From eb9866fa7e8a1057466b641f7079dc87832a7a47 Mon Sep 17 00:00:00 2001 From: Diego Date: Mon, 29 Jun 2026 13:53:37 -0300 Subject: [PATCH v1] libpq: add passfileport to decouple the .pgpass lookup port libpq looks up passwords in .pgpass using the connection's host and port as part of the key. When a client connects through an SSH tunnel, or through a connection pooler that listens on a different local port, the port libpq actually connects to is not the real server's port, so the .pgpass lookup is done against the local/tunnel port and fails to match entries written for the real server. libpq already decouples the *host* used for the lookup from the network endpoint: hostaddr is the address actually connected to, while host remains the logical name used for the .pgpass lookup and for TLS verification (the pwhost logic, from the 2018 thread "Bizarre behavior in libpq's searching of ~/.pgpass"). The port had no equivalent. This adds a connection parameter, passfileport (environment variable PGPASSFILEPORT), specifying the port used as the .pgpass lookup key, independently of the port libpq connects to. When it is not set, behavior is unchanged: the lookup uses the connection port exactly as before. The value is split per-host like port, and applied at the passwordFromFile() call site analogously to pwhost (pwport). Documentation and a TAP test (008_passfileport) are included. Discussion: https://www.postgresql.org/message-id/flat/001a6f1d-4adb-42b2-8bf6-44154ed0ab97%40gmail.com --- doc/src/sgml/libpq.sgml | 43 +++++++++ src/interfaces/libpq/fe-connect.c | 58 +++++++++++- src/interfaces/libpq/libpq-int.h | 6 ++ src/test/authentication/meson.build | 1 + src/test/authentication/t/008_passfileport.pl | 94 +++++++++++++++++++ 5 files changed, 200 insertions(+), 2 deletions(-) create mode 100644 src/test/authentication/t/008_passfileport.pl diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 7d3c3bb66d8..6a139432f7a 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1296,6 +1296,34 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname + + passfileport + + + Specifies the port number to use as the lookup key in the password + file (see ), instead of the port given + by the parameter. This is useful + when the port actually connected to is not the port of the target + server, for example when connecting through an SSH tunnel or a + connection pooler that listens on a different local port: the + connection still uses port, while the password-file + lookup uses passfileport, so an entry written for + the real server port keeps matching. This mirrors the way + and + already separate the + password-file lookup key from the address actually connected to. + + + As with port, a comma-separated list of port + numbers may be given, in which case it must have either exactly one + element (applied to all hosts) or the same number of elements as the + host list. When this parameter is empty or not specified, the + connection port is used for the lookup, which is the historical + behavior. + + + + require_auth @@ -9152,6 +9180,16 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) + + + + PGPASSFILEPORT + + PGPASSFILEPORT behaves the same as the connection parameter. + + + @@ -9580,6 +9618,11 @@ myEventProc(PGEventId evtId, void *evtInfo, void *passThrough) the connection is a Unix-domain socket connection and the host parameter matches libpq's default socket directory path. + The port field is matched to the port connection + parameter, or to the passfileport parameter if that is + specified; the latter is useful when the connection is made through an SSH + tunnel or a pooler on a different port, so that the entry can still be + written for the real server port. In a standby server, a database field of replication matches streaming replication connections made to the primary server. The database field is of limited usefulness otherwise, because users have diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 38422becc48..a065734e415 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -219,6 +219,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "Database-Password-File", "", 64, offsetof(struct pg_conn, pgpassfile)}, + {"passfileport", "PGPASSFILEPORT", NULL, NULL, + "Database-Password-File-Port", "", 6, + offsetof(struct pg_conn, passfileport)}, + {"channel_binding", "PGCHANNELBINDING", DefaultChannelBinding, NULL, "Channel-Binding", "", 8, /* sizeof("require") == 8 */ offsetof(struct pg_conn, channel_binding)}, @@ -1402,6 +1406,46 @@ pqConnectOptions2(PGconn *conn) } } + /* + * If a separate port for the password-file lookup was given, work out the + * value corresponding to each host name, exactly as for the connection + * port above. When not given, connhost[i].passfileport stays NULL and the + * lookup falls back to the connection port. + */ + if (conn->passfileport != NULL && conn->passfileport[0] != '\0') + { + char *s = conn->passfileport; + bool more = true; + + for (i = 0; i < conn->nconnhost && more; i++) + { + conn->connhost[i].passfileport = parse_comma_separated_list(&s, &more); + if (conn->connhost[i].passfileport == NULL) + goto oom_error; + } + + /* + * If exactly one port was given, use it for every host. Otherwise, + * there must be exactly as many ports as there were hosts. + */ + if (i == 1 && !more) + { + for (i = 1; i < conn->nconnhost; i++) + { + conn->connhost[i].passfileport = strdup(conn->connhost[0].passfileport); + if (conn->connhost[i].passfileport == NULL) + goto oom_error; + } + } + else if (more || i != conn->nconnhost) + { + conn->status = CONNECTION_BAD; + libpq_append_conn_error(conn, "could not match %d password file port numbers to %d hosts", + count_comma_separated_elems(conn->passfileport), conn->nconnhost); + return false; + } + } + /* * If user name was not given, fetch it. (Most likely, the fetch will * fail, since the only way we get here is if pg_fe_getauthname() failed @@ -1458,17 +1502,25 @@ pqConnectOptions2(PGconn *conn) /* * Try to get a password for this host from file. We use host * for the hostname search key if given, else hostaddr (at - * least one of them is guaranteed nonempty by now). + * least one of them is guaranteed nonempty by now). For the + * port search key we use passfileport if given, else the + * connection port; this lets the lookup match the real server + * port even when the connection goes through an SSH tunnel or a + * pooler listening on a different port. */ const char *pwhost = conn->connhost[i].host; + const char *pwport = conn->connhost[i].passfileport; const char *password_errmsg = NULL; if (pwhost == NULL || pwhost[0] == '\0') pwhost = conn->connhost[i].hostaddr; + if (pwport == NULL || pwport[0] == '\0') + pwport = conn->connhost[i].port; + conn->connhost[i].password = passwordFromFile(pwhost, - conn->connhost[i].port, + pwport, conn->dbName, conn->pguser, conn->pgpassfile, @@ -5122,6 +5174,7 @@ freePGconn(PGconn *conn) free(conn->pgpass); } free(conn->pgpassfile); + free(conn->passfileport); free(conn->channel_binding); free(conn->keepalives); free(conn->keepalives_idle); @@ -5196,6 +5249,7 @@ pqReleaseConnHosts(PGconn *conn) free(conn->connhost[i].host); free(conn->connhost[i].hostaddr); free(conn->connhost[i].port); + free(conn->connhost[i].passfileport); if (conn->connhost[i].password != NULL) { explicit_bzero(conn->connhost[i].password, diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index 461b39620c3..990d254b519 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -361,6 +361,9 @@ typedef struct pg_conn_host char *hostaddr; /* host numeric IP address */ char *port; /* port number (if NULL or empty, use * DEF_PGPORT[_STR]) */ + char *passfileport; /* port to use as the lookup key in the + * password file for this host; if NULL or + * empty, the connection port is used */ char *password; /* password for this host, read from the * password file; NULL if not sought or not * found in password file. */ @@ -397,6 +400,9 @@ struct pg_conn char *pguser; /* Postgres username and password, if any */ char *pgpass; char *pgpassfile; /* path to a file containing password(s) */ + char *passfileport; /* port to use as the lookup key in the + * password file, instead of the connection + * port; or a comma-separated list of same */ char *channel_binding; /* channel binding mode * (require,prefer,disable) */ char *keepalives; /* use TCP keepalives? */ diff --git a/src/test/authentication/meson.build b/src/test/authentication/meson.build index 282a5054e2c..54aecdd8abb 100644 --- a/src/test/authentication/meson.build +++ b/src/test/authentication/meson.build @@ -16,6 +16,7 @@ tests += { 't/005_sspi.pl', 't/006_login_trigger.pl', 't/007_pre_auth.pl', + 't/008_passfileport.pl', ], }, } diff --git a/src/test/authentication/t/008_passfileport.pl b/src/test/authentication/t/008_passfileport.pl new file mode 100644 index 00000000000..92d754c453e --- /dev/null +++ b/src/test/authentication/t/008_passfileport.pl @@ -0,0 +1,94 @@ + +# Copyright (c) 2024-2026, PostgreSQL Global Development Group + +# Tests for the passfileport connection parameter, which sets the port used as +# the lookup key in the password file independently of the connection port. +# This is what lets a .pgpass entry written for the real server port keep +# matching when the connection is made through an SSH tunnel or a pooler that +# listens on a different port. +# +# The connection is made on the cluster's real port, but the .pgpass entry is +# written under a different (bogus) port. Without passfileport the lookup uses +# the connection port and finds nothing; with passfileport set to the bogus +# port the lookup matches. This test can only run with Unix-domain sockets. + +use strict; +use warnings FATAL => 'all'; +use PostgreSQL::Test::Cluster; +use PostgreSQL::Test::Utils; +use Test::More; + +if (!$use_unix_sockets) +{ + plan skip_all => + "authentication tests cannot run without Unix-domain sockets"; +} + +my $node = PostgreSQL::Test::Cluster->new('main'); +$node->init; +$node->start; + +my $role = 'passfileport_user'; +my $password = 'secret_pw'; + +$node->safe_psql('postgres', "CREATE ROLE $role LOGIN PASSWORD '$password'"); + +# Require a password (SCRAM) for this role; everything else stays trust so the +# rest of the test can keep administering the cluster. +unlink($node->data_dir . '/pg_hba.conf'); +$node->append_conf('pg_hba.conf', "local postgres $role scram-sha-256"); +$node->append_conf('pg_hba.conf', "local all all trust"); +$node->reload; + +# A port that is deliberately different from the real connection port. +my $bogus_port = '1'; + +# Write the password file entry under the bogus port, with a wildcard host so +# the Unix-domain socket path does not have to be matched. +my $pgpassfile = $node->basedir . '/pgpass'; +open(my $fh, '>', $pgpassfile) or die "could not open $pgpassfile: $!"; +print $fh "*:$bogus_port:postgres:$role:$password\n"; +close($fh); +chmod(0600, $pgpassfile) or die "could not chmod $pgpassfile: $!"; + +local $ENV{PGPASSFILE} = $pgpassfile; +delete local $ENV{PGPASSWORD}; +delete local $ENV{PGPASSFILEPORT}; + +my $connstr = $node->connstr('postgres') . " user=$role"; + +# Without passfileport, the entry written under the bogus port does not match +# the real connection port, so no password is found. +$node->connect_fails( + $connstr, + 'without passfileport the .pgpass entry under another port does not match', + expected_stderr => qr/no password supplied/); + +# With passfileport pointing at the entry's port, the lookup matches and the +# connection authenticates. +$node->connect_ok( + "$connstr passfileport=$bogus_port", + 'passfileport makes the .pgpass lookup use the given port'); + +# Same behavior through the PGPASSFILEPORT environment variable. +{ + local $ENV{PGPASSFILEPORT} = $bogus_port; + $node->connect_ok($connstr, + 'PGPASSFILEPORT environment variable makes the lookup use the given port' + ); +} + +# A passfileport with no matching entry still fails. +$node->connect_fails( + "$connstr passfileport=2", + 'passfileport with no matching .pgpass entry fails', + expected_stderr => qr/no password supplied/); + +# More passfileport values than hosts is rejected when the options are parsed. +$node->connect_fails( + "$connstr passfileport=$bogus_port,2", + 'more passfileport values than hosts is rejected', + expected_stderr => + qr/could not match \d+ password file port numbers to \d+ hosts/); + +done_testing(); base-commit: 56f2b0b5334df68b16964d4f9a0cbe9dae913227 -- 2.43.0