Re: Proposal: BSD Authentication support

From: Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>
To: Marisa Emerson <mje(at)insec(dot)sh>
Cc: David Steele <david(at)pgmasters(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Proposal: BSD Authentication support
Date: 2016-03-17 17:57:27
Message-ID: CAEepm=3gDiZEqATKt5QbAob-EW7gGN4cxLvP0tmu60utmjCPdg@mail.gmail.com
Lists: pgsql-hackers

On Fri, Mar 18, 2016 at 2:58 AM, Marisa Emerson <mje(at)insec(dot)sh> wrote:
>
>>Our usual wording is "the PostgreSQL user account". Perhaps we should
>>be more explicit about the fact that membership of this Unix group is
>>needed on *OpenBSD*, since other current or future BSD forks could
>>vary. I see that the specific reason this is needed on this OpenBSD
>>5.8 box is so that it can fork/exec the setuid login_XXX binaries that
>>live under /usr/libexec/auth.
>
> The BSD Authentication framework currently only exists on OpenBSD. I've added some explicit documentation that this mechanism is currently only supported on OpenBSD and I've tried to be a bit more explicit about the auth group as suggested by Peter.
>
>>auth_userokay is called with a type of "pg-auth". I noticed from
>>looking at man page and source of some other applications that the
>>convention is usually a hardcoded string like "auth-myserver",
>>"auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
>>we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
>>here? And as Peter E already said, that string should probably be
>>documented: it looks a bit like it is useful for allowing the
>>available authentication styles to be restricted or defaulted
>>specifically for PostgreSQL in login.conf based on that string.
>>(Though when I tried to set that up, it seemed to ignore my
>>possibly-incorrectly-specified rule asking it to use "reject" so I may
>>have misunderstood.)
>
> This is correct, although so far I've only tested using the default login class. The attached patch includes some more explicit documentation about this string.

You used one name in the docs and another in the code:

+ BSD Authentication on PostgreSQL uses the <literal>auth-postgres</literal>
+ login type and authenticates with the <literal>postgres</literal> login

+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);
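Review bot: the type string passed here, "auth-postgresql", does not match the docs fragment above, which documents auth-postgres; since the thread notes that login.conf rules restricting or defaulting styles for PostgreSQL are keyed on this string, the two must be identical or any such rule will silently not apply. Pick one spelling and use it in both places, ideally via a single named constant in the source. Separately, with the style argument hard-coded to NULL, a user name of the form name:style selects the style from the client side unless the name is checked before this call.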

>>The style argument is hard coded as NULL, as I see is the case in some
>>other applications. From the man page: "If style is not NULL, it
>>specifies the desired style of authentication to be used. If it is
>>NULL then the default style for the user is used. In this case, name
>>may include the desired style by appending it to the user's name with
>>a single colon (‘:’) as a separator." I wonder if such
>>user-controllable styles are OK (though I guess would require username
>>mapping to strip them off if we do want that as a feature). I wonder
>>if it should be possible to provide the style argument that we pass to
>>auth_userokay explicitly in pg_hba.conf, so that the DBA could
>>explicitly say BSD auth with style=radius.
>
> I've so far only tested passwd authentication. I'd be interested to test some of the other authentication styles, I think this would be a useful feature.

Agreed.

It looks like this is still very useful with the default, and maybe
adding support for specifying the auth style in pg_hba.conf could be a
follow-up patch if anyone is interested in writing that.

Except for the string mismatch above I would personally say this is
ready for a committer to look at. Since Stas Kelvich also signed up
as a reviewer I'll give it a few days to see if he has feedback before
updating the commitfest status.

--
Thomas Munro
http://www.enterprisedb.com
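The style concern raised above (style passed as NULL lets a "name:style" suffix pick the authentication style) can be handled before the library call. This is an added illustration, not code from the patch; it assumes a hypothetical pg_hba.conf option that supplies a DBA-chosen style string, and it only calls auth_userokay(3) when built on OpenBSD.

```c
#include <stddef.h>
#include <string.h>
#ifdef __OpenBSD__
#include <bsd_auth.h>          /* auth_userokay(3); OpenBSD only */
#endif

/* One definition of the BSD Auth "type", so docs and code cannot drift apart.
 * The spelling is an assumption; the thread has not settled on one yet. */
#define PG_BSD_AUTH_TYPE "auth-postgresql"

/* With style == NULL, auth_userokay(3) honours a "name:style" suffix in the
 * user name, i.e. the client would choose the style. Refuse such names so the
 * style is always the login-class default or the one the DBA configured. */
int bsd_auth_name_ok(const char *user)
{
    if (user == NULL || *user == '\0')
        return 0;
    return strchr(user, ':') == NULL;
}

/* configured_style: value of a hypothetical pg_hba.conf "style=..." option,
 * or NULL/empty for the login-class default.
 * Returns 1 if authenticated, 0 if rejected, -1 if the configuration is
 * invalid or BSD Authentication is not available on this platform.
 * passwd is a writable buffer because auth_userokay(3) takes a char *. */
int bsd_auth_check(const char *user, const char *configured_style, char *passwd)
{
    char *style = NULL;

    if (!bsd_auth_name_ok(user))
        return 0;                           /* reject before touching BSD Auth */
    if (configured_style != NULL && *configured_style != '\0') {
        if (strchr(configured_style, ':') != NULL)
            return -1;                      /* a style may not carry a colon */
        style = (char *)configured_style;   /* explicit style wins over default */
    }
#ifdef __OpenBSD__
    return auth_userokay((char *)user, style, PG_BSD_AUTH_TYPE, passwd) ? 1 : 0;
#else
    (void)style;
    (void)passwd;
    return -1;                              /* no BSD Auth framework here */
#endif
}
```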
