From: Phil Thompson <phil@river-bank.demon.co.uk>

Cleanup patches for previous protocol changes patch
1998-01-27 03:25:14 +00:00 · 1998-01-27 03:25:14 +00:00 · c4213aede1
parent 7c3dc8f772
commit c4213aede1
7 changed files with 128 additions and 22 deletions
--- a/src/Makefile.global.in
+++ b/src/Makefile.global.in
@ -7,7 +7,7 @@
 #
 #
 # IDENTIFICATION
-#    $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.32 1998/01/15 19:41:35 pgsql Exp $
+#    $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.33 1998/01/27 03:24:51 scrappy Exp $
 #
 # NOTES
 #    Essentially all Postgres make files include this file and use the 
@ -157,10 +157,10 @@ USE_TCL= @USE_TCL@
 #
 TCL_INCDIR= /usr/local/include
 TCL_LIBDIR= /usr/local/lib
-TCL_LIB= -ltcl80
+TCL_LIB= -ltcl8.0
 TK_INCDIR= /usr/local/include
 TK_LIBDIR= /usr/local/lib
-TK_LIB= -ltk80
+TK_LIB= -ltk8.0

 USE_PERL= @USE_PERL@

--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.22 1998/01/27 03:11:41 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.23 1998/01/27 03:24:54 scrappy Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -401,7 +401,7 @@ void be_recvauth(Port *port)
 	if (hba_getauthmethod(&port->raddr, port->database, port->auth_arg,
 				&port->auth_method) != STATUS_OK)
 	{
-		PacketSendError(&port->pktInfo, "Error getting authentication method");
+		PacketSendError(&port->pktInfo, "Missing or mis-configured pg_hba.conf file");
 		return;
 	}

--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.26 1998/01/26 01:41:08 scrappy Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/hba.c,v 1.27 1998/01/27 03:24:56 scrappy Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -337,8 +337,15 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char database[],
 		}
 	}

-	if (found_entry && !error)
+	if (!error)
+	{
+		/* If no entry was found then force a rejection. */
+
+		if (!found_entry)
+			*userauth_p = uaReject;
+
 		*host_ok_p = true;
+	}
 }


--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@ -122,3 +122,8 @@
 # connect as Postgres user "guest1", the connection is only allowed if
 # there is an entry for map "omicron" in pg_ident.conf that says "bryanh" is 
 # allowed to connect as "guest1".
+
+# By default, allow anything over UNIX domain sockets and localhost.
+
+local        all                                         trust
+host         all         127.0.0.1     255.255.255.255   trust     
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.35 1998/01/26 01:41:11 scrappy Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/pqcomm.c,v 1.36 1998/01/27 03:25:01 scrappy Exp $
 *
 *-------------------------------------------------------------------------
 */
@ -619,7 +619,7 @@ StreamServerPort(char *hostName, short portName, int *fdP)
 		  errno);
 	  pqdebug("%s", PQerrormsg);
 	  strcat(PQerrormsg, "\tIs another postmaster already running on that port?\n");
-	  if (family == AF_UNIX)
+	  if (family == AF_UNIX) 
 	    strcat(PQerrormsg, "\tIf not, remove socket node (/tmp/.s.PGSQL.<portnr>)and retry.\n");
 	  else
 	    strcat(PQerrormsg, "\tIf not, wait a few seconds and retry.\n");
--- a/src/backend/parser/scan.c
+++ b/src/backend/parser/scan.c
@ -1,7 +1,7 @@
 /* A lexical scanner generated by flex */

 /* Scanner skeleton version:
- * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.9 1998/01/24 19:40:56 scrappy Exp $
+ * $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.10 1998/01/27 03:25:07 scrappy Exp $
 */

 #define FLEX_SCANNER
@ -539,7 +539,7 @@ char *yytext;
 *
 *
 * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.9 1998/01/24 19:40:56 scrappy Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/parser/Attic/scan.c,v 1.10 1998/01/27 03:25:07 scrappy Exp $
 *
 *-------------------------------------------------------------------------
 */
--- a/src/man/pg_hba.conf.5
+++ b/src/man/pg_hba.conf.5
@ -1,20 +1,114 @@
 .\" This is -*-nroff-*-
-.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_hba.conf.5,v 1.3 1997/08/26 17:30:03 momjian Exp $
-.TH pg_hba.conf 5 11/04/96 Postgres Postgres
+.\" $Header: /cvsroot/pgsql/src/man/Attic/pg_hba.conf.5,v 1.4 1998/01/27 03:25:14 scrappy Exp $
+.TH pg_hba.conf 5 1/26/98 PostgreSQL PostgreSQL
 .SH NAME
 $PGDATA/pg_hba.conf
 .SH DESCRIPTION
-"Host-based access control" is the name for the basic controls Postgres
-exercises on what clients are allowed to access a database system.
-It is called that because one of the factors that can control access is
-from what host the client is connecting.
+"Host-based access control" is the name for the basic controls PostgreSQL
+exercises on what clients are allowed to access a database and how
+the users on those clients must authenticate themselves.
 .PP
-Each database system contains a file named "pg_hba.conf", in its PGDATA
-directory, that controls who can connect to that database system.
+Each database system contains a file named "pg_hba.conf", in its $PGDATA
+directory, that controls who can connect to each database.
 .PP
-The exact format of the pg_hba.conf file is described in the comments at
-the top of the sample file pg_hba.conf.sample, which resides in the 
-the PostgreSQL "lib" sub-directory of the main postgres directory.
+Every client that wants to access to a database
+.IR must
+be covered by one of
+the entries in pg_hba.conf.  Otherwise all attempted connections from that
+client will be rejected with a "User authentication failed" error message.
+.PP
+The general format of the pg_hba.conf file is of a set of records, one per
+line.  Blank lines and lines beginning with '#' are ignored.  A record is
+made up of a number of fields which are separated by spaces and/or tabs.
+.PP
+Connections from clients can be made using UNIX domain sockets or Internet
+domain sockets (ie. TCP/IP).  Connections made using UNIX domain sockets
+are controlled using records of the following format.
+.PP
+local <database> <authentication method>
+.PP
+<database> specifies the database that this record applies to.  The value
+.IR all
+specifies that it applies to all databases.  <authentication method>
+specifies the method a user must use to authenticate themselves when
+connecting to that database using UNIX domain sockets.  The different methods
+are described below.
+.PP
+Connections made using Internet domain sockets are controlled using records
+of the following format.
+.PP
+host <database> <TCP/IP address> <TCP/IP mask> <authentication method>
+.PP
+The <TCP/IP mask> is logically anded to both the specified <TCP/IP address>
+and the TCP/IP address
+of the connecting client.  If the two values that result are equal then the
+record is used for this connection.  If a connection matches more than one
+record then the earliest one in the file is used.  Both the <TCP/IP address>
+and the <TCP/IP mask> are specified in dotted decimal notation.
+.PP
+If a connection fails to match any record then the
+.IR reject
+authentication method is applied (see below).
+.SH "AUTHENTICATION METHODS"
+The following authentication methods are supported for both UNIX and TCP/IP
+domain sockets.
+.PP
+.IR trust
+- the connection is allowed unconditionally.
+.PP
+.IR reject
+- the connection is rejected unconditionally.
+.PP
+.IR crypt
+- the client is asked for a password for the user.  This is sent encrypted
+(using crypt(3)) and compared against the password held in the pg_user table.
+If the passwords match, the connection is allowed.
+.PP
+.IR password
+- the client is asked for a password for the user.  This is sent in clear
+and compared against the password held in the pg_user table.
+If the passwords match, the connection is allowed.  An optional password file
+may be specified after the
+.IR password
+keyword which is used to match the supplied password rather than the pg_user
+table.  See pg_passwd(1).  
+.PP
+The following authentication methods are supported for TCP/IP
+domain sockets only.
+.PP
+.IR krb4
+- Kerberos V4 is used to authenticate the user.
+.PP
+.IR krb5
+- Kerberos V5 is used to authenticate the user.
+.PP
+.IR ident
+- the ident server on the client is used to authenticate the user (RFC 1413).
+An optional map name may be specified after the
+.IR ident
+keyword which allows ident user names to be mapped onto PostgreSQL user names.
+Maps are held in the file $PGDATA/pg_ident.conf.
+.SH EXAMPLES
+
+# Trust any connection via UNIX domain sockets.
+
+local	trust
+
+# Trust any connection via TCP/IP from this machine.
+
+host	all	127.0.0.1	255.255.255.255		trust
+
+# We don't like this machine.
+
+host	all	192.168.0.10	255.255.255.0		reject
+
+# This machine can't encrypt so we ask for passwords in clear.
+
+host	all	192.168.0.3	255.255.255.0		password
+
+# The rest of this group of machines should provide encrypted passwords.
+
+host	all	192.168.0.0	255.255.255.0		crypt

 .SH "SEE ALSO"
 pgintro(1).