User authentication in the PostgreSQL database server

From: LinuxSir.Org
Abstract: To keep a PostgreSQL database secure, access to it must be gated by user authentication. This article introduces the basics of user authentication in PostgreSQL: the pg_hba.conf file, the available authentication methods, ident maps, and how to read the error messages authentication failures produce.
Table of contents

1. The pg_hba.conf file
   1.1 Meaning of each field
   1.2 authentication-method
   1.3 Example
2. Authentication methods
   2.1 Trust authentication
   2.2 Password authentication
   2.3 Kerberos authentication
   2.4 Ident-based authentication
       2.4.1 Ident authentication over TCP/IP
       2.4.2 Ident authentication over local sockets
       2.4.3 Ident maps
   2.5 An example pg_ident.conf file
   2.6 PAM authentication
3. Authentication problems
4. About this article
5. Change log
6. References
7. Related articles
++++++++++++++++++++++++++++++++++++++++++++
Main text
++++++++++++++++++++++++++++++++++++++++++++
When a client application connects to the database server, it states which PostgreSQL user name it wants to connect as, much as one logs in to a Unix machine as a particular user. Within the SQL environment the active database user name determines what the session may do to database objects, so the first thing to control is which clients may connect as which users. Authentication is the process by which the database server establishes the identity of the client (or of the user running the client application) and decides whether that client may connect under the user name it requested.

PostgreSQL offers a variety of client authentication methods. The method used for a particular connection can be selected on the basis of the client's host address, the requested database and the requested user name; some methods also let you restrict which user names are acceptable.

PostgreSQL user names are logically separate from the user names of the operating system on which the server runs. If all users of a server also have accounts on the server machine, it makes sense to give database users the same names as their operating system accounts. However, a server that accepts remote connections may have many database users who have no local account, and in that case there need be no connection between database user names and operating system user names.
1. The pg_hba.conf file

Client authentication is controlled by the file pg_hba.conf in the data directory, for example /etc/postgresql/8.2/main/pg_hba.conf on a Debian-style installation (hba stands for host-based authentication). A default pg_hba.conf is installed when the data directory is initialized with initdb.

The file consists of a set of records, one per line. Blank lines are ignored, as is any text following a "#" comment character. A record is made up of a number of fields separated by spaces and/or tabs; a field may contain white space if its value is quoted. Records cannot be continued across lines.

Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters. The first record whose connection type, client address, requested database and requested user name match a connection attempt is the one used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.

A record may have one of the following three formats:

local    database  user  authentication-method  [authentication-option]
host     database  user  IP-address  IP-mask  authentication-method  [authentication-option]
hostssl  database  user  IP-address  IP-mask  authentication-method  [authentication-option]

(From PostgreSQL 7.4 onwards the IP-address and IP-mask pair can also be written as a single CIDR-address such as 192.168.93.0/24; the examples in this article use the older two-field form, which is still accepted.)
1.1 Meaning of each field
local

This record matches connection attempts made over Unix-domain sockets. Without a record of this type, Unix-domain socket connections are not allowed.
host

This record matches connection attempts made over TCP/IP. Note that TCP/IP connections are disabled unless the server is started with the -i option or with the tcpip_socket parameter enabled in postgresql.conf (PostgreSQL 7.x); in 8.0 and later the equivalent is the listen_addresses parameter, which defaults to localhost only.
hostssl

This record matches connection attempts made over TCP/IP using SSL. host records match both SSL and non-SSL connection attempts, but hostssl records require the connection to use SSL.
To use this option the server must be built with SSL support, and the ssl parameter must be enabled in postgresql.conf when the server is started.
database

Specifies which database(s) this record matches. The value all matches all databases. The value sameuser matches if the requested database has the same name as the requested user. The value samegroup matches if the requested user is a member of a group with the same name as the requested database. Otherwise this is the name of a specific PostgreSQL database. Multiple database names can be supplied by separating them with commas. A file containing database names can be specified by prefixing the file name with @; the file must be in the same directory as pg_hba.conf.
user

Specifies which PostgreSQL user(s) this record matches. The value all matches all users; otherwise it is the name of a specific PostgreSQL user. Multiple user names can be supplied by separating them with commas. Group names can be specified by prefixing the group name with +. A file containing user names can be specified by prefixing the file name with @; the file must be in the same directory as pg_hba.conf.
IP-address
IP-mask

These two fields contain IP address and mask values in standard dotted-decimal notation. (IP addresses can only be given numerically, not as domain or host names.) Taken together, they specify the client IP addresses that this record matches. The precise logic is that (actual-client-IP xor IP-address-field) and IP-mask-field must be zero for the record to match; a mask of 0.0.0.0 therefore matches any client, and a mask of 255.255.255.255 matches exactly one address. (Of course IP addresses can be spoofed, but that is considered outside PostgreSQL's scope to address.) These fields apply only to host and hostssl records.
1.2 authentication-method
trust

The connection is allowed unconditionally. This method allows anyone who can connect to the PostgreSQL server to connect as any PostgreSQL user they choose, without a password.
reject

The connection is rejected unconditionally. This is mostly useful for "filtering out" certain hosts from a group that a later, broader record would otherwise admit.
md5

Requires the client to supply an MD5-encrypted password for authentication. This is the only method that allows encrypted (hashed) passwords to be stored in pg_shadow.
crypt

Like the md5 method, but uses the older crypt() encryption, which is needed for clients older than version 7.2. md5 is preferred for 7.2 and later clients.
password

Same as md5, but the password is sent in clear text over the network. This should not be used on untrusted networks.
krb4

Kerberos V4 is used to authenticate the user. This is only available for TCP/IP connections.
krb5

Kerberos V5 is used to authenticate the user. This is only available for TCP/IP connections.
ident

Obtains the client's operating system user name (for TCP/IP connections by contacting the ident server on the client machine; for local connections from the operating system itself) and checks whether the user is allowed to connect as the requested database user by referring to the map specified after the ident keyword. If you use the sameuser map, the user names are assumed to be identical. Otherwise the map name is looked up in the file pg_ident.conf, in the same directory as pg_hba.conf. If that file contains a record for the map name that pairs the ident-supplied user name with the requested PostgreSQL user name, the connection is accepted. For local connections, ident can only be used on systems that support Unix-domain socket credential passing (currently Linux, FreeBSD, NetBSD, OpenBSD and BSD/OS).
pam

Uses the operating system's Pluggable Authentication Modules (PAM) service to authenticate.
1.3 Example

Since pg_hba.conf records are examined sequentially for each connection attempt, the order of the records is very significant. Typically, earlier records have tight connection-match parameters and weaker authentication methods, while later records have looser match parameters and stronger authentication methods. For example, one might wish to use trust authentication for local TCP connections but require a password for remote TCP connections. In this case a record specifying trust authentication for connections from 127.0.0.1 must appear before a record specifying password authentication for a wider range of client IP addresses.

Note: do not prevent the superuser from accessing the template1 database; the utility commands (createdb and friends) need access to template1.

The pg_hba.conf file is re-read when the postmaster starts and when it receives a SIGHUP signal. If you edit the file on an active system, you need to signal the postmaster (with pg_ctl reload or kill -HUP) to make it re-read the file.

Here is an example pg_hba.conf:
# Allow any user on the local system to connect to any database under
# any user name using Unix-domain sockets (the default for local
# connections).
#
# TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
local   all       all                                trust

# The same, but using loopback TCP/IP connections.
#
# TYPE  DATABASE  USER  IP-ADDRESS  IP-MASK          METHOD
host    all       all   127.0.0.1   255.255.255.255  trust

# The same, but over Unix-domain sockets.

local   all       all                                trust

# Allow any user from any host with IP address 192.168.93.x to connect
# to database "template1" as the same user name that ident reports for
# the connection (typically the Unix user name).
# TYPE  DATABASE   USER  IP-ADDRESS    IP-MASK        METHOD
host    template1  all   192.168.93.0  255.255.255.0  ident sameuser

# Allow a user from host 192.168.12.10 to connect to database
# "template1" if the user supplies the correct password.
# TYPE  DATABASE   USER  IP-ADDRESS     IP-MASK          METHOD
host    template1  all   192.168.12.10  255.255.255.255  md5

# If these are the only two "host" lines, they reject all connection
# requests from 192.168.54.1 (because that record is matched first),
# but allow Kerberos V5-authenticated connections from anywhere else on
# the Internet. The zero mask means that no bits of the host IP address
# are considered, so it matches any host.
# TYPE  DATABASE  USER  IP-ADDRESS    IP-MASK          METHOD
host    all       all   192.168.54.1  255.255.255.255  reject
host    all       all   0.0.0.0       0.0.0.0          krb5

# Allow any user from a 192.168.x.x host to connect to any database if
# they pass the ident check. If, for example, ident says the user is
# "bryanh" and he requests to connect as PostgreSQL user "guest1", the
# connection is allowed only if pg_ident.conf contains an entry in map
# "omicron" saying that "bryanh" may connect as "guest1".
#
# TYPE  DATABASE  USER  IP-ADDRESS   IP-MASK      METHOD
host    all       all   192.168.0.0  255.255.0.0  ident omicron

# If these are the only three lines for local connections, they allow
# local users to connect only to their own database (a database with
# the same name as the user name), except for administrators and members
# of group "support", who may connect to any database. The file
# $PGDATA/admins lists the user names allowed to connect to all
# databases. Passwords are required in all cases.
# TYPE  DATABASE  USER      IP-ADDRESS  IP-MASK  METHOD
local   sameuser  all                            md5
local   all       @admins                        md5
local   all       +support                       md5

# The last two lines above can be combined into a single line:
local   all       @admins,+support               md5

# The database field can also use lists and file names, but not groups:
local   db1,db2,@demodbs  all                    md5
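The matching rules from 1.1 (the xor/and test on IP-address and IP-mask; the all, sameuser and samegroup keywords; @file lists and +group names) and the first-match-wins ordering stressed in 1.3 can be checked against a file like the one above with a small evaluator. The following Python script is an added example for this article, not PostgreSQL source or a tool that ships with it; the pg_hba.conf text, the contents of the @admins file and the membership of group support are constructed for the demonstration.

```python
# Added example for this article: an evaluator that applies pg_hba.conf
# records the way the server does (first match wins, no fall-through).
# Not PostgreSQL source. The config text, the contents of the @admins file
# and the membership of group "support" are constructed for the demo.
import ipaddress
from typing import NamedTuple, Optional

HBA_CONF = """
# TYPE  DATABASE   USER              IP-ADDRESS     IP-MASK          METHOD
local   sameuser   all                                               md5
local   all        @admins,+support                                  md5
host    all        all               127.0.0.1      255.255.255.255  trust
host    template1  all               192.168.93.0   255.255.255.0    ident sameuser
host    all        all               192.168.54.1   255.255.255.255  reject
host    all        all               0.0.0.0        0.0.0.0          krb5
"""
INCLUDE_FILES = {"admins": ["postgres", "alice"]}   # stand-in for $PGDATA/admins
GROUPS = {"support": ["bob", "carol"]}              # stand-in for pg_group


class Conn(NamedTuple):
    kind: str            # "local" (Unix socket) or "host" (TCP/IP)
    ssl: bool            # True when the TCP connection is SSL-wrapped
    addr: Optional[str]  # client IPv4 address, None for local connections
    database: str        # requested database name
    user: str            # requested PostgreSQL user name


def parse_hba(text):
    """Split pg_hba.conf into records; 'local' lines carry no address fields."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            ip, mask, rest = None, None, f[3:]
        elif f[0] in ("host", "hostssl"):
            ip, mask, rest = f[3], f[4], f[5:]
        else:
            raise ValueError("unknown connection type: " + raw)
        if not rest:
            raise ValueError("no authentication method: " + raw)
        records.append({"type": f[0], "db": f[1], "user": f[2], "ip": ip, "mask": mask,
                        "method": rest[0], "option": " ".join(rest[1:]) or None})
    return records


def expand(field, include_files):
    """Comma-separated list; an @file item is replaced by the names in that file."""
    out = []
    for item in field.split(","):
        out.extend(include_files[item[1:]] if item.startswith("@") else [item])
    return out


def db_matches(field, conn, include_files, groups):
    for item in expand(field, include_files):
        if item in ("all", conn.database):
            return True
        if item == "sameuser" and conn.database == conn.user:
            return True
        if item == "samegroup" and conn.user in groups.get(conn.database, ()):
            return True
    return False


def user_matches(field, conn, include_files, groups):
    for item in expand(field, include_files):
        if item in ("all", conn.user):
            return True
        if item.startswith("+") and conn.user in groups.get(item[1:], ()):
            return True
    return False


def addr_matches(rec, conn):
    """(client xor IP-address) and IP-mask must be zero; a zero mask matches any host."""
    if rec["ip"] is None:
        return True
    client = int(ipaddress.IPv4Address(conn.addr))
    net = int(ipaddress.IPv4Address(rec["ip"]))
    mask = int(ipaddress.IPv4Address(rec["mask"]))
    return ((client ^ net) & mask) == 0


def lookup(records, conn, include_files=INCLUDE_FILES, groups=GROUPS):
    """Return (method, option) from the first matching record, or None when
    nothing matches (the server then refuses the connection). A matching
    'reject' record is returned as such; later records are never consulted."""
    for rec in records:
        if (rec["type"] == "local") != (conn.kind == "local"):
            continue
        if rec["type"] == "hostssl" and not conn.ssl:
            continue
        if not (addr_matches(rec, conn)
                and db_matches(rec["db"], conn, include_files, groups)
                and user_matches(rec["user"], conn, include_files, groups)):
            continue
        return rec["method"], rec["option"]
    return None
```

lookup() for a TCP connection from 192.168.54.1 returns reject, while swapping the last two host records makes the same client land on the krb5 catch-all instead: the file is a first-match list, so a reject must precede any broader record it is meant to override. A connection matching no record at all returns None, which is the "No pg_hba.conf entry" failure described in section 3; a local connection by a user who is neither an admin nor in support and who asks for a database not named after them is such a case here.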

2. Authentication methods

2.1 Trust authentication

When trust authentication is specified, PostgreSQL assumes that anyone who can connect to the server is authorized to access the database as whatever database user they specify (including the database superuser). This method should only be used when there is adequate operating-system-level protection on connections to the server port.

trust authentication is appropriate and very convenient for local connections on a single-user workstation. It is usually not appropriate by itself on a multi-user machine. However, you may be able to use trust even on a multi-user machine if you restrict access to the postmaster's socket file using file-system permissions. To do this, set the unix_socket_permissions (and possibly unix_socket_group) parameters in postgresql.conf, or set unix_socket_directory to place the socket file in a suitably restricted directory.

Setting file-system permissions only helps for Unix-socket connections; local TCP connections are not restricted by it. Therefore, if you want to use file-system permissions for local security, remove the host ... 127.0.0.1 ... line from pg_hba.conf, or change it to a non-trust authentication method.

trust authentication is only suitable for TCP connections if you trust every user on every machine that is allowed to connect to the server by the pg_hba.conf lines that specify trust. It is seldom reasonable to use trust for any TCP connections other than those from localhost (127.0.0.1).
2.2 Password authentication

The password-based authentication methods are md5, crypt and password. These methods operate similarly except for the way the password is sent across the connection. If you are at all concerned about password "sniffing" attacks, md5 is preferred, with crypt a second choice if you must support pre-7.2 clients. Plain password should be avoided, especially for connections over the open Internet (unless you use SSL, SSH or another communications-security wrapper around the connection).

PostgreSQL database passwords are separate from operating system user passwords. The password for each database user is stored in the pg_shadow system catalog. Passwords can be managed with the SQL commands CREATE USER and ALTER USER, for example CREATE USER foo WITH PASSWORD 'secret'. By default, if no password has been set up, the stored password is null and password authentication will always fail for that user.

To restrict the set of users that are allowed to connect to certain databases, list the users in a separate file (one user name per line, or several separated by commas) in the same directory as pg_hba.conf, and put the file name, prefixed with @ and without a path, in the user column of the pg_hba.conf record. The database column can likewise take a list or a file name. You can also specify group names by prefixing the group name with +.
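To see why md5 resists sniffing while password does not, here are both sides of each exchange as an added Python example. It is not PostgreSQL or libpq code, although it reproduces the hashing those implement: the stored form is md5 of the password concatenated with the user name, prefixed with "md5", and the md5 method's challenge response is md5 of that hex digest concatenated with a 4-byte server-chosen salt. The user names, passwords and the fixed salt are constructed for the demonstration.

```python
# Added example for this article: the md5 and password authentication methods,
# both client and server side. Not PostgreSQL/libpq code; it reproduces the
# hashing they use (pg_md5_encrypt). Names, passwords and salts are constructed.
import hashlib
import hmac
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_password_hash(password: str, username: str) -> str:
    """The encrypted form kept in pg_shadow: 'md5' + md5(password || username).
    The role name is the only salt, so the same password for the same user
    name hashes identically on every server."""
    return "md5" + md5_hex((password + username).encode())


def md5_client_response(stored_hash: str, salt: bytes) -> str:
    """Client side of the md5 method. The server sends 4 random salt bytes in
    AuthenticationMD5Password; the client answers with
    'md5' + md5(hex-part-of-stored-hash || salt) in its PasswordMessage.
    Only the stored hash is needed here: the cleartext never crosses the wire,
    but anyone holding the hash can produce a valid answer."""
    if not stored_hash.startswith("md5") or len(salt) != 4:
        raise ValueError("need an md5-prefixed hash and a 4-byte salt")
    return "md5" + md5_hex(stored_hash[3:].encode() + salt)


def server_verify_md5(stored_hash: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected answer from pg_shadow and compare
    in constant time."""
    expected = md5_client_response(stored_hash, salt)
    return hmac.compare_digest(expected, response)


def md5_handshake(username: str, password_typed: str, stored_hash: str) -> bool:
    """One complete md5 exchange: server picks the salt, client hashes what
    the user typed and answers the challenge, server checks it."""
    salt = os.urandom(4)
    client_hash = stored_password_hash(password_typed, username)
    response = md5_client_response(client_hash, salt)
    return server_verify_md5(stored_hash, salt, response)


def password_method_verify(username: str, cleartext_sent: str, stored_hash: str) -> bool:
    """The 'password' method: the client sends the cleartext itself and the
    server hashes it with the user name before comparing. A sniffer on the
    path gets the real password, hence the advice to wrap it in SSL or SSH."""
    return hmac.compare_digest(stored_password_hash(cleartext_sent, username), stored_hash)
```

Note what the md5 method protects and what it does not. The cleartext password never crosses the wire, but the challenge response is computed from the stored hash alone, so anyone who reads a hash out of pg_shadow can authenticate with it directly. The hash is salted only with the role name: renaming a role invalidates its MD5 password, and identical user/password pairs on two servers yield identical hashes.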
2.3 Kerberos authentication

Kerberos is an industry-standard secure authentication system suitable for distributed computing over a public network. A description of the Kerberos system is far beyond the scope of this document; in full generality it can be quite complex (yet powerful). The Kerberos FAQ or MIT Project Athena are good starting points for exploration. Several sources for Kerberos distributions exist.

In order to use Kerberos, support for it must be enabled at build time. Both Kerberos 4 and 5 are supported, but only one version can be supported in any one build.

PostgreSQL operates like a normal Kerberos service. The name of the service principal is servicename/hostname@realm, where servicename is postgres (unless a different service name was selected at configure time with ./configure --with-krb-srvnam=whatever), hostname is the fully qualified host name of the server machine, and realm is the preferred realm of the server machine.

Client principals must have their PostgreSQL user name as their first component, for example pgusername/otherstuff@realm. At present the realm of the client is not checked by PostgreSQL; so if you have cross-realm authentication enabled, any principal in any communicating realm will be accepted.

Make sure that your server key file is readable (and preferably only readable) by the PostgreSQL server account. The location of the key file (keytab) is specified with the krb_server_keyfile run-time configuration parameter. To generate the keytab file, use for example (with version 5):

kadmin% ank -randkey postgres/server.my.domain.org
kadmin% ktadd -k krb5.keytab postgres/server.my.domain.org

Read the Kerberos documentation for details.

When connecting to the database, make sure you have a ticket for a principal matching the requested database user name. For example, for database user fred, both the principal fred@realm and a principal of the form fred/otherstuff@realm can be used to authenticate to the database server.

If you use mod_auth_krb and mod_perl on your Apache web server, you can use AuthType KerberosV5SaveCredentials with a mod_perl script. This gives secure database access over the web with no additional passwords required.
2.4 Ident-based authentication

The ident authentication method works by obtaining the client's operating system user name and then checking, against a map file that lists permitted pairs of operating system user names and database user names, whether the client may connect as the requested database user. Determining the client's user name is the security-critical point, and it works differently depending on the connection type.
2.4.1 Ident authentication over TCP/IP

The "Identification Protocol" is described in RFC 1413. Virtually every Unix-like operating system ships with an ident server that listens on TCP port 113 by default. The basic functionality of an ident server is to answer questions like "What user initiated the connection that goes out of your port X and connects to my port Y?". Since PostgreSQL knows both X and Y once a physical connection is established, it can interrogate the ident server on the host of the connecting client and can, in theory, determine the operating system user that initiated any given connection this way.

The drawback of this procedure is that it depends on the integrity of the client: if the client machine is untrusted or compromised, an attacker could run any program on port 113 and return any user name they choose. This authentication method is therefore only appropriate for closed networks where each client machine is under tight control and where the database and system administrators operate in close contact. In other words, you must trust the machine running the ident server. Heed the warning:
The Identification Protocol is not intended as an authorization or access control protocol.

-- RFC 1413

2.4.2 Ident authentication over local sockets

On systems that support SO_PEERCRED requests for Unix-domain sockets (currently Linux, FreeBSD, NetBSD and BSD/OS), ident authentication can also be applied to local connections. In this case the user name comes from the kernel rather than from the peer, so using ident authentication adds no security risk; indeed it is the preferable choice for local connections on such systems. On systems without SO_PEERCRED requests, ident authentication is only available for TCP/IP connections. As a work-around, it is possible to specify the localhost address 127.0.0.1 and make local connections to this address.
2.4.3 Ident maps

When using ident-based authentication, after having determined the name of the operating system user that initiated the connection, PostgreSQL checks whether that user is allowed to connect as the database user they are requesting. This is controlled by the ident map argument that follows the ident keyword in the pg_hba.conf record. There is a predefined ident map sameuser, which allows any operating system user to connect as the database user of the same name (if the latter exists). Other maps must be created manually.

Ident maps other than sameuser are defined in the file pg_ident.conf in the data directory. The general form of each line is:

map-name  ident-username  database-username

Comments and white space are handled in the same way as in pg_hba.conf. The map-name is an arbitrary name that is used to refer to this mapping in pg_hba.conf. The other two fields specify which operating system user is allowed to connect as which database user. The same map-name can be used repeatedly to specify more user mappings within a single map. There is no restriction on how many database users a given operating system user may correspond to, or vice versa.

The pg_ident.conf file is read on start-up and when the postmaster receives a SIGHUP signal. If you edit the file on an active system, you need to signal the postmaster (with pg_ctl reload or kill -HUP) to make it re-read the file.
2.5 An example pg_ident.conf file
# MAPNAME  IDENT-USERNAME  PG-USERNAME

omicron    bryanh          bryanh
omicron    ann             ann
# bob's user name on this machine is robert
omicron    robert          bob
# bryanh can also connect as guest1
omicron    bryanh          guest1
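Sections 2.4.1 to 2.5 describe three steps: PostgreSQL asks the identd on the client host which user owns the connection, takes the reply as the operating system user name, and then checks that name against the map named in pg_hba.conf. The following Python script is an added example that walks through all three with constructed identd replies and the pg_ident.conf from 2.5. It is not PostgreSQL's implementation, only the same logic written out so the RFC 1413 caveat can be seen concretely.

```python
# Added example for this article: ident authentication end to end, from the
# RFC 1413 query PostgreSQL sends to identd on the client host, through the
# reply it parses, to the pg_ident.conf map check. Not PostgreSQL code; the
# identd replies are constructed, the map file is the one from section 2.5.

PG_IDENT_CONF = """
# MAPNAME  IDENT-USERNAME  PG-USERNAME
omicron    bryanh          bryanh
omicron    ann             ann
omicron    robert          bob       # bob's user name on this machine is robert
omicron    bryanh          guest1    # bryanh can also connect as guest1
"""


def ident_query(client_port: int, server_port: int) -> bytes:
    """The question sent to TCP port 113 on the client host. From identd's
    point of view the client host is the 'server', so its port comes first:
    '<port-on-queried-host> , <port-on-our-host>' terminated by CRLF."""
    return f"{client_port}, {server_port}\r\n".encode("ascii")


def parse_ident_response(data: bytes):
    """Extract the OS user from '<ports> : USERID : <opsys> : <user-id>'.
    Returns None for 'ERROR : NO-USER' and any other non-USERID reply."""
    text = data.decode("ascii", errors="replace").strip()
    parts = [p.strip() for p in text.split(":", 3)]
    if len(parts) != 4 or parts[1] != "USERID" or not parts[3]:
        return None
    return parts[3]


def parse_ident_map(text: str):
    """pg_ident.conf lines: map-name ident-username database-username.
    Comments and blank lines are skipped as in pg_hba.conf."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("malformed pg_ident.conf line: " + raw)
        entries.add(tuple(fields))
    return entries


def ident_allows(entries, map_name: str, os_user: str, pg_user: str) -> bool:
    """sameuser is built in; any other map needs an explicit entry."""
    if map_name == "sameuser":
        return os_user == pg_user
    return (map_name, os_user, pg_user) in entries


def authenticate_ident(reply: bytes, entries, map_name: str, pg_user: str) -> bool:
    """Decision for an 'ident <map>' record: take identd's word for the OS
    user, then consult the map. The server cannot distinguish an honest
    reply from one forged by a compromised client host."""
    os_user = parse_ident_response(reply)
    return os_user is not None and ident_allows(entries, map_name, os_user, pg_user)
```

Feeding authenticate_ident() a reply of "USERID : UNIX : postgres" from a host the attacker controls is the case RFC 1413 warns about: it is syntactically indistinguishable from an honest reply, and with ident sameuser it is enough to log in as the superuser. That is why the article restricts TCP ident to closed networks and prefers the SO_PEERCRED variant for local sockets, where the kernel rather than the peer supplies the user name.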

2.6 PAM authentication

This authentication method operates similarly to password, except that it uses PAM (Pluggable Authentication Modules) as the authentication mechanism. The default PAM service name is postgresql. You can optionally supply your own service name after the pam keyword in pg_hba.conf.
3. Authentication problems
Genuine authentication failures and related problems generally manifest themselves through error messages like the following.
No pg_hba.conf entry for host 123.123.123.123, user andym, database testdb

This is most likely what you get if you manage to contact the server but it is not willing to talk to you. As the message suggests, the server refused the connection request because it found no matching entry in its pg_hba.conf configuration file.
Password authentication failed for user 'andym'

Messages like this indicate that you contacted the server and it is willing to talk to you, but not until you have passed the authentication method specified in pg_hba.conf. Check the password you are providing, or check your Kerberos or ident software if the complaint mentions one of those authentication types.
FATAL 1: user "andym" does not exist

This is another variant of the previous one: the requested database user does not exist.
FATAL 1: Database "testdb" does not exist in the system catalog.

The database you are trying to connect to does not exist. Note that if you do not specify a database name, it defaults to the database user name, which may or may not be what you intended. Also note that the server log may contain more information about an authentication failure than is reported to the client. If you are confused about the reason for a failure, check the log.
4. About this article

Most of the material in this article is taken from the Chinese documentation; the aim is to make it convenient for everyone to find. The detailed documentation is available in Chinese, and thanks to the brothers for their pointers :)
5. Change log

6. References

"PostgreSQL 8.1 Chinese documentation"
7. Related articles

"PostgreSQL installation and basic use"
"PostgreSQL backup and restore: SQL dump"
"PostgreSQL configuration file and user permissions"
"PostgreSQL routine database maintenance"

Reproduced from: https://www.cnblogs.com/licheng/archive/2008/01/23/1050115.html

Source: blog.csdn.net/weixin_33768481/article/details/92630991