* Portions Copyright (c) 1996-2000, PostgreSQL, Inc

to all files copyright Regents of Berkeley.  Man, that's a lot of files.

pg_dump and interfaces/odbc still need some work.)

When drawing up a very simple "text-drawing" of how the negotiation is done,
I realised I had done this last part (fallback) in a very stupid way. Patch
#4 fixes this, and does it in a much better way.

Included is also the simple text-drawing of how the negotiation is done.

//Magnus

authentifica
tion
working with postgresql-6.4.2 and  KTH-KRB Ebones
(http://www.pdc.kth.se/kth-kr
b) on a dec alpha running DU 4.0D using the native compiler. The
following
patch does the trick.

The rationale behind this is as follows. The KTH-KRB code header files
defines
lots of lengths like INST_SZ,REALM_SZ and KRB_SENDAUTH_VLEN. It also has
a
habit of doing things like

        chararray[LENGTH] = '\0'

to ensure null terminated strings. In my instance this just happens to
blat
the kerberos principal instance string leading to error like

        pg_krb4_recvauth: kerberos error: Can't decode authenticator
(krb_rd_req
)

The application code that comes with KTH-KRB uses "KRB_SENDAUTH_VLEN +
1" and
sometimes uses "INST_SZ + 1" so it seems safest to put that 1 char
buffer in
the appropriate place.


Rodney McDuff

Initial attempt to clean up the code...

Switch sprintf() to snprintf()
Remove any/all #if 0 -or- #ifdef NOT_USED -or- #ifdef FALSE sections of
	code

From: Tom Lane <tgl@sss.pgh.pa.us>

Making PQrequestCancel safe to call in a signal handler turned out to be
much easier than I feared.  So here are the diffs.

Some notes:
  * I modified the postmaster's packet "iodone" callback interface to allow
    the callback routine to return a continue-or-drop-connection return
    code; this was necessary to allow the connection to be closed after
    receiving a Cancel, rather than proceeding to launch a new backend...
    Being a neatnik, I also made the iodone proc have a typechecked
    parameter list.
  * I deleted all code I could find that had to do with OOB.
  * I made some edits to ensure that all signals mentioned in the code
    are referred to symbolically not by numbers ("SIGUSR2" not "2").
    I think Bruce may have already done at least some of the same edits;
    I hope that merging these patches is not too painful.

have > 20000 users and each (potentially) needs a separate database
which is > only accessible to them. Rather than having 20000 lines
in pg_hba.conf, > I've patched Postgres so that the special token
"sameuser" in the > database field of pg_hba.conf allows access
only to the username which > is connecting.

    seems  that  my last post didn't make it through. That's good
    since  the  diff  itself  didn't  covered  the  renaming   of
    pg_user.h to pg_shadow.h and it's new content.

    Here  it's  again.  The  complete regression test passwd with
    only some  float  diffs.  createuser  and  destroyuser  work.
    pg_shadow cannot be read by ordinary user.

I haven't had final confirmation from Peter yet, but the attached patch
needs to be applied for the Beta otherwise password and crypt
authentication just won't work.

It puts back the loop in libpq and also fixes a couple of problems with
maintaining compatability with pre-6.3 drivers.

Attached is the patch to fix the warning messages from my code.  I also
fixed one which wasn't my code.  Apart from the usual warnings about the
bison/yacc generated code I only have one other warning message.  This
is in gramm.y around line 2234.  I wasn't sure of the fix.

I've also replaced all the calls to free() in gramm.y to calls to
pfree().  Without these I was getting backend crashes with GRANT.  This
might already have been fixed.

Cleanup patches for previous protocol changes patch

I've completed the patch to fix the protocol and authentication issues I
was discussing a couple of weeks ago.  The particular changes are:

- the protocol has a version number
- network byte order is used throughout
- the pg_hba.conf file is used to specify what method is used to
  authenticate a frontend (either password, ident, trust, reject, krb4
  or krb5)
- support for multiplexed backends is removed
- appropriate changes to man pages
- the -a switch to many programs to specify an authentication service
  no longer has any effect
- the libpq.so version number has changed to 1.1

The new backend still supports the old protocol so old interfaces won't
break.

	...malloc/free -> palloc/pfree
	...fopen/fclose -> AllocateFile/FreeFile

An extension to the code to allow for a pg_password authentication database
that is *seperate* from the system password file

Another PGINDENT run that changes variable indenting and case label indenting.  Also static variable indenting.

Fix pgproc names over 15 chars in output.  Add strNcpy() function.  remove some (void) casts that are unnecessary.

fix, but figure I"ll know soon enough, eh?

Patch submitted by Dan McGuirk

Subject: [HACKERS] auth.c for kerberos.

  I made pgsql with eBones(international version of Kerberos4).  The
following modification was needed.  And I added read permition for
group to srvtab instead of running postmaster as root.

Subject: [HACKERS] password authentication

This patch adds support for plaintext password authentication.  To use
it, you add a line like

host         all         0.0.0.0       0.0.0.0           password  pg_pwd.conf


to your pg_hba.conf, where 'pg_pwd.conf' is the name of a file containing
the usernames and password hashes in the format of the first two fields
of a Unix /etc/passwd file.  (Of course, you can use a specific database
name or IP instead.)

Then, to connect with a password through libpq, you use the PQconnectdb()
function, specifying the "password=" tag in the connect string and also
adding the tag "authtype=password".

I also added a command-line switch '-u' to psql that tells it to prompt
for a username and password and use password authentication.

add #include "postgres.h"

If I have introduced any syntax errors with this, I will patch them in
the morning, and Marc will have a good laugh.