Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Suivre 1
Ajouter aux favoris 0
Wiki 捐赠
gooderp18绿色标准版
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
Aborescence: 0f75e31513
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '0f75e31513'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/auth-password.html

80 lignes
7.8KB
Brut Annotations Historique 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.5. Password Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="auth-trust.html" title="20.4. Trust Authentication" /><link rel="next" href="gssapi-auth.html" title="20.6. GSSAPI Authentication" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.5. Password Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-trust.html" title="20.4. Trust Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="gssapi-auth.html" title="20.6. GSSAPI Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="AUTH-PASSWORD"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.5. Password Authentication</h2></div></div></div><a id="id-1.6.7.12.2" class="indexterm"></a><a id="id-1.6.7.12.3" class="indexterm"></a><a id="id-1.6.7.12.4" class="indexterm"></a><p>

  3.     There are several password-based authentication methods.  These methods

  4.     operate similarly but differ in how the users' passwords are stored on the

  5.     server and how the password provided by a client is sent across the

  6.     connection.

  7.    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">scram-sha-256</code></span></dt><dd><p>

  8.        The method <code class="literal">scram-sha-256</code> performs SCRAM-SHA-256

  9.        authentication, as described in

  10.        <a class="ulink" href="https://tools.ietf.org/html/rfc7677" target="_top">RFC 7677</a>.  It

  11.        is a challenge-response scheme that prevents password sniffing on

  12.        untrusted connections and supports storing passwords on the server in a

  13.        cryptographically hashed form that is thought to be secure.

  14.       </p><p>

  15.        This is the most secure of the currently provided methods, but it is

  16.        not supported by older client libraries.

  17.       </p></dd><dt><span class="term"><code class="literal">md5</code></span></dt><dd><p>

  18.        The method <code class="literal">md5</code> uses a custom less secure challenge-response

  19.        mechanism.  It prevents password sniffing and avoids storing passwords

  20.        on the server in plain text but provides no protection if an attacker

  21.        manages to steal the password hash from the server.  Also, the MD5 hash

  22.        algorithm is nowadays no longer considered secure against determined

  23.        attacks.

  24.       </p><p>

  25.        The <code class="literal">md5</code> method cannot be used with

  26.        the <a class="xref" href="runtime-config-connection.html#GUC-DB-USER-NAMESPACE">db_user_namespace</a> feature.

  27.       </p><p>

  28.        To ease transition from the <code class="literal">md5</code> method to the newer

  29.        SCRAM method, if <code class="literal">md5</code> is specified as a method

  30.        in <code class="filename">pg_hba.conf</code> but the user's password on the

  31.        server is encrypted for SCRAM (see below), then SCRAM-based

  32.        authentication will automatically be chosen instead.

  33.       </p></dd><dt><span class="term"><code class="literal">password</code></span></dt><dd><p>

  34.        The method <code class="literal">password</code> sends the password in clear-text and is

  35.        therefore vulnerable to password <span class="quote">“<span class="quote">sniffing</span>”</span> attacks. It should

  36.        always be avoided if possible. If the connection is protected by SSL

  37.        encryption then <code class="literal">password</code> can be used safely, though.

  38.        (Though SSL certificate authentication might be a better choice if one

  39.        is depending on using SSL).

  40.       </p></dd></dl></div><p>

  41.     <span class="productname">PostgreSQL</span> database passwords are

  42.     separate from operating system user passwords. The password for

  43.     each database user is stored in the <code class="literal">pg_authid</code> system

  44.     catalog. Passwords can be managed with the SQL commands

  45.     <a class="xref" href="sql-createrole.html" title="CREATE ROLE"><span class="refentrytitle">CREATE ROLE</span></a> and

  46.     <a class="xref" href="sql-alterrole.html" title="ALTER ROLE"><span class="refentrytitle">ALTER ROLE</span></a>,

  47.     e.g., <strong class="userinput"><code>CREATE ROLE foo WITH LOGIN PASSWORD 'secret'</code></strong>,

  48.     or the <span class="application">psql</span>

  49.     command <code class="literal">\password</code>.

  50.     If no password has been set up for a user, the stored password

  51.     is null and password authentication will always fail for that user.

  52.    </p><p>

  53.     The availability of the different password-based authentication methods

  54.     depends on how a user's password on the server is encrypted (or hashed,

  55.     more accurately).  This is controlled by the configuration

  56.     parameter <a class="xref" href="runtime-config-connection.html#GUC-PASSWORD-ENCRYPTION">password_encryption</a> at the time the

  57.     password is set.  If a password was encrypted using

  58.     the <code class="literal">scram-sha-256</code> setting, then it can be used for the

  59.     authentication methods <code class="literal">scram-sha-256</code>

  60.     and <code class="literal">password</code> (but password transmission will be in

  61.     plain text in the latter case).  The authentication method

  62.     specification <code class="literal">md5</code> will automatically switch to using

  63.     the <code class="literal">scram-sha-256</code> method in this case, as explained

  64.     above, so it will also work.  If a password was encrypted using

  65.     the <code class="literal">md5</code> setting, then it can be used only for

  66.     the <code class="literal">md5</code> and <code class="literal">password</code> authentication

  67.     method specifications (again, with the password transmitted in plain text

  68.     in the latter case).  (Previous PostgreSQL releases supported storing the

  69.     password on the server in plain text.  This is no longer possible.)  To

  70.     check the currently stored password hashes, see the system

  71.     catalog <code class="literal">pg_authid</code>.

  72.    </p><p>

  73.     To upgrade an existing installation from <code class="literal">md5</code>

  74.     to <code class="literal">scram-sha-256</code>, after having ensured that all client

  75.     libraries in use are new enough to support SCRAM,

  76.     set <code class="literal">password_encryption = 'scram-sha-256'</code>

  77.     in <code class="filename">postgresql.conf</code>, make all users set new passwords,

  78.     and change the authentication method specifications

  79.     in <code class="filename">pg_hba.conf</code> to <code class="literal">scram-sha-256</code>.

  80.    </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-trust.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="gssapi-auth.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.4. Trust Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 20.6. GSSAPI Authentication</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1