From 49c86099f3bfde9f048f415a465f23ed6ac52d57 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Sat, 14 Sep 2002 18:35:46 +0000 Subject: Shrink the pg_hba.conf and pg_ident.conf default files and move most of the inline documentation to the main docs. --- doc/src/sgml/client-auth.sgml | 373 ++++++++++++++++++++++++++---------------- 1 file changed, 228 insertions(+), 145 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 1cc48a65379..dc4b2649c13 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,5 +1,5 @@ @@ -45,10 +45,10 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.36 2002/08/16 04:48:16 database user names and OS user names. - + The <filename>pg_hba.conf</filename> file - + pg_hba.conf @@ -85,9 +85,9 @@ $Header: /cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v 1.36 2002/08/16 04:48:16 A record may have one of the three formats -local database user authentication-method [ authentication-option ] -host database user IP-address IP-mask authentication-method -hostssl database user IP-address IP-mask authentication-method +local database user authentication-method authentication-option +host database user IP-address IP-mask authentication-method authentication-option +hostssl database user IP-address IP-mask authentication-method authentication-option The meaning of the fields is as follows: @@ -96,8 +96,9 @@ hostssl database user local - This record applies to connection attempts using Unix domain - sockets. + This record matches connection attempts using Unix domain + sockets. Without a record of this type, Unix-domain socket + connections are disallowed @@ -106,7 +107,7 @@ hostssl database user host - This record applied to connection attempts using TCP/IP networks. + This record matches connection attempts using TCP/IP networks. Note that TCP/IP connections are disabled unless the server is started with the option or the tcpip_socket postgresql.conf @@ -119,13 +120,18 @@ hostssl database user hostssl - This record applies to connection attempts using SSL over - TCP/IP. To make use of this option the server must be - built with SSL support enabled. Furthermore, SSL must be - enabled with the + + + To be able make use of this option the server must be built + with SSL support enabled. Furthermore, SSL must be enabled by + enabling the option ssl in + postgresql.conf (see ). @@ -134,18 +140,18 @@ hostssl database user database - Specifies the database for this record. The value - all specifies that it applies to all - databases, while the value sameuser identifies the - database with the same name as the connecting user. The value - samegroup identifies a group with the same name as - the database name. Only members of this group can connect to the - database. Otherwise, this is the name of a specific - PostgreSQL database. Multiple database - names can be supplied by separating them with commas. A file - containing database names can be specified by preceding the file - name with @. The file must be in the same directory - as pg_hba.conf. + Specifies which databases this record matches. The value + all specifies that it matches all databases. + The value sameuser specifies that the record + matches if the requested database has the same name as the + requested user. The value samegroup specifies that + the requested user must a member of the group with the same + name as the requested database. Otherwise, this is the name of + a specific PostgreSQL database. + Multiple database names can be supplied by separating them with + commas. A file containing database names can be specified by + preceding the file name with @. The file must be in + the same directory as pg_hba.conf. @@ -154,41 +160,48 @@ hostssl database user user - Specifies the user for this record. The value - all specifies that it applies to all users. + Specifies which PostgreSQL users this record matches. The value + all specifies that it matches all users. Otherwise, this is the name of a specific PostgreSQL user. Multiple user names can be supplied by separating them with commas. Group names can be specified by preceding the group name with +. A - file containing user names can be specified by preceding the file - name with @. The file must be in the same directory - as pg_hba.conf. + file containing user names can be specified by preceding the + file name with @. The file must be in the same + directory as pg_hba.conf. - IP address - IP mask + IP-address + IP-mask - These two fields specify the client machine IP addresses - (host or hostssl) for this - record. (Of course IP addresses can be spoofed but this - consideration is beyond the scope of - PostgreSQL.) The precise logic is that + These two fields contain IP address/mask values in standard + dotted decimal notation. (IP addresses can only be specified + numerically, not as domain or host names.) Taken together they + specify the client machine IP addresses that this record + matches. The precise logic is that
(actual-IP-address xor IP-address-field) and IP-mask-field
- must be zero for the record to match. + must be zero for the record to match. (Of course IP addresses + can be spoofed but this consideration is beyond the scope of + PostgreSQL.) + + + + These fields only apply to host and + hostssl records. - authentication method + authentication-method Specifies the authentication method to use when connecting via @@ -204,7 +217,8 @@ hostssl database user PostgreSQL database to login as any PostgreSQL user they like, - without the need for a password. + without the need for a password. See for details. @@ -226,6 +240,7 @@ hostssl database user pg_shadow. + See for details. @@ -237,6 +252,7 @@ hostssl database user md5 method but uses older crypt encryption, which is needed for pre-7.2 clients. md5 is preferred for 7.2 and later clients. + See for details. @@ -247,6 +263,7 @@ hostssl database user Same as "md5", but the password is sent in cleartext over the network. This should not be used on untrusted networks. + See for details. @@ -256,7 +273,8 @@ hostssl database user Kerberos V4 is used to authenticate the user. This is only - available for TCP/IP connections. + available for TCP/IP connections. See for details. @@ -266,7 +284,8 @@ hostssl database user Kerberos V5 is used to authenticate the user. This is only - available for TCP/IP connections. + available for TCP/IP connections. See for details. @@ -274,39 +293,33 @@ hostssl database user ident - - For TCP/IP connections, authentication is done by contacting - the ident server on the client - host. This is only as secure as the client machine. You must - specify the map name after the 'ident' keyword. It - determines how to map remote user names to - PostgreSQL user names. If you use - "sameuser", the user names are assumed to be identical. If - not, the map name is looked up in the $PGDATA/pg_ident.conf + + Obtain the operating system user name of the client (for + TCP/IP connections by contacting the ident server on the + client, for local connections by getting it from the + operating system) and check if the user is allowed to + connect as the requested database user by consulting the map + specified after the ident key word. + + + + If you use the map sameuser, the user + names are assumed to be identical. If not, the map name is + looked up in the $PGDATA/pg_ident.conf file. The connection is accepted if that file contains an entry for this map name with the ident-supplied user name and the requested PostgreSQL user name. + - On machines that support unix-domain socket credentials - (currently Linux, FreeBSD, NetBSD, and BSD/OS), ident allows - reliable authentication of 'local' connections without ident - running on the local machine. + For local connections, this only works on machines that + support Unix-domain socket credentials (currently Linux, + FreeBSD, NetBSD, and BSD/OS). + - On systems without SO_PEERCRED requests, ident - authentication is only available for TCP/IP connections. As a - work around, it is possible to specify the localhost address 127.0.0.1 and make connections to this - address. - - - Following the ident keyword, an ident - map name should be supplied which specifies which - operating system users equate with which database users. See - below for details. + See below for details. @@ -315,27 +328,27 @@ hostssl database user pam - This authentication type operates similarly to - password except that it uses PAM - (Pluggable Authentication Modules) as the authentication - mechanism. The default PAM service name is - postgresql. You can optionally supply you - own service name after the pam keyword in the - file. For more information about PAM, please read the Linux-PAM - Page and the Solaris PAM Page. + Authenticate using the Pluggable Authentication Modules + (PAM) service provided by the operating system. See for details. - + + authentication-option + + + The meaning of this optional field depends on the chosen + authentication method and is described in the next section. + + + @@ -353,6 +366,13 @@ hostssl database user + + + Do not prevent the superuser from accessing the template1 + database. Various utility commands need access to template1. + + + SIGHUP @@ -373,55 +393,67 @@ hostssl database user An example <filename>pg_hba.conf</filename> file -# TYPE DATABASE USER IP_ADDRESS MASK AUTHTYPE - -# Allow any user on the local system to connect to any -# database under any user name, but only via an IP connection: - -host all all 127.0.0.1 255.255.255.255 trust - -# The same, over Unix-socket connections: - -local all all trust - -# Allow any user from any host with IP address 192.168.93.x to -# connect to database "template1" as the same user name that ident on that -# host identifies him as (typically his Unix user name): - -host template1 all 192.168.93.0 255.255.255.0 ident sameuser - -# Allow a user from host 192.168.12.10 to connect to database "template1" -# if the user's password is correctly supplied: - -host template1 all 192.168.12.10 255.255.255.255 md5 - -# In the absence of preceding "host" lines, these two lines will reject -# all connection attempts from 192.168.54.1 (since that entry will be -# matched first), but allow Kerberos V5-validated connections from anywhere -# else on the Internet. The zero mask means that no bits of the host IP -# address are considered, so it matches any host: - -host all all 192.168.54.1 255.255.255.255 reject -host all all 0.0.0.0 0.0.0.0 krb5 - -# Allow users from 192.168.x.x hosts to connect to any database, if they -# pass the ident check. If, for example, ident says the user is "bryanh" -# and he requests to connect as PostgreSQL user "guest1", the connection -# is allowed if there is an entry in pg_ident.conf for map "omicron" that -# says "bryanh" is allowed to connect as "guest1": - -host all all 192.168.0.0 255.255.0.0 ident omicron - -# If these are the only two lines for local connections, they will allow -# local users to connect only to their own databases (database named the -# same as the user name), except for administrators who may connect to -# all databases. The file $PGDATA/admins lists the user names who are -# permitted to connect to all databases. Passwords are required in all -# cases. (If you prefer to use ident authorization, an ident map can -# serve a parallel purpose to the password list file used here.) - -local sameuser all md5 -local all @admins md5 +# Allow any user on the local system to connect to any database under +# any user name using Unix-domain sockets (the default for local +# connections). +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +local all all trust + +# The same using local loopback TCP/IP connections. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host all all 127.0.0.1 255.255.255.255 trust + +# Allow any user from any host with IP address 192.168.93.x to connect +# to database "template1" as the same user name that ident reports for +# the connection (typically the Unix user name). +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host template1 all 192.168.93.0 255.255.255.0 ident sameuser + +# Allow a user from host 192.168.12.10 to connect to database +# "template1" if the user's password is correctly supplied. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host template1 all 192.168.12.10 255.255.255.255 md5 + +# In the absence of preceding "host" lines, these two lines will +# reject all connection from 192.168.54.1 (since that entry will be +# matched first), but allow Kerberos V connections from anywhere else +# on the Internet. The zero mask means that no bits of the host IP +# address are considered so it matches any host. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host all all 192.168.54.1 255.255.255.255 reject +host all all 0.0.0.0 0.0.0.0 krb5 + +# Allow users from 192.168.x.x hosts to connect to any database, if +# they pass the ident check. If, for example, ident says the user is +# "bryanh" and he requests to connect as PostgreSQL user "guest1", the +# connection is allowed if there is an entry in pg_ident.conf for map +# "omicron" that says "bryanh" is allowed to connect as "guest1". +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +host all all 192.168.0.0 255.255.0.0 ident omicron + +# If these are the only three lines for local connections, they will +# allow local users to connect only to their own databases (databases +# with the same name as their user name) except for administrators and +# members of group "support" who may connect to all databases. The file +# $PGDATA/admins contains a list of user names. Passwords are required in +# all cases. +# +# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD +local sameuser all md5 +local all @admins md5 +local all +support md5 + +# The last two lines above can be combined into a single line: +local all @admins,+support md5 + +# The database column can also use lists and file names, but not groups: +local db1,db2,@demodbs all md5 @@ -542,10 +574,10 @@ local all @admins md5 Kerberos system is far beyond the scope of this document; in all generality it can be quite complex (yet powerful). The Kerb - eros FAQ or MIT Project Athena can be a - good starting point for exploration. Several sources for + url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">Kerberos + FAQ or MIT Project Athena can be + a good starting point for exploration. Several sources for Kerberos distributions exist. @@ -620,13 +652,25 @@ local all @admins md5 - + Ident-based authentication ident + + The ident authentication method works by inspecting the client's + operating system user name and determining the allowed database + user names by using a map file that lists the permitted + corresponding user name pairs. The determination of the client's + user name is the security-critical point, and it works differently + depending on the connection type. + + + + Ident Authentication over TCP/IP + The Identification Protocol is described in RFC 1413. Virtually every Unix-like @@ -660,15 +704,35 @@ local all @admins md5 + + + + Ident Authentication over Local Sockets On systems supporting SO_PEERCRED requests for - Unix-domain sockets, ident authentication can also be applied to - local connections. In this case, no security risk is added by using - ident authentication; indeed it is a preferable choice for local - connections on such systems. + Unix-domain sockets (currently Linux, FreeBSD, + NetBSD, and BSD/OS, ident authentication can also be applied + to local connections. In this case, no security risk is added by + using ident authentication; indeed it is a preferable choice for + local connections on such systems. + + On systems without SO_PEERCRED requests, ident + authentication is only available for TCP/IP connections. As a + work around, it is possible to specify the localhost address 127.0.0.1 and make connections to this + address. + + + + + Ident Maps + When using ident-based authentication, after having determined the name of the operating system user that initiated the connection, @@ -731,16 +795,35 @@ local all @admins md5 An example <filename>pg_ident.conf</> file -#MAP IDENT-NAME POSTGRESQL-NAME +# MAPNAME IDENT-USERNAME PG-USERNAME -omicron bryanh bryanh -omicron ann ann +omicron bryanh bryanh +omicron ann ann # bob has user name robert on these machines -omicron robert bob +omicron robert bob # bryanh can also connect as guest1 -omicron bryanh guest1 +omicron bryanh guest1 + + + + + PAM Authentication + + + This authentication type operates similarly to + password except that it uses PAM (Pluggable + Authentication Modules) as the authentication mechanism. The + default PAM service name is postgresql. You can + optionally supply you own service name after the pam + keyword in the file. For more information about PAM, please read + the Linux-PAM + Page and the Solaris PAM Page. + -- cgit v1.2.3