<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.8. Ident Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="sspi-auth.html" title="20.7. SSPI Authentication" /><link rel="next" href="auth-peer.html" title="20.9. Peer Authentication" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.8. Ident Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sspi-auth.html" title="20.7. SSPI Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-peer.html" title="20.9. Peer Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="AUTH-IDENT"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.8. Ident Authentication</h2></div></div></div><a id="id-1.6.7.15.2" class="indexterm"></a><p>
The ident authentication method works by obtaining the client's
operating system user name from an ident server and using it as
the allowed database user name (with an optional user name mapping).
This is only supported on TCP/IP connections.
</p><div class="note"><h3 class="title">Note</h3><p>
When ident is specified for a local (non-TCP/IP) connection,
peer authentication (see <a class="xref" href="auth-peer.html" title="20.9. Peer Authentication">Section 20.9</a>) will be
used instead.
</p></div><p>
The following configuration options are supported for <span class="productname">ident</span>:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
Allows for mapping between system and database user names. See
<a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a> for details.
</p></dd></dl></div><p>
</p><p>
The <span class="quote">“<span class="quote">Identification Protocol</span>”</span> is described in
RFC 1413. Virtually every Unix-like
operating system ships with an ident server that listens on TCP
port 113 by default. The basic functionality of an ident server
is to answer questions like <span class="quote">“<span class="quote">What user initiated the
connection that goes out of your port <em class="replaceable"><code>X</code></em>
and connects to my port <em class="replaceable"><code>Y</code></em>?</span>”</span>.
Since <span class="productname">PostgreSQL</span> knows both <em class="replaceable"><code>X</code></em> and
<em class="replaceable"><code>Y</code></em> when a physical connection is established, it
can interrogate the ident server on the host of the connecting
client and can theoretically determine the operating system user
for any given connection.
</p><p>
The drawback of this procedure is that it depends on the integrity
of the client: if the client machine is untrusted or compromised,
an attacker could run just about any program on port 113 and
return any user name they choose. This authentication method is
therefore only appropriate for closed networks where each client
machine is under tight control and where the database and system
administrators operate in close contact. In other words, you must
trust the machine running the ident server.
Heed the warning:
</p><div class="blockquote"><table border="0" class="blockquote" style="width: 100%; cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
The Identification Protocol is not intended as an authorization
or access control protocol.
</p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">RFC 1413</span></td></tr></table></div><p>
</p><p>
Some ident servers have a nonstandard option that causes the returned
user name to be encrypted, using a key that only the originating
machine's administrator knows. This option <span class="emphasis"><em>must not</em></span> be
used when using the ident server with <span class="productname">PostgreSQL</span>,
since <span class="productname">PostgreSQL</span> does not have any way to decrypt the
returned string to determine the actual user name.
</p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sspi-auth.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-peer.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.7. SSPI Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 20.9. Peer Authentication</td></tr></table></div></body></html>
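
Added example, not part of the PostgreSQL documentation: a small audit of `pg_hba.conf` that applies the points above, reporting `local ... ident` rules (which fall back to peer authentication) and sizing the address range whose port 113 answers each TCP `ident` rule would trust. The sample file is constructed, the function names are hypothetical, and `max_hosts` with its severity labels is an assumed review threshold rather than a PostgreSQL setting.

```python
import ipaddress
import shlex

TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Constructed sample pg_hba.conf (not taken from the page).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS               METHOD
local   all       all                         ident
host    all       all   10.0.5.0/28           ident map=corp
host    all       all   0.0.0.0/0             ident
host    all       all   10.1.0.0 255.255.0.0  ident
host    app       app   192.168.1.0/24        scram-sha-256
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_ident(hba_text, max_hosts=256):
    """Return (line_no, severity, message) for each rule naming ident."""
    findings = []
    for no, raw in enumerate(hba_text.splitlines(), 1):
        f = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if len(f) < 4:
            continue
        if f[0] == "local":
            # ident on a non-TCP/IP rule is served by peer authentication.
            if f[3] == "ident":
                findings.append((no, "info", "local rule: peer authentication is used instead"))
            continue
        if f[0] not in TCP_TYPES or len(f) < 5:
            continue
        # The address is one CIDR/keyword/host-name field, or an IP plus a netmask field.
        m = 5 if len(f) > 5 and _is_ip(f[4]) else 4
        if f[m] != "ident":
            continue
        addr = f[3] + ("/" + f[4] if m == 5 else "")
        mapped = any(opt.startswith("map=") for opt in f[m + 1:])
        try:
            size = ipaddress.ip_network(addr, strict=False).num_addresses
        except ValueError:
            findings.append((no, "review", f"{addr}: not a literal network; check which hosts it covers"))
            continue
        sev = "high" if size > max_hosts else "review"
        findings.append((no, sev, f"{addr}: trusts port 113 on {size} address(es), map={'yes' if mapped else 'no'}"))
    return findings
```

Every `review` or `high` line names a set of client machines whose ident server the database will believe, so each one should correspond to hosts that are under the tight administrative control the section requires.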