gooderp18绿色标准版
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>52.3. SASL Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="protocol-flow.html" title="52.2. Message Flow" /><link rel="next" href="protocol-replication.html" title="52.4. Streaming Replication Protocol" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">52.3. SASL Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="protocol-flow.html" title="52.2. Message Flow">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="protocol.html" title="Chapter 52. Frontend/Backend Protocol">Up</a></td><th width="60%" align="center">Chapter 52. Frontend/Backend Protocol</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="protocol-replication.html" title="52.4. Streaming Replication Protocol">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="SASL-AUTHENTICATION"><div class="titlepage"><div><div><h2 class="title" style="clear: both">52.3. SASL Authentication</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="sasl-authentication.html#SASL-SCRAM-SHA-256">52.3.1. SCRAM-SHA-256 Authentication</a></span></dt></dl></div><p>
<em class="firstterm">SASL</em> is a framework for authentication in connection-oriented
protocols. At the moment, <span class="productname">PostgreSQL</span> implements two SASL
authentication mechanisms, SCRAM-SHA-256 and SCRAM-SHA-256-PLUS. More
might be added in the future. The steps below illustrate how SASL
authentication is performed in general, while the next subsection gives
more details on SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
</p><div class="procedure" id="id-1.10.5.8.3"><p class="title"><strong>SASL Authentication Message Flow</strong></p><ol class="procedure" type="1"><li class="step" id="SASL-AUTH-BEGIN"><p>
To begin a SASL authentication exchange, the server sends an
AuthenticationSASL message. It includes a list of SASL authentication
mechanisms that the server can accept, in the server's preferred order.
</p></li><li class="step" id="SASL-AUTH-INITIAL-RESPONSE"><p>
The client selects one of the supported mechanisms from the list, and sends
a SASLInitialResponse message to the server. The message includes the name
of the selected mechanism, and an optional Initial Client Response, if the
selected mechanism uses that.
</p></li><li class="step" id="SASL-AUTH-CONTINUE"><p>
One or more server-challenge and client-response message pairs will follow. Each
server-challenge is sent in an AuthenticationSASLContinue message, followed
by a response from the client in a SASLResponse message. The particulars of
the messages are mechanism-specific.
</p></li><li class="step" id="SASL-AUTH-END"><p>
Finally, when the authentication exchange is completed successfully, the
server sends an AuthenticationSASLFinal message, followed
immediately by an AuthenticationOk message. The AuthenticationSASLFinal
message contains additional server-to-client data, whose content is particular to the
selected authentication mechanism. If the authentication mechanism doesn't
use additional data that's sent at completion, the AuthenticationSASLFinal
message is not sent.
</p></li></ol></div><p>
On error, the server can abort the authentication at any stage, and send an
ErrorMessage.
</p><div class="sect2" id="SASL-SCRAM-SHA-256"><div class="titlepage"><div><div><h3 class="title">52.3.1. SCRAM-SHA-256 Authentication</h3></div></div></div><p>
The implemented SASL mechanisms at the moment
are <code class="literal">SCRAM-SHA-256</code> and its variant with channel
binding <code class="literal">SCRAM-SHA-256-PLUS</code>. They are described in
detail in RFC 7677 and RFC 5802.
</p><p>
When SCRAM-SHA-256 is used in PostgreSQL, the server will ignore the user name
that the client sends in the <code class="structname">client-first-message</code>. The user name
that was already sent in the startup message is used instead.
<span class="productname">PostgreSQL</span> supports multiple character encodings, while SCRAM
dictates UTF-8 to be used for the user name, so it might be impossible to
represent the PostgreSQL user name in UTF-8.
</p><p>
The SCRAM specification dictates that the password is also in UTF-8, and is
processed with the <em class="firstterm">SASLprep</em> algorithm.
<span class="productname">PostgreSQL</span>, however, does not require UTF-8 to be used for
the password. When a user's password is set, it is processed with SASLprep
as if it was in UTF-8, regardless of the actual encoding used. However, if
it is not a legal UTF-8 byte sequence, or it contains UTF-8 byte sequences
that are prohibited by the SASLprep algorithm, the raw password will be used
without SASLprep processing, instead of throwing an error. This allows the
password to be normalized when it is in UTF-8, but still allows a non-UTF-8
password to be used, and doesn't require the system to know which encoding
the password is in.
</p><p>
<em class="firstterm">Channel binding</em> is supported in PostgreSQL builds with
SSL support. The SASL mechanism name for SCRAM with channel binding is
<code class="literal">SCRAM-SHA-256-PLUS</code>. The channel binding type used by
PostgreSQL is <code class="literal">tls-server-end-point</code>.
</p><p>
In <acronym class="acronym">SCRAM</acronym> without channel binding, the server chooses
a random number that is transmitted to the client to be mixed with the
user-supplied password in the transmitted password hash. While this
prevents the password hash from being successfully retransmitted in
a later session, it does not prevent a fake server between the real
server and client from passing through the server's random value
and successfully authenticating.
</p><p>
<acronym class="acronym">SCRAM</acronym> with channel binding prevents such
man-in-the-middle attacks by mixing the signature of the server's
certificate into the transmitted password hash. While a fake server can
retransmit the real server's certificate, it doesn't have access to the
private key matching that certificate, and therefore cannot prove it is
the owner, causing SSL connection failure.
</p><div class="procedure" id="id-1.10.5.8.5.8"><p class="title"><strong>Example</strong></p><ol class="procedure" type="1"><li class="step" id="SCRAM-BEGIN"><p>
The server sends an AuthenticationSASL message. It includes a list of
SASL authentication mechanisms that the server can accept.
This will be <code class="literal">SCRAM-SHA-256-PLUS</code>
and <code class="literal">SCRAM-SHA-256</code> if the server is built with SSL
support, or else just the latter.
</p></li><li class="step" id="SCRAM-CLIENT-FIRST"><p>
The client responds by sending a SASLInitialResponse message, which
indicates the chosen mechanism, <code class="literal">SCRAM-SHA-256</code> or
<code class="literal">SCRAM-SHA-256-PLUS</code>. (A client is free to choose either
mechanism, but for better security it should choose the channel-binding
variant if it can support it.) In the Initial Client Response field, the
message contains the SCRAM <code class="structname">client-first-message</code>.
The <code class="structname">client-first-message</code> also contains the channel
binding type chosen by the client.
</p></li><li class="step" id="SCRAM-SERVER-FIRST"><p>
The server sends an AuthenticationSASLContinue message, with a SCRAM
<code class="structname">server-first-message</code> as the content.
</p></li><li class="step" id="SCRAM-CLIENT-FINAL"><p>
The client sends a SASLResponse message, with a SCRAM
<code class="structname">client-final-message</code> as the content.
</p></li><li class="step" id="SCRAM-SERVER-FINAL"><p>
The server sends an AuthenticationSASLFinal message, with the SCRAM
<code class="structname">server-final-message</code>, followed immediately by
an AuthenticationOk message.
</p></li></ol></div></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="protocol-flow.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="protocol.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="protocol-replication.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">52.2. Message Flow </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 52.4. Streaming Replication Protocol</td></tr></table></div></body></html>
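As an added worked example (not part of the PostgreSQL documentation or code base), the SCRAM-SHA-256-PLUS arithmetic behind the message flow above in Python: the verifier the server stores, the client's proof bound to the `tls-server-end-point` certificate hash, the server's check, and the `v=` server signature the client verifies from AuthenticationSASLFinal. Nonces, salt and certificate hashes are constructed, all function names are hypothetical, and `pg_prepare_password` approximates PostgreSQL's "SASLprep if valid UTF-8, else raw" rule with NFKC normalization only.

```python
import base64, hashlib, hmac, unicodedata

GS2 = b"p=tls-server-end-point,,"  # gs2 header: client requires this binding type

def pg_prepare_password(raw: bytes) -> bytes:
    # PostgreSQL's rule: prepare as if UTF-8, fall back to the raw bytes otherwise.
    # Simplification (assumption): NFKC only; real SASLprep also maps/prohibits code points.
    try:
        return unicodedata.normalize("NFKC", raw.decode("utf-8")).encode("utf-8")
    except UnicodeDecodeError:
        return raw

def _h(b): return hashlib.sha256(b).digest()
def _hmac(k, m): return hmac.new(k, m, hashlib.sha256).digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _salted(pw, salt, iters): return hashlib.pbkdf2_hmac("sha256", pg_prepare_password(pw), salt, iters)

def scram_verifier(password, salt, iters):
    # What the server stores at password-set time: (StoredKey, ServerKey).
    sp = _salted(password, salt, iters)
    return _h(_hmac(sp, b"Client Key")), _hmac(sp, b"Server Key")

def auth_message(cnonce, snonce, salt, iters, cert_hash):
    # AuthMessage = client-first-bare , server-first , client-final-without-proof. n= is
    # empty because PostgreSQL takes the user name from the startup message. c= carries
    # the gs2 header + hash of the certificate THIS side saw, so a relaying fake server fails.
    client_first_bare = b"n=,r=" + cnonce
    server_first = b"r=" + cnonce + snonce + b",s=" + base64.b64encode(salt) + b",i=%d" % iters
    client_final_bare = b"c=" + base64.b64encode(GS2 + cert_hash) + b",r=" + cnonce + snonce
    return b",".join([client_first_bare, server_first, client_final_bare])

def client_proof(password, salt, iters, cnonce, snonce, cert_hash):
    # Client: p= of client-final-message = ClientKey XOR HMAC(StoredKey, AuthMessage).
    client_key = _hmac(_salted(password, salt, iters), b"Client Key")
    auth = auth_message(cnonce, snonce, salt, iters, cert_hash)
    return _xor(client_key, _hmac(_h(client_key), auth))

def server_verify(stored_key, server_key, proof, salt, iters, cnonce, snonce, cert_hash):
    # Server: recover ClientKey from the proof; return v= ServerSignature, or None (ErrorMessage).
    auth = auth_message(cnonce, snonce, salt, iters, cert_hash)
    client_key = _xor(proof, _hmac(stored_key, auth))
    if not hmac.compare_digest(_h(client_key), stored_key):
        return None
    return _hmac(server_key, auth)

def client_check_server(password, salt, iters, cnonce, snonce, cert_hash, server_sig):
    # Client: verify v= so that a server that never held ServerKey is rejected.
    auth = auth_message(cnonce, snonce, salt, iters, cert_hash)
    expected = _hmac(_hmac(_salted(password, salt, iters), b"Server Key"), auth)
    return hmac.compare_digest(expected, server_sig)
```

Feeding `server_verify` the real certificate hash while the client bound to a different one reproduces the channel-binding failure the text describes: the two AuthMessages differ and the proof no longer recovers StoredKey.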