Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Watch 1
Star 0
Wiki 捐赠
gooderp18绿色标准版
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 0f75e31513
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0f75e31513'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/gssapi-auth.html

111 lines
10KB
Raw Blame History 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>20.6. GSSAPI Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="auth-password.html" title="20.5. Password Authentication" /><link rel="next" href="sspi-auth.html" title="20.7. SSPI Authentication" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">20.6. GSSAPI Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="auth-password.html" title="20.5. Password Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 20. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 20. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="sspi-auth.html" title="20.7. SSPI Authentication">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="GSSAPI-AUTH"><div class="titlepage"><div><div><h2 class="title" style="clear: both">20.6. GSSAPI Authentication</h2></div></div></div><a id="id-1.6.7.13.2" class="indexterm"></a><p>

  3.     <span class="productname">GSSAPI</span> is an industry-standard protocol

  4.     for secure authentication defined in RFC 2743.

  5. 

  6.     <span class="productname">PostgreSQL</span>

  7.     supports <span class="productname">GSSAPI</span> for use as either an encrypted,

  8.     authenticated layer, or for authentication only.

  9.     <span class="productname">GSSAPI</span> provides automatic authentication

  10.     (single sign-on) for systems that support it. The authentication itself is

  11.     secure.  If <span class="productname">GSSAPI</span> encryption

  12.     (see <code class="literal">hostgssenc</code>) or <acronym class="acronym">SSL</acronym> encryption are

  13.     used, the data sent along the database connection will be encrypted;

  14.     otherwise, it will not.

  15.    </p><p>

  16.     GSSAPI support has to be enabled when <span class="productname">PostgreSQL</span> is built;

  17.     see <a class="xref" href="installation.html" title="Chapter 16. Installation from Source Code">Chapter 16</a> for more information.

  18.    </p><p>

  19.     When <span class="productname">GSSAPI</span> uses

  20.     <span class="productname">Kerberos</span>, it uses a standard principal

  21.     in the format

  22.     <code class="literal"><em class="replaceable"><code>servicename</code></em>/<em class="replaceable"><code>hostname</code></em>@<em class="replaceable"><code>realm</code></em></code>.

  23.     The PostgreSQL server will accept any principal that is included in the keytab used by

  24.     the server, but care needs to be taken to specify the correct principal details when

  25.     making the connection from the client using the <code class="literal">krbsrvname</code> connection parameter. (See

  26.     also <a class="xref" href="libpq-connect.html#LIBPQ-PARAMKEYWORDS" title="33.1.2. Parameter Key Words">Section 33.1.2</a>.) The installation default can be

  27.     changed from the default <code class="literal">postgres</code> at build time using

  28.     <code class="literal">./configure --with-krb-srvnam=</code><em class="replaceable"><code>whatever</code></em>.

  29.     In most environments,

  30.     this parameter never needs to be changed.

  31.     Some Kerberos implementations might require a different service name,

  32.     such as Microsoft Active Directory which requires the service name

  33.     to be in upper case (<code class="literal">POSTGRES</code>).

  34.    </p><p>

  35.     <em class="replaceable"><code>hostname</code></em> is the fully qualified host name of the

  36.     server machine. The service principal's realm is the preferred realm

  37.     of the server machine.

  38.    </p><p>

  39.     Client principals can be mapped to different <span class="productname">PostgreSQL</span>

  40.     database user names with <code class="filename">pg_ident.conf</code>.  For example,

  41.     <code class="literal">pgusername@realm</code> could be mapped to just <code class="literal">pgusername</code>.

  42.     Alternatively, you can use the full <code class="literal">username@realm</code> principal as

  43.     the role name in <span class="productname">PostgreSQL</span> without any mapping.

  44.    </p><p>

  45.     <span class="productname">PostgreSQL</span> also supports a parameter to strip the realm from

  46.     the principal.  This method is supported for backwards compatibility and is

  47.     strongly discouraged as it is then impossible to distinguish different users

  48.     with the same user name but coming from different realms.  To enable this,

  49.     set <code class="literal">include_realm</code> to 0.  For simple single-realm

  50.     installations, doing that combined with setting the

  51.     <code class="literal">krb_realm</code> parameter (which checks that the principal's realm

  52.     matches exactly what is in the <code class="literal">krb_realm</code> parameter)

  53.     is still secure; but this is a

  54.     less capable approach compared to specifying an explicit mapping in

  55.     <code class="filename">pg_ident.conf</code>.

  56.    </p><p>

  57.     Make sure that your server keytab file is readable (and preferably

  58.     only readable, not writable) by the <span class="productname">PostgreSQL</span>

  59.     server account.  (See also <a class="xref" href="postgres-user.html" title="18.1. The PostgreSQL User Account">Section 18.1</a>.) The location

  60.     of the key file is specified by the <a class="xref" href="runtime-config-connection.html#GUC-KRB-SERVER-KEYFILE">krb_server_keyfile</a> configuration

  61.     parameter. The default is

  62.     <code class="filename">/usr/local/pgsql/etc/krb5.keytab</code> (or whatever

  63.     directory was specified as <code class="varname">sysconfdir</code> at build time).

  64.     For security reasons, it is recommended to use a separate keytab

  65.     just for the <span class="productname">PostgreSQL</span> server rather

  66.     than opening up permissions on the system keytab file.

  67.    </p><p>

  68.     The keytab file is generated by the Kerberos software; see the

  69.     Kerberos documentation for details. The following example is

  70.    for MIT-compatible Kerberos 5 implementations:

  71. </p><pre class="screen">

  72. <code class="prompt">kadmin% </code><strong class="userinput"><code>ank -randkey postgres/server.my.domain.org</code></strong>

  73. <code class="prompt">kadmin% </code><strong class="userinput"><code>ktadd -k krb5.keytab postgres/server.my.domain.org</code></strong>

  74. </pre><p>

  75.    </p><p>

  76.     When connecting to the database make sure you have a ticket for a

  77.     principal matching the requested database user name. For example, for

  78.     database user name <code class="literal">fred</code>, principal

  79.     <code class="literal">fred@EXAMPLE.COM</code> would be able to connect. To also allow

  80.     principal <code class="literal">fred/users.example.com@EXAMPLE.COM</code>, use a user name

  81.     map, as described in <a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a>.

  82.    </p><p>

  83.     The following configuration options are supported for <span class="productname">GSSAPI</span>:

  84.     </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">include_realm</code></span></dt><dd><p>

  85.         If set to 0, the realm name from the authenticated user principal is

  86.         stripped off before being passed through the user name mapping

  87.         (<a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a>). This is discouraged and is

  88.         primarily available for backwards compatibility, as it is not secure

  89.         in multi-realm environments unless <code class="literal">krb_realm</code> is

  90.         also used.  It is recommended to

  91.         leave <code class="literal">include_realm</code> set to the default (1) and to

  92.         provide an explicit mapping in <code class="filename">pg_ident.conf</code> to convert

  93.         principal names to <span class="productname">PostgreSQL</span> user names.

  94.        </p></dd><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>

  95.         Allows for mapping between system and database user names. See

  96.         <a class="xref" href="auth-username-maps.html" title="20.2. User Name Maps">Section 20.2</a> for details.  For a GSSAPI/Kerberos

  97.         principal, such as <code class="literal">username@EXAMPLE.COM</code> (or, less

  98.         commonly, <code class="literal">username/hostbased@EXAMPLE.COM</code>), the

  99.         user name used for mapping is

  100.         <code class="literal">username@EXAMPLE.COM</code> (or

  101.         <code class="literal">username/hostbased@EXAMPLE.COM</code>, respectively),

  102.         unless <code class="literal">include_realm</code> has been set to 0, in which case

  103.         <code class="literal">username</code> (or <code class="literal">username/hostbased</code>)

  104.         is what is seen as the system user name when mapping.

  105.        </p></dd><dt><span class="term"><code class="literal">krb_realm</code></span></dt><dd><p>

  106.         Sets the realm to match user principal names against. If this parameter

  107.         is set, only users of that realm will be accepted.  If it is not set,

  108.         users of any realm can connect, subject to whatever user name mapping

  109.         is done.

  110.        </p></dd></dl></div><p>

  111.    </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="auth-password.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sspi-auth.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">20.5. Password Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 20.7. SSPI Authentication</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1