On Wed, Dec 30, 2020 at 08:24:06PM +0100, David Fetter wrote:
> On Mon, Sep 07, 2020 at 11:57:58AM +0900, Michael Paquier wrote:
> > On Thu, Jul 02, 2020 at 04:02:21PM +0200, Daniel Gustafsson wrote:
> > > The CF Patch Tester consider this patch to be malformed and is unable to
> > > apply
> > > and test it. Can you please submit a rebased version?
> >
> > I have looked at the patch of this thread, and I doubt that it is a
> > good idea to put more burden into initdb for that. I agree that
> > being able to reject easily non-SSL connections in pg_hba.conf is a
> > bit of a hassle now, but putting more logic into initdb does not seem
> > the right course to me. Perhaps we could consider an idea like
> > Peter's to have a sslmode=require on the server side and ease the
> > generation of HBA rules..
> >
> > The patch has stalled for two months now without a rebase provided, so
> > I am marking it as returned with feedback.
>
> Please find attached the rebased patch.
>
> Peter's suggestion seems a little more subtle to me than requiring TLS
> on the server side in that what people generally want to do is
> disallow clear text connections entirely. In those scenarios, people
> would also want to set (and be able to change at runtime) some kind of
> cryptographic policy, as SSH and TLS do. While I see this as a worthy
> goal, it's a much bigger lift than an optional argument or two to
> initdb, and requires a lot more discussion than it's had to date.
*sigh*
This time with patch actually attached.
Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
>From 537e58136890d17d33699e9965d0518d4c8a1822 Mon Sep 17 00:00:00 2001
From: David Fetter <david.fet...@onelogin.com>
Date: Wed, 11 Dec 2019 18:55:03 -0800
Subject: [PATCH v5] Enable setting pg_hba.conf permissions from initdb
To: hackers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="------------2.29.2"
This is a multi-part message in MIME format.
--------------2.29.2
Content-Type: text/plain; charset=UTF-8; format=fixed
Content-Transfer-Encoding: 8bit
The new optional arguments are --auth-hostssl, --auth-hostnossl,
--auth-hostgssenc, and --auth-hostnogssenc.
diff --git doc/src/sgml/ref/initdb.sgml doc/src/sgml/ref/initdb.sgml
index 385ac25150..c63e2c316e 100644
--- doc/src/sgml/ref/initdb.sgml
+++ doc/src/sgml/ref/initdb.sgml
@@ -152,6 +152,50 @@ PostgreSQL documentation
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term>
+ <listitem>
+ <para>
+ This option specifies the authentication method for users via
+ TLS remote connections used in <filename>pg_hba.conf</filename>
+ (<literal>hostssl</literal> lines).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--auth-hostnossl=<replaceable class="parameter">authmethod</replaceable></option></term>
+ <listitem>
+ <para>
+ This option specifies the authentication method for users via
+ non-TLS remote connections used in <filename>pg_hba.conf</filename>
+ (<literal>hostnossl</literal> lines).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--auth-hostgssenc=<replaceable class="parameter">authmethod</replaceable></option></term>
+ <listitem>
+ <para>
+ This option specifies the authentication method for users via
+ encrypted GSSAPI remote connections used in <filename>pg_hba.conf</filename>
+ (<literal>hostgssenc</literal> lines).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--auth-hostnogssenc=<replaceable class="parameter">authmethod</replaceable></option></term>
+ <listitem>
+ <para>
+ This option specifies the authentication method for users via
+ remote connections not using encrypted GSSAPI in <filename>pg_hba.conf</filename>
+ (<literal>hostnogssenc</literal> lines).
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--auth-local=<replaceable class="parameter">authmethod</replaceable></option></term>
<listitem>
diff --git src/backend/libpq/pg_hba.conf.sample src/backend/libpq/pg_hba.conf.sample
index b6de12b298..e132cf4db3 100644
--- src/backend/libpq/pg_hba.conf.sample
+++ src/backend/libpq/pg_hba.conf.sample
@@ -91,3 +91,15 @@ host all all ::1/128 @authmethodhost@
@remove-line-for-nolocal@local replication all @authmethodlocal@
host replication all 127.0.0.1/32 @authmethodhost@
host replication all ::1/128 @authmethodhost@
+
+# hostnossl all all 0.0.0.0/0 @authmethodhostnossl@
+# hostnossl all all ::/0 @authmethodhostnossl@
+
+# hostssl all all 0.0.0.0/0 @authmethodhostssl@
+# hostssl all all ::/0 @authmethodhostssl@
+
+# hostnogssenc all all 0.0.0.0/0 @authmethodhostnogssenc@
+# hostnogssenc all all ::/0 @authmethodhostnogssenc@
+
+# hostgssenc all all 0.0.0.0/0 @authmethodhostgssenc@
+# hostgssenc all all ::/0 @authmethodhostgssenc@
diff --git src/bin/initdb/initdb.c src/bin/initdb/initdb.c
index 0865f73ee0..ddb5cc5c9c 100644
--- src/bin/initdb/initdb.c
+++ src/bin/initdb/initdb.c
@@ -137,6 +137,10 @@ static char *pwfilename = NULL;
static char *superuser_password = NULL;
static const char *authmethodhost = NULL;
static const char *authmethodlocal = NULL;
+static const char *authmethodhostssl = NULL;
+static const char *authmethodhostnossl = NULL;
+static const char *authmethodhostgssenc = NULL;
+static const char *authmethodhostnogssenc = NULL;
static bool debug = false;
static bool noclean = false;
static bool do_sync = true;
@@ -180,10 +184,12 @@ static const char *default_timezone = NULL;
* Warning messages for authentication methods
*/
#define AUTHTRUST_WARNING \
-"# CAUTION: Configuring the system for local \"trust\" authentication\n" \
-"# allows any local user to connect as any PostgreSQL user, including\n" \
-"# the database superuser. If you do not trust all your local users,\n" \
-"# use another authentication method.\n"
+"# CAUTION: Configuring the system for \"trust\" authentication\n" \
+"# allows any user who can reach the database on the route specified\n" \
+"# to connect as any PostgreSQL user, including the database\n" \
+"# superuser. If you do not trust all the users who could\n" \
+"# reach the database on the route specified, use a more restrictive\n" \
+"# authentication method.\n"
static bool authwarning = false;
/*
@@ -232,9 +238,7 @@ static char backend_exec[MAXPGPATH];
static char **replace_token(char **lines,
const char *token, const char *replacement);
-#ifndef HAVE_UNIX_SOCKETS
static char **filter_lines_with_token(char **lines, const char *token);
-#endif
static char **readfile(const char *path);
static void writefile(char *path, char **lines);
static FILE *popen_check(const char *command, const char *mode);
@@ -417,7 +421,6 @@ replace_token(char **lines, const char *token, const char *replacement)
*
* a sort of poor man's grep -v
*/
-#ifndef HAVE_UNIX_SOCKETS
static char **
filter_lines_with_token(char **lines, const char *token)
{
@@ -440,7 +443,6 @@ filter_lines_with_token(char **lines, const char *token)
return result;
}
-#endif
/*
* get the lines from a text file
@@ -1299,9 +1301,97 @@ setup_config(void)
"@authmethodlocal@",
authmethodlocal);
+ authwarning = (
+ strcmp(authmethodlocal, "trust") == 0 ||
+ strcmp(authmethodhost, "trust") == 0 ||
+ (authmethodhostssl != NULL &&
+ strcmp(authmethodhostssl, "trust") == 0) ||
+ (authmethodhostnossl != NULL &&
+ strcmp(authmethodhostnossl, "trust") == 0) ||
+ (authmethodhostgssenc != NULL &&
+ strcmp(authmethodhostgssenc, "trust") == 0) ||
+ (authmethodhostnogssenc != NULL &&
+ strcmp(authmethodhostnogssenc, "trust")) == 0);
+
conflines = replace_token(conflines,
"@authcomment@",
- (strcmp(authmethodlocal, "trust") == 0 || strcmp(authmethodhost, "trust") == 0) ? AUTHTRUST_WARNING : "");
+ authwarning ? AUTHTRUST_WARNING : "");
+
+ if (authmethodhostssl != NULL)
+ {
+ conflines = replace_token(conflines,
+ "# hostssl all all 0.0.0.0/0 @authmethodhostssl@",
+ "hostssl all all 0.0.0.0/0 @authmethodhostssl@");
+#ifdef HAVE_IPV6
+ conflines = replace_token(conflines,
+ "# hostssl all all ::/0 @authmethodhostssl@",
+ "hostssl all all ::/0 @authmethodhostssl@");
+#endif
+ conflines = replace_token(conflines,
+ "@authmethodhostssl@",
+ authmethodhostssl);
+ }
+ else
+ {
+ conflines = filter_lines_with_token(conflines, "@authmethodhostssl@");
+ }
+
+ if (authmethodhostnossl != NULL)
+ {
+ conflines = replace_token(conflines,
+ "# hostnossl all all 0.0.0.0/0 @authmethodhostnossl@",
+ "hostnossl all all 0.0.0.0/0 @authmethodhostnossl@");
+#ifdef HAVE_IPV6
+ conflines = replace_token(conflines,
+ "# hostnossl all all ::/0 @authmethodhostnossl@",
+ "hostnossl all all ::/0 @authmethodhostnossl@");
+#endif
+ conflines = replace_token(conflines,
+ "@authmethodhostnossl@",
+ authmethodhostnossl);
+ }
+ else
+ {
+ conflines = filter_lines_with_token(conflines, "@authmethodhostnossl@");
+ }
+
+ if (authmethodhostgssenc != NULL)
+ {
+ conflines = replace_token(conflines,
+ "# hostgssenc all all 0.0.0.0/0 @authmethodhostgssenc@",
+ "hostgssenc all all 0.0.0.0/0 @authmethodhostgssenc@");
+#ifdef HAVE_IPV6
+ conflines = replace_token(conflines,
+ "# hostgssenc all all ::/0 @authmethodhostgssenc@",
+ "hostgssenc all all ::/0 @authmethodhostgssenc@");
+#endif
+ conflines = replace_token(conflines,
+ "@authmethodhostgssenc@",
+ authmethodhostgssenc);
+ }
+ else
+ {
+ conflines = filter_lines_with_token(conflines, "@authmethodhostgssenc@");
+ }
+
+ if (authmethodhostnogssenc != NULL)
+ {
+ conflines = replace_token(conflines,
+ "# hostnogssenc all all 0.0.0.0/0 @authmethodhostnogssenc@",
+ "hostnogssenc all all 0.0.0.0/0 @authmethodhostnogssenc@");
+#ifdef HAVE_IPV6
+ conflines = replace_token(conflines,
+ "# hostnogssenc all all ::/0 @authmethodhostnogssenc@",
+ "hostnogssenc all all ::/0 @authmethodhostnogssenc@");
+#endif
+ conflines = replace_token(conflines,
+ "@authmethodhostnogssenc@",
+ authmethodhostnogssenc);
+ }
+ else
+ {
+ conflines = filter_lines_with_token(conflines, "@authmethodhostnogssenc@");
+ }
snprintf(path, sizeof(path), "%s/pg_hba.conf", pg_data);
@@ -2269,36 +2359,40 @@ usage(const char *progname)
printf(_("Usage:\n"));
printf(_(" %s [OPTION]... [DATADIR]\n"), progname);
printf(_("\nOptions:\n"));
- printf(_(" -A, --auth=METHOD default authentication method for local connections\n"));
- printf(_(" --auth-host=METHOD default authentication method for local TCP/IP connections\n"));
- printf(_(" --auth-local=METHOD default authentication method for local-socket connections\n"));
- printf(_(" [-D, --pgdata=]DATADIR location for this database cluster\n"));
- printf(_(" -E, --encoding=ENCODING set default encoding for new databases\n"));
- printf(_(" -g, --allow-group-access allow group read/execute on data directory\n"));
- printf(_(" --locale=LOCALE set default locale for new databases\n"));
+ printf(_(" -A, --auth=METHOD default authentication method for local connections\n"));
+ printf(_(" --auth-host=METHOD default authentication method for local TCP/IP connections\n"));
+ printf(_(" --auth-local=METHOD default authentication method for local-socket connections\n"));
+ printf(_(" --auth-hostssl=METHOD default authentication method for TLS connections\n"));
+ printf(_(" --auth-hostnossl=METHOD default authentication method for non-TLS connections\n"));
+ printf(_(" --auth-hostgssenc=METHOD default authentication method for encrypted GSSAPI connections\n"));
+ printf(_(" --auth-hostnogssenc=METHOD default authentication method for connections not using encrypted GSSAPI\n"));
+ printf(_(" [-D, --pgdata=]DATADIR location for this database cluster\n"));
+ printf(_(" -E, --encoding=ENCODING set default encoding for new databases\n"));
+ printf(_(" -g, --allow-group-access allow group read/execute on data directory\n"));
+ printf(_(" --locale=LOCALE set default locale for new databases\n"));
printf(_(" --lc-collate=, --lc-ctype=, --lc-messages=LOCALE\n"
" --lc-monetary=, --lc-numeric=, --lc-time=LOCALE\n"
- " set default locale in the respective category for\n"
- " new databases (default taken from environment)\n"));
- printf(_(" --no-locale equivalent to --locale=C\n"));
- printf(_(" --pwfile=FILE read password for the new superuser from file\n"));
+ " set default locale in the respective category for\n"
+ " new databases (default taken from environment)\n"));
+ printf(_(" --no-locale equivalent to --locale=C\n"));
+ printf(_(" --pwfile=FILE read password for the new superuser from file\n"));
printf(_(" -T, --text-search-config=CFG\n"
- " default text search configuration\n"));
- printf(_(" -U, --username=NAME database superuser name\n"));
- printf(_(" -W, --pwprompt prompt for a password for the new superuser\n"));
- printf(_(" -X, --waldir=WALDIR location for the write-ahead log directory\n"));
- printf(_(" --wal-segsize=SIZE size of WAL segments, in megabytes\n"));
+ " default text search configuration\n"));
+ printf(_(" -U, --username=NAME database superuser name\n"));
+ printf(_(" -W, --pwprompt prompt for a password for the new superuser\n"));
+ printf(_(" -X, --waldir=WALDIR location for the write-ahead log directory\n"));
+ printf(_(" --wal-segsize=SIZE size of WAL segments, in megabytes\n"));
printf(_("\nLess commonly used options:\n"));
- printf(_(" -d, --debug generate lots of debugging output\n"));
- printf(_(" -k, --data-checksums use data page checksums\n"));
- printf(_(" -L DIRECTORY where to find the input files\n"));
- printf(_(" -n, --no-clean do not clean up after errors\n"));
- printf(_(" -N, --no-sync do not wait for changes to be written safely to disk\n"));
- printf(_(" -s, --show show internal settings\n"));
- printf(_(" -S, --sync-only only sync data directory\n"));
+ printf(_(" -d, --debug generate lots of debugging output\n"));
+ printf(_(" -k, --data-checksums use data page checksums\n"));
+ printf(_(" -L DIRECTORY where to find the input files\n"));
+ printf(_(" -n, --no-clean do not clean up after errors\n"));
+ printf(_(" -N, --no-sync do not wait for changes to be written safely to disk\n"));
+ printf(_(" -s, --show show internal settings\n"));
+ printf(_(" -S, --sync-only only sync data directory\n"));
printf(_("\nOther options:\n"));
- printf(_(" -V, --version output version information, then exit\n"));
- printf(_(" -?, --help show this help, then exit\n"));
+ printf(_(" -V, --version output version information, then exit\n"));
+ printf(_(" -?, --help show this help, then exit\n"));
printf(_("\nIf the data directory is not specified, the environment variable PGDATA\n"
"is used.\n"));
printf(_("\nReport bugs to <%s>.\n"), PACKAGE_BUGREPORT);
@@ -2944,6 +3038,10 @@ main(int argc, char *argv[])
{"auth", required_argument, NULL, 'A'},
{"auth-local", required_argument, NULL, 10},
{"auth-host", required_argument, NULL, 11},
+ {"auth-hostssl", required_argument, NULL, 13},
+ {"auth-hostnossl", required_argument, NULL, 14},
+ {"auth-hostgssenc", required_argument, NULL, 15},
+ {"auth-hostnogssenc", required_argument, NULL, 16},
{"pwprompt", no_argument, NULL, 'W'},
{"pwfile", required_argument, NULL, 9},
{"username", required_argument, NULL, 'U'},
@@ -3024,6 +3122,18 @@ main(int argc, char *argv[])
case 11:
authmethodhost = pg_strdup(optarg);
break;
+ case 13:
+ authmethodhostssl = pg_strdup(optarg);
+ break;
+ case 14:
+ authmethodhostnossl = pg_strdup(optarg);
+ break;
+ case 15:
+ authmethodhostgssenc = pg_strdup(optarg);
+ break;
+ case 16:
+ authmethodhostnogssenc = pg_strdup(optarg);
+ break;
case 'D':
pg_data = pg_strdup(optarg);
break;
@@ -3158,6 +3268,14 @@ main(int argc, char *argv[])
check_authmethod_valid(authmethodlocal, auth_methods_local, "local");
check_authmethod_valid(authmethodhost, auth_methods_host, "host");
+ if (authmethodhostssl != NULL)
+ check_authmethod_valid(authmethodhostssl, auth_methods_host, "hostssl");
+ if (authmethodhostnossl != NULL)
+ check_authmethod_valid(authmethodhostnossl, auth_methods_host, "hostnossl");
+ if (authmethodhostgssenc != NULL)
+ check_authmethod_valid(authmethodhostgssenc, auth_methods_host, "hostgssenc");
+ if (authmethodhostnogssenc != NULL)
+ check_authmethod_valid(authmethodhostnogssenc, auth_methods_host, "hostnogssenc");
check_need_password(authmethodlocal, authmethodhost);
@@ -3240,9 +3358,9 @@ main(int argc, char *argv[])
if (authwarning)
{
printf("\n");
- pg_log_warning("enabling \"trust\" authentication for local connections");
+ pg_log_warning("enabling \"trust\" authentication");
fprintf(stderr, _("You can change this by editing pg_hba.conf or using the option -A, or\n"
- "--auth-local and --auth-host, the next time you run initdb.\n"));
+ "the various options that start with --auth, the next time you run initdb.\n"));
}
/*
--------------2.29.2--
