The following subsections describe the authentication methods in more detail.
When trust
authentication is specified,
PostgreSQL assumes that anyone who can
connect to the server is authorized to access the database with
whatever database user name they specify (including superusers).
Of course, restrictions made in the database
and
user
columns still apply.
This method should only be used when there is adequate
operating-system-level protection on connections to the server.
trust
authentication is appropriate and very
convenient for local connections on a single-user workstation. It
is usually not appropriate by itself on a multiuser
machine. However, you may be able to use trust
even
on a multiuser machine, if you restrict access to the server's
Unix-domain socket file using file-system permissions. To do this, set the
unix_socket_permissions
(and possibly
unix_socket_group
) configuration parameters as
described in Section 17.3, “Connections and Authentication”. Or you
could set the unix_socket_directory
configuration parameter to place the socket file in a suitably
restricted directory.
Setting file-system permissions only helps for Unix-socket connections.
Local TCP/IP connections are not restricted by it; therefore, if you want
to use file-system permissions for local security, remove the host ...
127.0.0.1 ...
line from pg_hba.conf
, or change it to a
non-trust
authentication method.
trust
authentication is only suitable for TCP/IP connections
if you trust every user on every machine that is allowed to connect
to the server by the pg_hba.conf
lines that specify
trust
. It is seldom reasonable to use trust
for any TCP/IP connections other than those from localhost (127.0.0.1).
The password-based authentication methods are md5
,
crypt
, and password
. These methods operate
similarly except for the way that the password is sent across the
connection: respectively, MD5-hashed, crypt-encrypted, and clear-text.
A limitation is that the crypt
method does not work with
passwords that have been encrypted in pg_authid
.
If you are at all concerned about password
“sniffing” attacks then md5
is preferred, with
crypt
to be used only if you must support pre-7.2
clients. Plain password
should be avoided especially for
connections over the open Internet (unless you use SSL,
SSH, or another
communications security wrapper around the connection).
PostgreSQL database passwords are
separate from operating system user passwords. The password for
each database user is stored in the pg_authid
system
catalog. Passwords can be managed with the SQL commands
CREATE USER and
ALTER USER,
e.g., CREATE USER foo WITH PASSWORD 'secret';
.
By default, that is, if no password has been set up, the stored password
is null and password authentication will always fail for that user.
Kerberos is an industry-standard secure authentication system suitable for distributed computing over a public network. A description of the Kerberos system is far beyond the scope of this document; in full generality it can be quite complex (yet powerful). The Kerberos FAQ or MIT Kerberos page can be good starting points for exploration. Several sources for Kerberos distributions exist. Kerberos provides secure authentication but does not encrypt queries or data passed over the network; for that use SSL.
PostgreSQL supports Kerberos version 5. Kerberos support has to be enabled when PostgreSQL is built; see Chapter 14, Installation Instructions for more information.
PostgreSQL operates like a normal Kerberos service.
The name of the service principal is
.
servicename
/hostname
@realm
servicename
can be set on the server side using the
krb_srvname configuration parameter, and on the
client side using the krbsrvname
connection parameter. (See
also Section 29.1, “Database Connection Control Functions”.) The installation default can be
changed from the default postgres
at build time using
./configure --with-krb-srvnam=whatever
. In most environments,
this parameter never needs to be changed. However, to support multiple
PostgreSQL installations on the same host it is necessary.
Some Kerberos implementations may also require a different service name,
such as Microsoft Active Directory which requires the service name
to be in uppercase (POSTGRES
).
hostname
is the fully qualified host name of the
server machine. The service principal's realm is the preferred realm
of the server machine.
Client principals must have their PostgreSQL database user
name as their first component, for example
pgusername/otherstuff@realm
. At present the realm of
the client is not checked by PostgreSQL; so if you
have cross-realm authentication enabled, then any principal in any
realm that can communicate with yours will be accepted.
Make sure that your server keytab file is readable (and preferably
only readable) by the PostgreSQL server
account. (See also Section 16.1, “The PostgreSQL User Account”.) The location
of the key file is specified by the krb_server_keyfile configuration
parameter. The default is
/usr/local/pgsql/etc/krb5.keytab
(or whichever
directory was specified as sysconfdir
at build time).
The keytab file is generated by the Kerberos software; see the Kerberos documentation for details. The following example is for MIT-compatible Kerberos 5 implementations:
kadmin%
ank -randkey postgres/server.my.domain.org
kadmin%
ktadd -k krb5.keytab postgres/server.my.domain.org
When connecting to the database make sure you have a ticket for a
principal matching the requested database user name. For example, for
database user name fred
, both principal
fred@EXAMPLE.COM
and
fred/users.example.com@EXAMPLE.COM
could be used to
authenticate to the database server.
If you use mod_auth_kerb
and mod_perl on your
Apache web server, you can use
AuthType KerberosV5SaveCredentials
with a
mod_perl script. This gives secure
database access over the web, no extra passwords required.
The ident authentication method works by obtaining the client's operating system user name, then determining the allowed database user names using a map file that lists the permitted corresponding pairs of names. The determination of the client's user name is the security-critical point, and it works differently depending on the connection type.
The “Identification Protocol” is described in
RFC 1413. Virtually every Unix-like
operating system ships with an ident server that listens on TCP
port 113 by default. The basic functionality of an ident server
is to answer questions like “What user initiated the
connection that goes out of your port X
and connects to my port Y
?”.
Since PostgreSQL knows both X
and
Y
when a physical connection is established, it
can interrogate the ident server on the host of the connecting
client and could theoretically determine the operating system user
for any given connection this way.
The drawback of this procedure is that it depends on the integrity of the client: if the client machine is untrusted or compromised an attacker could run just about any program on port 113 and return any user name he chooses. This authentication method is therefore only appropriate for closed networks where each client machine is under tight control and where the database and system administrators operate in close contact. In other words, you must trust the machine running the ident server. Heed the warning:
The Identification Protocol is not intended as an authorization or access control protocol. |
||
--RFC 1413 |
Some ident servers have a nonstandard option that causes the returned user name to be encrypted, using a key that only the originating machine's administrator knows. This option must not be used when using the ident server with PostgreSQL, since PostgreSQL does not have any way to decrypt the returned string to determine the actual user name.
On systems supporting SO_PEERCRED
requests for
Unix-domain sockets (currently Linux, FreeBSD,
NetBSD, OpenBSD,
and BSD/OS), ident authentication can also
be applied to local connections. In this case, no security risk is added by
using ident authentication; indeed it is a preferable choice for
local connections on such systems.
On systems without SO_PEERCRED
requests, ident
authentication is only available for TCP/IP connections. As a
work-around, it is possible to specify the localhost address 127.0.0.1 and make connections to this
address. This method is trustworthy to the extent that you trust
the local ident server.
When using ident-based authentication, after having determined the
name of the operating system user that initiated the connection,
PostgreSQL checks whether that user is
allowed to connect as the database user he is requesting to connect
as. This is controlled by the ident map argument that follows the
ident
key word in the pg_hba.conf
file. There is a predefined ident map sameuser
,
which allows any operating system user to connect as the database
user of the same name (if the latter exists). Other maps must be
created manually.
Ident maps other than sameuser
are defined in the
ident map file, which by default is named
pg_ident.conf
and is stored in the
cluster's data directory. (It is possible to place the map file
elsewhere, however; see the ident_file
configuration parameter.)
The ident map file contains lines of the general form:
map-name
ident-username
database-username
Comments and whitespace are handled in the same way as in
pg_hba.conf
. The
map-name
is an arbitrary name that will be used to
refer to this mapping in pg_hba.conf
. The other
two fields specify which operating system user is allowed to connect
as which database user. The same map-name
can be
used repeatedly to specify more user-mappings within a single map.
There is no restriction regarding how many database users a given
operating system user may correspond to, nor vice versa.
The pg_ident.conf
file is read on start-up and
when the main server process receives a
SIGHUP
signal. If you edit the file on an
active system, you will need to signal the server
(using pg_ctl reload
or kill -HUP
) to make it
re-read the file.
A pg_ident.conf
file that could be used in
conjunction with the pg_hba.conf
file in Example 20.1, “Example pg_hba.conf
entries” is shown in Example 20.2, “An example pg_ident.conf
file”. In this example setup, anyone
logged in to a machine on the 192.168 network that does not have the
Unix user name bryanh
, ann
, or
robert
would not be granted access. Unix user
robert
would only be allowed access when he tries to
connect as PostgreSQL user bob
, not
as robert
or anyone else. ann
would
only be allowed to connect as ann
. User
bryanh
would be allowed to connect as either
bryanh
himself or as guest1
.
Example 20.2. An example pg_ident.conf
file
# MAPNAME IDENT-USERNAME PG-USERNAME omicron bryanh bryanh omicron ann ann # bob has user name robert on these machines omicron robert bob # bryanh can also connect as guest1 omicron bryanh guest1
This authentication method operates similarly to
password
except that it uses LDAP
as the authentication method. LDAP is used only to validate
the user name/password pairs. Therefore the user must already
exist in the database before LDAP can be used for
authentication. The server and parameters used are specified
after the ldap
key word in the file
pg_hba.conf
. The format of this parameter is:
ldap[s
]://servername
[:port
]/base dn
[;prefix
[;suffix
]]
for example:
ldap://ldap.example.net/dc=example,dc=net;EXAMPLE\
If ldaps
is specified instead of ldap
,
TLS encryption will be enabled for the connection. Note that this
will encrypt only the connection between the PostgreSQL server
and the LDAP server. The connection between the client and the
PostgreSQL server is not affected by this setting. To make use of
TLS encryption, you may need to configure the LDAP library prior
to configuring PostgreSQL. Note that encrypted LDAP is available only
if the platform's LDAP library supports it.
If no port is specified, the default port as configured in the LDAP library will be used.
The server will bind to the distinguished name specified as
base dn
using the user name supplied by the client.
If prefix
and suffix
is
specified, it will be prepended and appended to the user name
before the bind. Typically, the prefix parameter is used to specify
cn=
, or DOMAIN\
in an Active
Directory environment.
This authentication method operates similarly to
password
except that it uses PAM (Pluggable
Authentication Modules) as the authentication mechanism. The
default PAM service name is postgresql
. You can
optionally supply your own service name after the pam
key word in the file pg_hba.conf
.
PAM is used only to validate user name/password pairs.
Therefore the user must already exist in the database before PAM
can be used for authentication. For more information about
PAM, please read the Linux-PAM Page
and the Solaris PAM Page.