Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
Greenplum
Gpdb
提交
26139bb4
G
Gpdb
项目概览
Greenplum
/
Gpdb
通知
7
Star
1
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
Gpdb
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
26139bb4
编写于
4月 16, 1999
作者:
T
Tom Lane
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Improve error messages when a connection is rejected.
上级
1d1cf38c
变更
2
隐藏空白更改
内联
并排
Showing
2 changed file
with
102 addition
and
55 deletion
+102
-55
src/backend/libpq/auth.c
src/backend/libpq/auth.c
+75
-13
src/backend/libpq/hba.c
src/backend/libpq/hba.c
+27
-42
未找到文件。
src/backend/libpq/auth.c
浏览文件 @
26139bb4
...
...
@@ -7,7 +7,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.3
4 1999/03/14 16:06:42 momjian
Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.3
5 1999/04/16 04:59:03 tgl
Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -390,13 +390,53 @@ pg_passwordv0_recvauth(void *arg, PacketLen len, void *pkt)
/*
* Tell the user the authentication failed, but not why.
* Tell the user the authentication failed, but not (much about) why.
*
* There is a tradeoff here between security concerns and making life
* unnecessarily difficult for legitimate users. We would not, for example,
* want to report the password we were expecting to receive...
* But it seems useful to report the username and authorization method
* in use, and these are items that must be presumed known to an attacker
* anyway.
* Note that many sorts of failure report additional information in the
* postmaster log, which we hope is only readable by good guys.
*/
void
auth_failed
(
Port
*
port
)
{
PacketSendError
(
&
port
->
pktInfo
,
"User authentication failed"
);
char
buffer
[
512
];
const
char
*
authmethod
=
"Unknown auth method:"
;
switch
(
port
->
auth_method
)
{
case
uaReject
:
authmethod
=
"Rejected host:"
;
break
;
case
uaKrb4
:
authmethod
=
"Kerberos4"
;
break
;
case
uaKrb5
:
authmethod
=
"Kerberos5"
;
break
;
case
uaTrust
:
authmethod
=
"Trusted"
;
break
;
case
uaIdent
:
authmethod
=
"IDENT"
;
break
;
case
uaPassword
:
authmethod
=
"Password"
;
break
;
case
uaCrypt
:
authmethod
=
"Password"
;
break
;
}
sprintf
(
buffer
,
"%s authentication failed for user '%s'"
,
authmethod
,
port
->
user
);
PacketSendError
(
&
port
->
pktInfo
,
buffer
);
}
...
...
@@ -409,12 +449,15 @@ be_recvauth(Port *port)
/*
* Get the authentication method to use for this frontend/database
* combination.
* combination. Note: a failure return indicates a problem with
* the hba config file, not with the request. hba.c should have
* dropped an error message into the postmaster logfile if it failed.
*/
if
(
hba_getauthmethod
(
&
port
->
raddr
,
port
->
user
,
port
->
database
,
port
->
auth_arg
,
&
port
->
auth_method
)
!=
STATUS_OK
)
PacketSendError
(
&
port
->
pktInfo
,
"Missing or mis-configured pg_hba.conf file"
);
PacketSendError
(
&
port
->
pktInfo
,
"Missing or erroneous pg_hba.conf file, see postmaster log for details"
);
else
if
(
PG_PROTOCOL_MAJOR
(
port
->
proto
)
==
0
)
{
...
...
@@ -425,20 +468,39 @@ be_recvauth(Port *port)
}
else
{
AuthRequest
areq
;
PacketDoneProc
auth_handler
;
/* Keep the compiler quiet. */
areq
=
AUTH_REQ_OK
;
/* Handle new style authentication. */
auth_handler
=
NULL
;
AuthRequest
areq
=
AUTH_REQ_OK
;
PacketDoneProc
auth_handler
=
NULL
;
switch
(
port
->
auth_method
)
{
case
uaReject
:
/*
* This could have come from an explicit "reject" entry
* in pg_hba.conf, but more likely it means there was no
* matching entry. Take pity on the poor user and issue
* a helpful error message. NOTE: this is not a security
* breach, because all the info reported here is known
* at the frontend and must be assumed known to bad guys.
* We're merely helping out the less clueful good guys.
* NOTE 2: libpq-be.h defines the maximum error message
* length as 99 characters. It probably wouldn't hurt
* anything to increase it, but there might be some
* client out there that will fail. So, be terse.
*/
{
char
buffer
[
512
];
const
char
*
hostinfo
=
"localhost"
;
if
(
port
->
raddr
.
sa
.
sa_family
==
AF_INET
)
hostinfo
=
inet_ntoa
(
port
->
raddr
.
in
.
sin_addr
);
sprintf
(
buffer
,
"No pg_hba.conf entry for host %s, user %s, database %s"
,
hostinfo
,
port
->
user
,
port
->
database
);
PacketSendError
(
&
port
->
pktInfo
,
buffer
);
return
;
}
break
;
case
uaKrb4
:
...
...
src/backend/libpq/hba.c
浏览文件 @
26139bb4
...
...
@@ -5,7 +5,7 @@
* wherein you authenticate a user by seeing what IP address the system
* says he comes from and possibly using ident).
*
* $Id: hba.c,v 1.
39 1999/02/13 23:15:43 momjian
Exp $
* $Id: hba.c,v 1.
40 1999/04/16 04:59:03 tgl
Exp $
*
*-------------------------------------------------------------------------
*/
...
...
@@ -298,55 +298,42 @@ syntax:
static
void
process_open_config_file
(
FILE
*
file
,
SockAddr
*
raddr
,
const
char
*
user
,
const
char
*
database
,
bool
*
h
ost
_ok_p
,
const
char
*
database
,
bool
*
h
ba
_ok_p
,
UserAuth
*
userauth_p
,
char
*
auth_arg
)
{
/*---------------------------------------------------------------------------
This function does the same thing as find_hba_entry, only with
the config file already open on stream descriptor "file".
----------------------------------------------------------------------------*/
bool
found_entry
;
bool
found_entry
=
false
;
/* found an applicable entry? */
bool
error
=
false
;
/* found an erroneous entry? */
bool
eof
=
false
;
/* end of hba file */
/* We've processed a record that applies to our connection */
bool
error
;
/* Said record has invalid syntax. */
bool
eof
;
/* We've reached the end of the file we're
* reading */
found_entry
=
false
;
/* initial value */
error
=
false
;
/* initial value */
eof
=
false
;
/* initial value */
while
(
!
eof
&&
!
found_entry
&&
!
error
)
{
/* Process a line from the config file */
int
c
;
/* a character read from the file */
c
=
getc
(
file
);
ungetc
(
c
,
file
);
int
c
=
getc
(
file
);
if
(
c
==
EOF
)
eof
=
true
;
else
{
ungetc
(
c
,
file
);
if
(
c
==
'#'
)
read_through_eol
(
file
);
else
{
process_hba_record
(
file
,
raddr
,
user
,
database
,
&
found_entry
,
&
error
,
userauth_p
,
auth_arg
);
}
}
}
if
(
!
error
)
{
/* If no
entry was found then force a rejection
. */
/* If no
matching entry was found, synthesize 'reject' entry
. */
if
(
!
found_entry
)
*
userauth_p
=
uaReject
;
*
h
ost
_ok_p
=
true
;
*
h
ba
_ok_p
=
true
;
}
}
...
...
@@ -354,25 +341,23 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
static
void
find_hba_entry
(
SockAddr
*
raddr
,
const
char
*
user
,
const
char
*
database
,
bool
*
h
ost
_ok_p
,
UserAuth
*
userauth_p
,
char
*
auth_arg
)
bool
*
h
ba
_ok_p
,
UserAuth
*
userauth_p
,
char
*
auth_arg
)
{
/*
* Read the config file and find an entry that allows connection from
* host "*raddr" to database "database". If found, return *host_ok_p == true
* and *userauth_p and *auth_arg representing the contents of that entry.
*
* When a record has invalid syntax, we either ignore it or reject the
* connection (depending on where it's invalid). No message or anything.
* We need to fix that some day.
* host "raddr", user "user", to database "database". If found,
* return *hba_ok_p = true and *userauth_p and *auth_arg representing
* the contents of that entry. If there is no matching entry, we
* set *hba_ok_p = true, *userauth_p = uaReject.
*
* If we don't find or can't access the config file, we issue an error
* message and deny the connection.
* If the config file is unreadable or contains invalid syntax, we
* issue a diagnostic message to stderr (ie, the postmaster log file)
* and return without changing *hba_ok_p.
*
* If we find a file by the old name of the config file (pg_hba), we issue
* an error message because it probably needs to be converted. He didn't
* follow directions and just installed his old hba file in the new database
* system.
*
*/
int
fd
,
...
...
@@ -431,14 +416,13 @@ find_hba_entry(SockAddr *raddr, const char *user, const char *database,
}
else
{
process_open_config_file
(
file
,
raddr
,
user
,
database
,
h
ost
_ok_p
,
process_open_config_file
(
file
,
raddr
,
user
,
database
,
h
ba
_ok_p
,
userauth_p
,
auth_arg
);
FreeFile
(
file
);
}
pfree
(
conf_file
);
}
pfree
(
old_conf_file
);
return
;
}
...
...
@@ -1079,20 +1063,21 @@ GetCharSetByHost(char *TableName, int host, const char *DataDir)
#endif
extern
int
int
hba_getauthmethod
(
SockAddr
*
raddr
,
char
*
user
,
char
*
database
,
char
*
auth_arg
,
UserAuth
*
auth_method
)
{
/*---------------------------------------------------------------------------
Determine what authentication method should be used when accessing database
"database" from frontend "raddr". Return the method, an optional argument,
and STATUS_OK.
"database" from frontend "raddr", user "user". Return the method,
an optional argument, and STATUS_OK.
Note that STATUS_ERROR indicates a problem with the hba config file.
If the file is OK but does not contain any entry matching the request,
we return STATUS_OK and method = uaReject.
----------------------------------------------------------------------------*/
bool
host_ok
;
host_ok
=
false
;
bool
hba_ok
=
false
;
find_hba_entry
(
raddr
,
user
,
database
,
&
h
ost
_ok
,
auth_method
,
auth_arg
);
find_hba_entry
(
raddr
,
user
,
database
,
&
h
ba
_ok
,
auth_method
,
auth_arg
);
return
h
ost
_ok
?
STATUS_OK
:
STATUS_ERROR
;
return
h
ba
_ok
?
STATUS_OK
:
STATUS_ERROR
;
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录