Re: Proposal: BSD Authentication support

From: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To: David Steele <david(at)pgmasters(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Marisa Emerson <mje(at)insec(dot)sh>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Proposal: BSD Authentication support
Date: 2016-03-15 06:51:38
Message-ID: CAEepm=2rKMsGsoXnnRTDerdJ_ePqO_DbVN5ePzCk5HhJtTqNcw@mail.gmail.com
Lists: pgsql-hackers

On Sat, Mar 12, 2016 at 5:14 AM, David Steele <david(at)pgmasters(dot)net> wrote:
> On 1/14/16 11:22 PM, Robert Haas wrote:
>> On Tue, Jan 12, 2016 at 2:27 AM, Marisa Emerson <mje(at)insec(dot)sh> wrote:
>>> I've attached the latest version of this patch. I've fixed up an issue with
>>> the configuration scripts that I missed.
>> Looks reasonable on a quick read-through. Can anyone with access to a
>> BSD system review and test?
>
> Is anyone with access to/experience with BSD able to review and test
> this patch? Seems like it would make a great addition to 9.6.

(Disclaimer: I am not a regular OpenBSD user or a security expert.)
I tried this out on OpenBSD 5.8 and it works as described, using
default "passwd" style authentication.

+ <note>
+ <para>
+ To use BSD Authentication, the postgresql user must first be added
+ to the <literal>auth</literal> group.
+ </para>
+ </note>
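
Review bot: The note's "the postgresql user" is ambiguous between the operating system account that runs the server and a database role of that name, and only the former can belong to a Unix group. Suggest "the operating system user account that runs the PostgreSQL server". The note also gives no reason for the <literal>auth</literal> group requirement and does not say which platforms it applies to, so an administrator cannot judge what the extra group membership grants; one sentence covering both would help.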

Our usual wording is "the PostgreSQL user account". Perhaps we should
be more explicit about the fact that membership of this Unix group is
needed on *OpenBSD*, since other current or future BSD forks could
vary. I see that the specific reason this is needed on this OpenBSD
5.8 box is so that it can fork/exec the setuid login_XXX binaries that
live under /usr/libexec/auth.

auth_userokay is called with a type of "pg-auth". I noticed from
looking at the man page and source of some other applications that the
convention is usually a hardcoded string like "auth-myserver",
"auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
here? And as Peter E already said, that string should probably be
documented: it looks a bit like it is useful for allowing the
available authentication styles to be restricted or defaulted
specifically for PostgreSQL in login.conf based on that string.
(Though when I tried to set that up, it seemed to ignore my
possibly-incorrectly-specified rule asking it to use "reject" so I may
have misunderstood.)

The style argument is hard coded as NULL, as I see is the case in some
other applications. From the man page: "If style is not NULL, it
specifies the desired style of authentication to be used. If it is
NULL then the default style for the user is used. In this case, name
may include the desired style by appending it to the user's name with
a single colon (‘:’) as a separator." I wonder if such
user-controllable styles are OK (though I guess would require username
mapping to strip them off if we do want that as a feature). I wonder
if it should be possible to provide the style argument that we pass to
auth_userokay explicitly in pg_hba.conf, so that the DBA could
explicitly say BSD auth with style=radius.

I also tested on a system with no BSD auth support and configure
behaved sensibly with and without the new option ('error: header file
<bsd_auth.h> is required for BSD Authentication support'). I tried
configuring BSD auth in pg_hba.conf on a system built without the new
feature and it behaved sensibly ('invalid authentication method "bsd":
not supported by this build').

--
Thomas Munro
http://www.enterprisedb.com
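
The question raised in the message above about user-controllable styles, sketched as an added example that is not part of the original message or of the patch under review. `bsd_auth_policy`, `bsd_auth_prepare`, `bsd_auth_check` and the per-rule style setting are hypothetical; the `auth_userokay` arguments and the "pg-auth" type string are as the message describes them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical per-rule policy, e.g. from a pg_hba.conf option (an assumption:
 * the message only proposes such an option). */
struct bsd_auth_policy {
    const char *style;      /* fixed style such as "radius"; NULL = user's default */
    bool allow_name_style;  /* may the client pick a style with "name:style"? */
};

struct bsd_auth_args {
    const char *name;       /* first argument for auth_userokay() */
    const char *style;      /* second argument for auth_userokay() */
};

/* Decide what to pass to auth_userokay(). Returns false when the login must be
 * rejected before BSD Authentication is consulted at all. */
bool bsd_auth_prepare(const char *client_name, const struct bsd_auth_policy *p,
                      struct bsd_auth_args *out)
{
    if (client_name == NULL || client_name[0] == '\0')
        return false;
    /* With style == NULL the library parses "name:style" itself, so a colon
     * lets the client choose the style. Allow that only when the policy says
     * so; with a fixed style a colon is never expected, so reject it too. */
    if (strchr(client_name, ':') != NULL &&
        !(p->style == NULL && p->allow_name_style))
        return false;
    out->name = client_name;
    out->style = p->style;
    return true;
}

#ifdef __OpenBSD__
#include <sys/types.h>
#include <login_cap.h>
#include <bsd_auth.h>

/* Returns nonzero on successful authentication. "pg-auth" is the type string
 * the patch under review passes. */
int bsd_auth_check(const char *client_name, const struct bsd_auth_policy *p,
                   char *password)
{
    struct bsd_auth_args a;
    if (!bsd_auth_prepare(client_name, p, &a))
        return 0;
    return auth_userokay((char *)a.name, (char *)a.style, "pg-auth", password);
}
#endif
```

Rejecting every name that contains a colon is a policy choice made for this sketch; a deployment whose role names legitimately contain colons would need username mapping instead.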
