGSS && + if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) - INVALID_AUTH_OPTION("krb_realm", gettext_noop("krb5, gssapi, and sspi")); + INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi")); hbaline->krb_realm = pstrdup(val); } else if (strcmp(name, "include_realm") == 0) { - if (hbaline->auth_method != uaKrb5 && - hbaline->auth_method != uaGSS && + if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) - INVALID_AUTH_OPTION("include_realm", gettext_noop("krb5, gssapi, and sspi")); + INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi")); if (strcmp(val, "1") == 0) hbaline->include_realm = true; else diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample index a12ba26ad5..86a89edf9a 100644 --- a/src/backend/libpq/pg_hba.conf.sample +++ b/src/backend/libpq/pg_hba.conf.sample @@ -43,7 +43,7 @@ # directly connected to. # # METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", -# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that +# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that # "password" sends passwords in clear text; "md5" is preferred since # it sends encrypted passwords. # diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index a9aa7a487f..7e934b75ab 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c 
@@ -76,9 +76,6 @@ static const char *auth_methods_host[] = {"trust", "reject", "md5", "password", #ifdef ENABLE_SSPI "sspi", #endif -#ifdef KRB5 - "krb5", -#endif #ifdef USE_PAM "pam", "pam ", #endif diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h index 73ae5105eb..5a103aed19 100644 --- a/src/include/libpq/hba.h +++ b/src/include/libpq/hba.h @@ -20,7 +20,6 @@ typedef enum UserAuth { uaReject, uaImplicitReject, - uaKrb5, uaTrust, uaIdent, uaPassword, diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h index 0be839c23c..969fe5e105 100644 --- a/src/include/libpq/pqcomm.h +++ b/src/include/libpq/pqcomm.h @@ -164,7 +164,7 @@ extern bool Db_user_namespace; #define AUTH_REQ_OK 0 /* User is authenticated */ #define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */ -#define AUTH_REQ_KRB5 2 /* Kerberos V5 */ +#define AUTH_REQ_KRB5 2 /* Kerberos V5. Not supported any more. */ #define AUTH_REQ_PASSWORD 3 /* Password */ #define AUTH_REQ_CRYPT 4 /* crypt password. Not supported any more. */ #define AUTH_REQ_MD5 5 /* md5 password */ diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index 64717dfcd4..0bade28b97 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -260,21 +260,6 @@ /* Define to 1 if you have isinf(). */ #undef HAVE_ISINF -/* Define to 1 if `e_data' is a member of `krb5_error'. */ -#undef HAVE_KRB5_ERROR_E_DATA - -/* Define to 1 if `text.data' is a member of `krb5_error'. */ -#undef HAVE_KRB5_ERROR_TEXT_DATA - -/* Define to 1 if you have krb5_free_unparsed_name. */ -#undef HAVE_KRB5_FREE_UNPARSED_NAME - -/* Define to 1 if `client' is a member of `krb5_ticket'. */ -#undef HAVE_KRB5_TICKET_CLIENT - -/* Define to 1 if `enc_part2' is a member of `krb5_ticket'. */ -#undef HAVE_KRB5_TICKET_ENC_PART2 - /* Define to 1 if you have the header file. */ #undef HAVE_LANGINFO_H 
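Review bot: The hba.h section visible here only drops `uaKrb5` from `UserAuth`, while hba.c stops parsing `krb_server_hostname` (its branch in `parse_hba_auth_opt` is removed), so if `HbaLine` still carries a `krb_server_hostname` member it is now dead state that nothing can set; it should be removed in the same commit, or at least marked `/* unused since krb5 auth removal */` until it is. Removing a value from the middle of the enum also renumbers every later enumerator, which is harmless only if nothing stores, compares or indexes by the numeric value; that is worth confirming, since the pqcomm.h hunk deliberately keeps `AUTH_REQ_KRB5` pinned at 2 for the wire protocol. The `typedef enum UserAuth` and the `HbaLine` struct continue outside this hunk.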
@@ -656,9 +641,6 @@ /* Define to the appropriate snprintf format for 64-bit ints. */ #undef INT64_FORMAT -/* Define to build with Kerberos 5 support. (--with-krb5) */ -#undef KRB5 - /* Define to 1 if `locale_t' requires . */ #undef LOCALE_T_IN_XLOCALE diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32 index b69414fd48..19ef4c1a9f 100644 --- a/src/include/pg_config.h.win32 +++ b/src/include/pg_config.h.win32 @@ -193,18 +193,6 @@ /* Define to 1 if you have isinf(). */ #define HAVE_ISINF 1 -/* Define to 1 if `e_data' is member of `krb5_error'. */ -/* #undef HAVE_KRB5_ERROR_E_DATA */ - -/* Define to 1 if `text.data' is member of `krb5_error'. */ -/* #undef HAVE_KRB5_ERROR_TEXT_DATA */ - -/* Define to 1 if `client' is member of `krb5_ticket'. */ -/* #undef HAVE_KRB5_TICKET_CLIENT */ - -/* Define to 1 if `enc_part2' is member of `krb5_ticket'. */ -/* #undef HAVE_KRB5_TICKET_ENC_PART2 */ - /* Define to 1 if you have the header file. */ /* #undef HAVE_LANGINFO_H */ @@ -541,9 +529,6 @@ /* Define to the appropriate snprintf format for 64-bit ints, if any. */ #define INT64_FORMAT "%lld" -/* Define to build with Kerberos 5 support. (--with-krb5) */ -/* #undef KRB5 */ - /* Define to 1 if `locale_t' requires . */ /* #undef LOCALE_T_IN_XLOCALE */ diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index 91f7c501c7..e10c970910 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c 
@@ -43,258 +43,6 @@ #include "libpq/md5.h" -#ifdef KRB5 -/* - * MIT Kerberos authentication system - protocol version 5 - */ - -#include -/* Some old versions of Kerberos do not include in */ -#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__) -#include -#endif - -/* - * Heimdal doesn't have a free function for unparsed names. Just pass it to - * standard free() which should work in these cases. - */ -#ifndef HAVE_KRB5_FREE_UNPARSED_NAME -static void -krb5_free_unparsed_name(krb5_context context, char *val) -{ - free(val); -} -#endif - -/* - * pg_an_to_ln -- return the local name corresponding to an authentication - * name - * - * XXX Assumes that the first aname component is the user name. This is NOT - * necessarily so, since an aname can actually be something out of your - * worst X.400 nightmare, like - * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU - * Note that the MIT an_to_ln code does the same thing if you don't - * provide an aname mapping database...it may be a better idea to use - * krb5_an_to_ln, except that it punts if multiple components are found, - * and we can't afford to punt. - * - * For WIN32, convert username to lowercase because the Win32 kerberos library - * generates tickets with the username as the user entered it instead of as - * it is entered in the directory. - */ -static char * -pg_an_to_ln(char *aname) -{ - char *p; - - if ((p = strchr(aname, '/')) || (p = strchr(aname, '@'))) - *p = '\0'; -#ifdef WIN32 - for (p = aname; *p; p++) - *p = pg_tolower((unsigned char) *p); -#endif - - return aname; -} - - -/* - * Various krb5 state which is not connection specific, and a flag to - * indicate whether we have initialised it yet. 
- */ -/* -static int pg_krb5_initialised; -static krb5_context pg_krb5_context; -static krb5_ccache pg_krb5_ccache; -static krb5_principal pg_krb5_client; -static char *pg_krb5_name; -*/ - -struct krb5_info -{ - int pg_krb5_initialised; - krb5_context pg_krb5_context; - krb5_ccache pg_krb5_ccache; - krb5_principal pg_krb5_client; - char *pg_krb5_name; -}; - - -static int -pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info) -{ - krb5_error_code retval; - - if (info->pg_krb5_initialised) - return STATUS_OK; - - retval = krb5_init_context(&(info->pg_krb5_context)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_init_context: %s\n", - error_message(retval)); - return STATUS_ERROR; - } - - retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_cc_default: %s\n", - error_message(retval)); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache, - &(info->pg_krb5_client)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_cc_get_principal: %s\n", - error_message(retval)); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_unparse_name: %s\n", - error_message(retval)); - krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name); - - info->pg_krb5_initialised = 1; - return STATUS_OK; -} - -static void -pg_krb5_destroy(struct krb5_info * info) -{ - 
krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name); - krb5_free_context(info->pg_krb5_context); -} - - -/* - * pg_krb5_sendauth -- client routine to send authentication information to - * the server - */ -static int -pg_krb5_sendauth(PGconn *conn) -{ - krb5_error_code retval; - int ret; - krb5_principal server; - krb5_auth_context auth_context = NULL; - krb5_error *err_ret = NULL; - struct krb5_info info; - - info.pg_krb5_initialised = 0; - - if (!(conn->pghost && conn->pghost[0] != '\0')) - { - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("host name must be specified\n")); - return STATUS_ERROR; - } - - ret = pg_krb5_init(&conn->errorMessage, &info); - if (ret != STATUS_OK) - return ret; - - retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost, - conn->krbsrvname, - KRB5_NT_SRV_HST, &server); - if (retval) - { - printfPQExpBuffer(&conn->errorMessage, - "pg_krb5_sendauth: krb5_sname_to_principal: %s\n", - error_message(retval)); - pg_krb5_destroy(&info); - return STATUS_ERROR; - } - - /* - * libpq uses a non-blocking socket. But kerberos needs a blocking socket, - * and we have to block somehow to do mutual authentication anyway. So we - * temporarily make it blocking. 
- */ - if (!pg_set_block(conn->sock)) - { - char sebuf[256]; - - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf))); - krb5_free_principal(info.pg_krb5_context, server); - pg_krb5_destroy(&info); - return STATUS_ERROR; - } - - retval = krb5_sendauth(info.pg_krb5_context, &auth_context, - (krb5_pointer) & conn->sock, (char *) conn->krbsrvname, - info.pg_krb5_client, server, - AP_OPTS_MUTUAL_REQUIRED, - NULL, 0, /* no creds, use ccache instead */ - info.pg_krb5_ccache, &err_ret, NULL, NULL); - if (retval) - { - if (retval == KRB5_SENDAUTH_REJECTED && err_ret) - { -#if defined(HAVE_KRB5_ERROR_TEXT_DATA) - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), - (int) err_ret->text.length, err_ret->text.data); -#elif defined(HAVE_KRB5_ERROR_E_DATA) - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), - (int) err_ret->e_data->length, - (const char *) err_ret->e_data->data); -#else -#error "bogus configuration" -#endif - } - else - { - printfPQExpBuffer(&conn->errorMessage, - "krb5_sendauth: %s\n", error_message(retval)); - } - - if (err_ret) - krb5_free_error(info.pg_krb5_context, err_ret); - - ret = STATUS_ERROR; - } - - krb5_free_principal(info.pg_krb5_context, server); - - if (!pg_set_noblock(conn->sock)) - { - char sebuf[256]; - - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("could not restore nonblocking mode on socket: %s\n"), - pqStrerror(errno, sebuf, sizeof(sebuf))); - ret = STATUS_ERROR; - } - pg_krb5_destroy(&info); - - return ret; -} -#endif /* KRB5 */ - #ifdef ENABLE_GSS /* * GSSAPI authentication system. 
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn) return STATUS_ERROR; case AUTH_REQ_KRB5: -#ifdef KRB5 - pglock_thread(); - if (pg_krb5_sendauth(conn) != STATUS_OK) - { - /* Error message already filled in */ - pgunlock_thread(); - return STATUS_ERROR; - } - pgunlock_thread(); - break; -#else printfPQExpBuffer(&conn->errorMessage, libpq_gettext("Kerberos 5 authentication not supported\n")); return STATUS_ERROR; -#endif #if defined(ENABLE_GSS) || defined(ENABLE_SSPI) case AUTH_REQ_GSS: diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 3a9ddf19d7..fa88c87494 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -278,7 +278,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "Require-Peer", "", 10, offsetof(struct pg_conn, requirepeer)}, -#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) +#if defined(ENABLE_GSS) || defined(ENABLE_SSPI) /* Kerberos and GSSAPI authentication support specifying the service name */ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, "Kerberos-service-name", "", 20, @@ -2823,7 +2823,7 @@ freePGconn(PGconn *conn) free(conn->sslcompression); if (conn->requirepeer) free(conn->requirepeer); -#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) +#if defined(ENABLE_GSS) || defined(ENABLE_SSPI) if (conn->krbsrvname) free(conn->krbsrvname); #endif diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index 0fb926bbd4..22bbe4a48e 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -331,7 +331,7 @@ struct pg_conn char *sslcrl; /* certificate revocation list filename */ char *requirepeer; /* required peer credentials for local sockets */ -#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) +#if defined(ENABLE_GSS) || defined(ENABLE_SSPI) char *krbsrvname; /* Kerberos service name */ #endif 
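Review bot: The `AUTH_REQ_KRB5` arm now unconditionally rejects the request, but the message gives an operator no hint that a server still configured with `krb5` in pg_hba.conf should be switched to `gss`; since the protocol code is kept precisely so that such servers are rejected explicitly rather than as an unknown method, the text could say so: `libpq_gettext("Kerberos 5 authentication not supported; use GSSAPI (gss) instead\n")`. A short comment above the case, `/* still sent by servers built with the removed krb5 method; refuse it explicitly */`, would also explain why the case survives when `KRB5` no longer exists. `pg_fe_sendauth` starts and ends outside this hunk.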
diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm
index bc52086fc8..7921596a48 100644
--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@@ -221,10 +221,6 @@ s{PG_VERSION_STR "[^"]+"}{__STRINGIFY(x) #x\n#define __STRINGIFY2(z) __STRINGIFY
 }
 if ($self->{options}->{krb5})
 {
- print O "#define KRB5 1\n";
- print O "#define HAVE_KRB5_ERROR_TEXT_DATA 1\n";
- print O "#define HAVE_KRB5_TICKET_ENC_PART2 1\n";
- print O "#define HAVE_KRB5_FREE_UNPARSED_NAME 1\n";
 print O "#define ENABLE_GSS 1\n";
 }
 if (my $port = $self->{options}->{"--with-pgport"})
@@ -625,7 +621,7 @@ sub GetFakeConfigure
 $cfg .= ' --with-ossp-uuid' if ($self->{options}->{uuid});
 $cfg .= ' --with-libxml' if ($self->{options}->{xml});
 $cfg .= ' --with-libxslt' if ($self->{options}->{xslt});
- $cfg .= ' --with-krb5' if ($self->{options}->{krb5});
+ $cfg .= ' --with-gssapi' if ($self->{options}->{krb5});
 $cfg .= ' --with-tcl' if ($self->{options}->{tcl});
 $cfg .= ' --with-perl' if ($self->{options}->{perl});
 $cfg .= ' --with-python' if ($self->{options}->{python});
diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl
index 2489d3827f..ebb47ab40e 100644
--- a/src/tools/msvc/config_default.pl
+++ b/src/tools/msvc/config_default.pl
@@ -15,7 +15,6 @@ our $config = {
 tcl => undef, # --with-tls=
 perl => undef, # --with-perl
 python => undef, # --with-python=
- krb5 => undef, # --with-krb5=
 openssl => undef, # --with-ssl=
 uuid => undef, # --with-ossp-uuid
 xml => undef, # --with-libxml=
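Review bot: Solution.pm still keys on `$self->{options}->{krb5}` to emit `#define ENABLE_GSS 1` (and, in the `GetFakeConfigure` hunk, `--with-gssapi`), yet the config_default.pl hunk deletes the only `krb5 => undef` entry that documented that key, so an MSVC builder now has no visible way to discover how GSSAPI is switched on. Either keep a documented key, or rename it to match what it now does: `if ($self->{options}->{gss})` in both Solution.pm hunks and `gss => undef, # --with-gssapi=<path>` in config_default.pl. Whether a `gss` key already exists elsewhere in config_default.pl is not visible in this hunk; if it does, the `krb5` branches here are simply stale and should be folded into it.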