1 <!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->
3 <chapter id="client-authentication">
4 <title>Client Authentication</title>
6 <indexterm zone="client-authentication">
7 <primary>client authentication</primary>
11 When a client application connects to the database server, it
12 specifies which <productname>PostgreSQL</productname> database user name it
13 wants to connect as, much the same way one logs into a Unix computer
14 as a particular user. Within the SQL environment the active database
15 user name determines access privileges to database objects — see
16 <xref linkend="user-manag"> for more information. Therefore, it is
17 essential to restrict which database users can connect.
22 As explained in <xref linkend="user-manag">,
23 <productname>PostgreSQL</productname> actually does privilege
24 management in terms of <quote>roles</>. In this chapter, we
25 consistently use <firstterm>database user</> to mean <quote>role with the
26 <literal>LOGIN</> privilege</quote>.
31 <firstterm>Authentication</firstterm> is the process by which the
32 database server establishes the identity of the client, and by
33 extension determines whether the client application (or the user
34 who runs the client application) is permitted to connect with the
35 database user name that was requested.
39 <productname>PostgreSQL</productname> offers a number of different
40 client authentication methods. The method used to authenticate a
41 particular client connection can be selected on the basis of
42 (client) host address, database, and user.
46 <productname>PostgreSQL</productname> database user names are logically
47 separate from user names of the operating system in which the server
48 runs. If all the users of a particular server also have accounts on
49 the server's machine, it makes sense to assign database user names
50 that match their operating system user names. However, a server that
51 accepts remote connections might have many database users who have no local operating system
52 account, and in such cases there need be no connection between
53 database user names and OS user names.
56 <sect1 id="auth-pg-hba-conf">
57 <title>The <filename>pg_hba.conf</filename> file</title>
59 <indexterm zone="auth-pg-hba-conf">
60 <primary>pg_hba.conf</primary>
64 Client authentication is controlled by a configuration file,
65 which traditionally is named
66 <filename>pg_hba.conf</filename> and is stored in the database
67 cluster's data directory.
68 (<acronym>HBA</> stands for host-based authentication.) A default
69 <filename>pg_hba.conf</filename> file is installed when the data
70 directory is initialized by <command>initdb</command>. It is
71 possible to place the authentication configuration file elsewhere,
72 however; see the <xref linkend="guc-hba-file"> configuration parameter.
76 The general format of the <filename>pg_hba.conf</filename> file is
77 a set of records, one per line. Blank lines are ignored, as is any
78 text after the <literal>#</literal> comment character. A record is made
79 up of a number of fields which are separated by spaces and/or tabs.
80 Fields can contain white space if the field value is quoted. Records
81 cannot be continued across lines.
85 Each record specifies a connection type, a client IP address range
86 (if relevant for the connection type), a database name, a user name,
87 and the authentication method to be used for connections matching
88 these parameters. The first record with a matching connection type,
89 client address, requested database, and user name is used to perform
90 authentication. There is no <quote>fall-through</> or
91 <quote>backup</>: if one record is chosen and the authentication
92 fails, subsequent records are not considered. If no record matches,
97 A record can have one of the seven formats
99 local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
100 host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
101 hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
102 hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>CIDR-address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
103 host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
104 hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
105 hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
107 The meaning of the fields is as follows:
111 <term><literal>local</literal></term>
114 This record matches connection attempts using Unix-domain
115 sockets. Without a record of this type, Unix-domain socket
116 connections are disallowed.
122 <term><literal>host</literal></term>
125 This record matches connection attempts made using TCP/IP.
126 <literal>host</literal> records match either
127 <acronym>SSL</acronym> or non-<acronym>SSL</acronym> connection
132 Remote TCP/IP connections will not be possible unless
133 the server is started with an appropriate value for the
134 <xref linkend="guc-listen-addresses"> configuration parameter,
135 since the default behavior is to listen for TCP/IP connections
136 only on the local loopback address <literal>localhost</>.
143 <term><literal>hostssl</literal></term>
146 This record matches connection attempts made using TCP/IP,
147 but only when the connection is made with <acronym>SSL</acronym>
152 To make use of this option the server must be built with
153 <acronym>SSL</acronym> support. Furthermore,
154 <acronym>SSL</acronym> must be enabled at server start time
155 by setting the <xref linkend="guc-ssl"> configuration parameter (see
156 <xref linkend="ssl-tcp"> for more information).
162 <term><literal>hostnossl</literal></term>
165 This record type has the opposite logic to <literal>hostssl</>:
166 it only matches connection attempts made over
167 TCP/IP that do not use <acronym>SSL</acronym>.
173 <term><replaceable>database</replaceable></term>
176 Specifies which database names this record matches. The value
177 <literal>all</literal> specifies that it matches all databases.
178 The value <literal>sameuser</> specifies that the record
179 matches if the requested database has the same name as the
180 requested user. The value <literal>samerole</> specifies that
181 the requested user must be a member of the role with the same
182 name as the requested database. (<literal>samegroup</> is an
183 obsolete but still accepted spelling of <literal>samerole</>.)
184 Otherwise, this is the name of
185 a specific <productname>PostgreSQL</productname> database.
186 Multiple database names can be supplied by separating them with
187 commas. A separate file containing database names can be specified by
188 preceding the file name with <literal>@</>.
194 <term><replaceable>user</replaceable></term>
197 Specifies which database user names this record
198 matches. The value <literal>all</literal> specifies that it
199 matches all users. Otherwise, this is either the name of a specific
200 database user, or a group name preceded by <literal>+</>.
201 (Recall that there is no real distinction between users and groups
202 in <productname>PostgreSQL</>; a <literal>+</> mark really means
203 <quote>match any of the roles that are directly or indirectly members
204 of this role</>, while a name without a <literal>+</> mark matches
205 only that specific role.)
206 Multiple user names can be supplied by separating them with commas.
207 A separate file containing user names can be specified by preceding the
208 file name with <literal>@</>.
214 <term><replaceable>CIDR-address</replaceable></term>
217 Specifies the client machine IP address range that this record
218 matches. It contains an IP address in standard dotted decimal
219 notation and a CIDR mask length. (IP addresses can only be
220 specified numerically, not as domain or host names.) The mask
221 length indicates the number of high-order bits of the client
222 IP address that must match. Bits to the right of this must
223 be zero in the given IP address.
224 There must not be any white space between the IP address, the
225 <literal>/</literal>, and the CIDR mask length.
229 Typical examples of a <replaceable>CIDR-address</replaceable> are
230 <literal>172.20.143.89/32</literal> for a single host, or
231 <literal>172.20.143.0/24</literal> for a small network, or
232 <literal>10.6.0.0/16</literal> for a larger one.
233 To specify a single host, use a CIDR mask of 32 for IPv4 or
234 128 for IPv6. In a network address, do not omit trailing zeroes.
238 An IP address given in IPv4 format will match IPv6 connections that
239 have the corresponding address, for example <literal>127.0.0.1</>
240 will match the IPv6 address <literal>::ffff:127.0.0.1</>. An entry
241 given in IPv6 format will match only IPv6 connections, even if the
242 represented address is in the IPv4-in-IPv6 range. Note that entries
243 in IPv6 format will be rejected if the system's C library does not have
244 support for IPv6 addresses.
248 This field only applies to <literal>host</literal>,
249 <literal>hostssl</literal>, and <literal>hostnossl</> records.
255 <term><replaceable>IP-address</replaceable></term>
256 <term><replaceable>IP-mask</replaceable></term>
259 These fields can be used as an alternative to the
260 <replaceable>CIDR-address</replaceable> notation. Instead of
261 specifying the mask length, the actual mask is specified in a
262 separate column. For example, <literal>255.0.0.0</> represents an IPv4
263 CIDR mask length of 8, and <literal>255.255.255.255</> represents a
264 CIDR mask length of 32.
268 These fields only apply to <literal>host</literal>,
269 <literal>hostssl</literal>, and <literal>hostnossl</> records.
275 <term><replaceable>auth-method</replaceable></term>
278 Specifies the authentication method to use when connecting via
279 this record. The possible choices are summarized here; details
280 are in <xref linkend="auth-methods">.
284 <term><literal>trust</></term>
287 Allow the connection unconditionally. This method
288 allows anyone that can connect to the
289 <productname>PostgreSQL</productname> database server to login as
290 any <productname>PostgreSQL</productname> user they like,
291 without the need for a password. See <xref
292 linkend="auth-trust"> for details.
298 <term><literal>reject</></term>
301 Reject the connection unconditionally. This is useful for
302 <quote>filtering out</> certain hosts from a group.
308 <term><literal>md5</></term>
311 Require the client to supply an MD5-encrypted password for
313 See <xref linkend="auth-password"> for details.
319 <term><literal>password</></term>
322 Require the client to supply an unencrypted password for
324 Since the password is sent in clear text over the
325 network, this should not be used on untrusted networks.
326 It also does not usually work with threaded client applications.
327 See <xref linkend="auth-password"> for details.
333 <term><literal>gss</></term>
336 Use GSSAPI to authenticate the user. This is only
337 available for TCP/IP connections. See <xref
338 linkend="gssapi-auth"> for details.
344 <term><literal>sspi</></term>
347 Use SSPI to authenticate the user. This is only
348 available on Windows. See <xref
349 linkend="sspi-auth"> for details.
355 <term><literal>krb5</></term>
358 Use Kerberos V5 to authenticate the user. This is only
359 available for TCP/IP connections. See <xref
360 linkend="kerberos-auth"> for details.
366 <term><literal>ident</></term>
369 Obtain the operating system user name of the client (for
370 TCP/IP connections by contacting the ident server on the
371 client, for local connections by getting it from the
372 operating system) and check if the user is allowed to
373 connect as the requested database user by consulting the map
374 specified after the <literal>ident</literal> key word.
375 See <xref linkend="auth-ident"> for details.
381 <term><literal>ldap</></term>
384 Authenticate using LDAP to a central server. See <xref
385 linkend="auth-ldap"> for details.
391 <term><literal>cert</></term>
394 Authenticate using SSL client certificates. See
395 <xref linkend="auth-cert"> for details.
401 <term><literal>pam</></term>
404 Authenticate using the Pluggable Authentication Modules
405 (PAM) service provided by the operating system. See <xref
406 linkend="auth-pam"> for details.
417 <term><replaceable>auth-options</replaceable></term>
420 This field contains zero or more name-value pairs with
421 extra options passed to this authentication method. Details
422 about which options are available for which authentication
431 Files included by <literal>@</> constructs are read as lists of names,
432 which can be separated by either whitespace or commas. Comments are
433 introduced by <literal>#</literal>, just as in
434 <filename>pg_hba.conf</filename>, and nested <literal>@</> constructs are
435 allowed. Unless the file name following <literal>@</> is an absolute
436 path, it is taken to be relative to the directory containing the
441 Since the <filename>pg_hba.conf</filename> records are examined
442 sequentially for each connection attempt, the order of the records is
443 significant. Typically, earlier records will have tight connection
444 match parameters and weaker authentication methods, while later
445 records will have looser match parameters and stronger authentication
446 methods. For example, one might wish to use <literal>trust</>
447 authentication for local TCP/IP connections but require a password for
448 remote TCP/IP connections. In this case a record specifying
449 <literal>trust</> authentication for connections from 127.0.0.1 would
450 appear before a record specifying password authentication for a wider
451 range of allowed client IP addresses.
455 The <filename>pg_hba.conf</filename> file is read on start-up and when
456 the main server process receives a
457 <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
458 signal. If you edit the file on an
459 active system, you will need to signal the server
460 (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to make it
466 To connect to a particular database, a user must not only pass the
467 <filename>pg_hba.conf</filename> checks, but must have the
468 <literal>CONNECT</> privilege for the database. If you wish to
469 restrict which users can connect to which databases, it's usually
470 easier to control this by granting/revoking <literal>CONNECT</> privilege
471 than to put the rules into <filename>pg_hba.conf</filename> entries.
476 Some examples of <filename>pg_hba.conf</filename> entries are shown in
477 <xref linkend="example-pg-hba.conf">. See the next section for details on the
478 different authentication methods.
481 <example id="example-pg-hba.conf">
482 <title>Example <filename>pg_hba.conf</filename> entries</title>
484 # Allow any user on the local system to connect to any database under
485 # any database user name using Unix-domain sockets (the default for local
488 # TYPE DATABASE USER CIDR-ADDRESS METHOD
491 # The same using local loopback TCP/IP connections.
493 # TYPE DATABASE USER CIDR-ADDRESS METHOD
494 host all all 127.0.0.1/32 trust
496 # The same as the last line but using a separate netmask column
498 # TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
499 host all all 127.0.0.1 255.255.255.255 trust
501 # Allow any user from any host with IP address 192.168.93.x to connect
502 # to database "postgres" as the same user name that ident reports for
503 # the connection (typically the Unix user name).
505 # TYPE DATABASE USER CIDR-ADDRESS METHOD
506 host postgres all 192.168.93.0/24 ident
508 # Allow a user from host 192.168.12.10 to connect to database
509 # "postgres" if the user's password is correctly supplied.
511 # TYPE DATABASE USER CIDR-ADDRESS METHOD
512 host postgres all 192.168.12.10/32 md5
514 # In the absence of preceding "host" lines, these two lines will
515 # reject all connection from 192.168.54.1 (since that entry will be
516 # matched first), but allow Kerberos 5 connections from anywhere else
517 # on the Internet. The zero mask means that no bits of the host IP
518 # address are considered so it matches any host.
520 # TYPE DATABASE USER CIDR-ADDRESS METHOD
521 host all all 192.168.54.1/32 reject
522 host all all 0.0.0.0/0 krb5
524 # Allow users from 192.168.x.x hosts to connect to any database, if
525 # they pass the ident check. If, for example, ident says the user is
526 # "bryanh" and he requests to connect as PostgreSQL user "guest1", the
527 # connection is allowed if there is an entry in pg_ident.conf for map
528 # "omicron" that says "bryanh" is allowed to connect as "guest1".
530 # TYPE DATABASE USER CIDR-ADDRESS METHOD
531 host all all 192.168.0.0/16 ident map=omicron
533 # If these are the only three lines for local connections, they will
534 # allow local users to connect only to their own databases (databases
535 # with the same name as their database user name) except for administrators
536 # and members of role "support", who can connect to all databases. The file
537 # $PGDATA/admins contains a list of names of administrators. Passwords
538 # are required in all cases.
540 # TYPE DATABASE USER CIDR-ADDRESS METHOD
541 local sameuser all md5
542 local all @admins md5
543 local all +support md5
545 # The last two lines above can be combined into a single line:
546 local all @admins,+support md5
548 # The database column can also use lists and file names:
549 local db1,db2,@demodbs all md5
554 <sect1 id="auth-username-maps">
555 <title>Username maps</title>
557 <indexterm zone="auth-username-maps">
558 <primary>Username maps</primary>
562 When using an external authentication system like Ident or GSSAPI,
563 the name of the operating system user that initiated the connection may
564 not be the same as the database user he is requesting to connect as.
565 In this case, a user name map can be applied to map the operating system
566 username to a database user, using the <filename>pg_ident.conf</filename>
567 file. In order to use username mapping, specify
568 <literal>map</literal>=<replaceable>map-name</replaceable>
569 in the options field in <filename>pg_hba.conf</filename>. This option is
570 supported for all authentication methods that receive external usernames.
571 Since the <filename>pg_ident.conf</filename> file can contain multiple maps,
572 the name of the map to be used is specified in the
573 <replaceable>map-name</replaceable> parameter in <filename>pg_hba.conf</filename>
574 to indicate which map to use for each individual connection.
578 Ident maps are defined in the ident map file, which by default is named
579 <filename>pg_ident.conf</><indexterm><primary>pg_ident.conf</primary></indexterm>
581 cluster's data directory. (It is possible to place the map file
582 elsewhere, however; see the <xref linkend="guc-ident-file">
583 configuration parameter.)
584 The ident map file contains lines of the general form:
586 <replaceable>map-name</> <replaceable>system-username</> <replaceable>database-username</>
588 Comments and whitespace are handled in the same way as in
589 <filename>pg_hba.conf</>. The
590 <replaceable>map-name</> is an arbitrary name that will be used to
591 refer to this mapping in <filename>pg_hba.conf</filename>. The other
592 two fields specify which operating system user is allowed to connect
593 as which database user. The same <replaceable>map-name</> can be
594 used repeatedly to specify more user-mappings within a single map.
595 There is no restriction regarding how many database users a given
596 operating system user can correspond to, nor vice versa.
600 The <filename>pg_ident.conf</filename> file is read on start-up and
601 when the main server process receives a
602 <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
603 signal. If you edit the file on an
604 active system, you will need to signal the server
605 (using <literal>pg_ctl reload</> or <literal>kill -HUP</>) to make it
610 A <filename>pg_ident.conf</filename> file that could be used in
611 conjunction with the <filename>pg_hba.conf</> file in <xref
612 linkend="example-pg-hba.conf"> is shown in <xref
613 linkend="example-pg-ident.conf">. In this example setup, anyone
614 logged in to a machine on the 192.168 network that does not have the
615 Unix user name <literal>bryanh</>, <literal>ann</>, or
616 <literal>robert</> would not be granted access. Unix user
617 <literal>robert</> would only be allowed access when he tries to
618 connect as <productname>PostgreSQL</> user <literal>bob</>, not
619 as <literal>robert</> or anyone else. <literal>ann</> would
620 only be allowed to connect as <literal>ann</>. User
621 <literal>bryanh</> would be allowed to connect as either
622 <literal>bryanh</> himself or as <literal>guest1</>.
625 <example id="example-pg-ident.conf">
626 <title>An example <filename>pg_ident.conf</> file</title>
628 # MAPNAME IDENT-USERNAME PG-USERNAME
630 omicron bryanh bryanh
632 # bob has user name robert on these machines
634 # bryanh can also connect as guest1
635 omicron bryanh guest1
640 <sect1 id="auth-methods">
641 <title>Authentication methods</title>
643 The following subsections describe the authentication methods in more detail.
646 <sect2 id="auth-trust">
647 <title>Trust authentication</title>
650 When <literal>trust</> authentication is specified,
651 <productname>PostgreSQL</productname> assumes that anyone who can
652 connect to the server is authorized to access the database with
653 whatever database user name they specify (including superusers).
654 Of course, restrictions made in the <literal>database</> and
655 <literal>user</> columns still apply.
656 This method should only be used when there is adequate
657 operating-system-level protection on connections to the server.
661 <literal>trust</> authentication is appropriate and very
662 convenient for local connections on a single-user workstation. It
663 is usually <emphasis>not</> appropriate by itself on a multiuser
664 machine. However, you might be able to use <literal>trust</> even
665 on a multiuser machine, if you restrict access to the server's
666 Unix-domain socket file using file-system permissions. To do this, set the
667 <varname>unix_socket_permissions</varname> (and possibly
668 <varname>unix_socket_group</varname>) configuration parameters as
669 described in <xref linkend="runtime-config-connection">. Or you
670 could set the <varname>unix_socket_directory</varname>
671 configuration parameter to place the socket file in a suitably
672 restricted directory.
676 Setting file-system permissions only helps for Unix-socket connections.
677 Local TCP/IP connections are not restricted by it; therefore, if you want
678 to use file-system permissions for local security, remove the <literal>host ...
679 127.0.0.1 ...</> line from <filename>pg_hba.conf</>, or change it to a
680 non-<literal>trust</> authentication method.
684 <literal>trust</> authentication is only suitable for TCP/IP connections
685 if you trust every user on every machine that is allowed to connect
686 to the server by the <filename>pg_hba.conf</> lines that specify
687 <literal>trust</>. It is seldom reasonable to use <literal>trust</>
688 for any TCP/IP connections other than those from <systemitem>localhost</> (127.0.0.1).
693 <sect2 id="auth-password">
694 <title>Password authentication</title>
700 <primary>password</primary>
701 <secondary>authentication</secondary>
705 The password-based authentication methods are <literal>md5</>,
706 and <literal>password</>. These methods operate
707 similarly except for the way that the password is sent across the
708 connection: respectively, MD5-hashed and clear-text.
712 If you are at all concerned about password
713 <quote>sniffing</> attacks then <literal>md5</> is preferred.
714 Plain <literal>password</> should always be avoided if possible.
718 <productname>PostgreSQL</productname> database passwords are
719 separate from operating system user passwords. The password for
720 each database user is stored in the <literal>pg_authid</> system
721 catalog. Passwords can be managed with the SQL commands
722 <xref linkend="sql-createuser" endterm="sql-createuser-title"> and
723 <xref linkend="sql-alteruser" endterm="sql-alteruser-title">,
724 e.g., <userinput>CREATE USER foo WITH PASSWORD 'secret';</userinput>.
725 By default, that is, if no password has been set up, the stored password
726 is null and password authentication will always fail for that user.
731 <sect2 id="gssapi-auth">
732 <title>GSSAPI authentication</title>
734 <indexterm zone="gssapi-auth">
735 <primary>GSSAPI</primary>
739 <productname>GSSAPI</productname> is an industry-standard protocol
740 for secure authentication defined in RFC 2743.
741 <productname>PostgreSQL</productname> supports
742 <productname>GSSAPI</productname> with <productname>Kerberos</productname>
743 authentication according to RFC 1964. <productname>GSSAPI</productname>
744 provides automatic authentication (single sign-on) for systems
745 that support it. The authentication itself is secure, but the
746 data sent over the connection will be in clear unless
747 <acronym>SSL</acronym> is used.
751 When <productname>GSSAPI</productname> uses
752 <productname>Kerberos</productname>, it uses a standard principal
754 <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>. For information about the parts of the principal, and
755 how to set up the required keys, see <xref linkend="kerberos-auth">.
756 GSSAPI support has to be enabled when <productname>PostgreSQL</> is built;
757 see <xref linkend="installation"> for more information.
761 The following configuration options are supported for <productname>GSSAPI</productname>:
767 Allows for mapping between system and database usernames. See
768 <xref linkend="auth-username-maps"> for details.
776 <sect2 id="sspi-auth">
777 <title>SSPI authentication</title>
779 <indexterm zone="sspi-auth">
780 <primary>SSPI</primary>
784 <productname>SSPI</productname> is a <productname>Windows</productname>
785 technology for secure authentication with single sign-on.
786 <productname>PostgreSQL</productname> will use SSPI in
787 <literal>negotiate</literal> mode, which will use
788 <productname>Kerberos</productname> when possible and automatically
789 fall back to <productname>NTLM</productname> in other cases.
790 <productname>SSPI</productname> authentication only works when both
791 server and client are running <productname>Windows</productname>.
795 When using <productname>Kerberos</productname> authentication,
796 <productname>SSPI</productname> works the same way
797 <productname>GSSAPI</productname> does. See <xref linkend="gssapi-auth">
802 The following configuration options are supported for <productname>SSPI</productname>:
808 Allows for mapping between system and database usernames. See
809 <xref linkend="auth-username-maps"> for details.
817 <sect2 id="kerberos-auth">
818 <title>Kerberos authentication</title>
820 <indexterm zone="kerberos-auth">
821 <primary>Kerberos</primary>
826 Native Kerberos authentication has been deprecated and should be used
827 only for backward compatibility. New and upgraded installations are
828 encouraged to use the industry-standard <productname>GSSAPI</productname>
829 authentication (see <xref linkend="gssapi-auth">) instead.
834 <productname>Kerberos</productname> is an industry-standard secure
835 authentication system suitable for distributed computing over a public
836 network. A description of the <productname>Kerberos</productname> system
837 is far beyond the scope of this document; in full generality it can be
838 quite complex (yet powerful). The
839 <ulink url="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">
840 Kerberos <acronym>FAQ</></ulink> or
841 <ulink url="http://web.mit.edu/kerberos/www/">MIT Kerberos page</ulink>
842 can be good starting points for exploration.
843 Several sources for <productname>Kerberos</> distributions exist.
844 <productname>Kerberos</productname> provides secure authentication but
845 does not encrypt queries or data passed over the network; for that
846 use <acronym>SSL</acronym>.
850 <productname>PostgreSQL</> supports Kerberos version 5. Kerberos
851 support has to be enabled when <productname>PostgreSQL</> is built;
852 see <xref linkend="installation"> for more information.
856 <productname>PostgreSQL</> operates like a normal Kerberos service.
857 The name of the service principal is
858 <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
862 <replaceable>servicename</> can be set on the server side using the
863 <xref linkend="guc-krb-srvname"> configuration parameter, and on the
864 client side using the <literal>krbsrvname</> connection parameter. (See
865 also <xref linkend="libpq-connect">.) The installation default can be
866 changed from the default <literal>postgres</literal> at build time using
867 <literal>./configure --with-krb-srvnam=whatever</>. In most environments,
868 this parameter never needs to be changed. However, to support multiple
869 <productname>PostgreSQL</> installations on the same host it is necessary.
870 Some Kerberos implementations might also require a different service name,
871 such as Microsoft Active Directory which requires the service name
872 to be in uppercase (<literal>POSTGRES</literal>).
876 <replaceable>hostname</> is the fully qualified host name of the
877 server machine. The service principal's realm is the preferred realm
878 of the server machine.
882 Client principals must have their <productname>PostgreSQL</> database user
883 name as their first component, for example
884 <literal>pgusername@realm</>. By default, the realm of the client is
885 not checked by <productname>PostgreSQL</>. If you have cross-realm
886 authentication enabled and need to verify the realm, use the
887 <xref linkend="guc-krb-realm"> parameter.
891 Make sure that your server keytab file is readable (and preferably
892 only readable) by the <productname>PostgreSQL</productname> server
893 account. (See also <xref linkend="postgres-user">.) The location
894 of the key file is specified by the <xref
895 linkend="guc-krb-server-keyfile"> configuration
896 parameter. The default is
897 <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whichever
898 directory was specified as <varname>sysconfdir</> at build time).
902 The keytab file is generated by the Kerberos software; see the
903 Kerberos documentation for details. The following example is
904 for MIT-compatible Kerberos 5 implementations:
906 <prompt>kadmin% </><userinput>ank -randkey postgres/server.my.domain.org</>
907 <prompt>kadmin% </><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</>
912 When connecting to the database make sure you have a ticket for a
913 principal matching the requested database user name. For example, for
914 database user name <literal>fred</>, both principal
915 <literal>fred@EXAMPLE.COM</> and
916 <literal>fred/users.example.com@EXAMPLE.COM</> could be used to
917 authenticate to the database server.
921 If you use <ulink url="http://modauthkerb.sf.net">
922 <application>mod_auth_kerb</application></ulink>
923 and <application>mod_perl</application> on your
924 <productname>Apache</productname> web server, you can use
925 <literal>AuthType KerberosV5SaveCredentials</literal> with a
926 <application>mod_perl</application> script. This gives secure
927 database access over the web, no extra passwords required.
932 <sect2 id="auth-ident">
933 <title>Ident-based authentication</title>
936 <primary>ident</primary>
940 The ident authentication method works by obtaining the client's
941 operating system user name, then optionally determining the allowed
942 database user names using a map file that lists the permitted
943 corresponding pairs of names. The determination of the client's
944 user name is the security-critical point, and it works differently
945 depending on the connection type.
949 The following configuration options are supported for <productname>GSSAPI</productname>:
955 Allows for mapping between system and database usernames. See
956 <xref linkend="auth-username-maps"> for details.
964 <title>Ident Authentication over TCP/IP</title>
967 The <quote>Identification Protocol</quote> is described in
968 RFC 1413. Virtually every Unix-like
969 operating system ships with an ident server that listens on TCP
970 port 113 by default. The basic functionality of an ident server
971 is to answer questions like <quote>What user initiated the
972 connection that goes out of your port <replaceable>X</replaceable>
973 and connects to my port <replaceable>Y</replaceable>?</quote>.
974 Since <productname>PostgreSQL</> knows both <replaceable>X</> and
975 <replaceable>Y</> when a physical connection is established, it
976 can interrogate the ident server on the host of the connecting
977 client and could theoretically determine the operating system user
978 for any given connection this way.
982 The drawback of this procedure is that it depends on the integrity
983 of the client: if the client machine is untrusted or compromised
984 an attacker could run just about any program on port 113 and
985 return any user name he chooses. This authentication method is
986 therefore only appropriate for closed networks where each client
987 machine is under tight control and where the database and system
988 administrators operate in close contact. In other words, you must
989 trust the machine running the ident server.
992 <attribution>RFC 1413</attribution>
994 The Identification Protocol is not intended as an authorization
995 or access control protocol.
1001 Some ident servers have a nonstandard option that causes the returned
1002 user name to be encrypted, using a key that only the originating
1003 machine's administrator knows. This option <emphasis>must not</> be
1004 used when using the ident server with <productname>PostgreSQL</>,
1005 since <productname>PostgreSQL</> does not have any way to decrypt the
1006 returned string to determine the actual user name.
1011 <title>Ident Authentication over Local Sockets</title>
1014 On systems supporting <symbol>SO_PEERCRED</symbol> requests for
1015 Unix-domain sockets (currently <systemitem
1016 class="osname">Linux</>, <systemitem class="osname">FreeBSD</>,
1017 <systemitem class="osname">NetBSD</>, <systemitem class="osname">OpenBSD</>,
1018 <systemitem class="osname">BSD/OS</>, and <systemitem class="osname">Solaris</systemitem>), ident authentication can also
1019 be applied to local connections. In this case, no security risk is added by
1020 using ident authentication; indeed it is a preferable choice for
1021 local connections on such systems.
1025 On systems without <symbol>SO_PEERCRED</> requests, ident
1026 authentication is only available for TCP/IP connections. As a
1027 work-around, it is possible to specify the <systemitem
1028 class="systemname">localhost</> address <systemitem
1029 class="systemname">127.0.0.1</> and make connections to this
1030 address. This method is trustworthy to the extent that you trust
1031 the local ident server.
1037 <sect2 id="auth-ldap">
1038 <title>LDAP authentication</title>
1040 <indexterm zone="auth-ldap">
1041 <primary>LDAP</primary>
1045 This authentication method operates similarly to
1046 <literal>password</literal> except that it uses LDAP
1047 as the password verification method. LDAP is used only to validate
1048 the user name/password pairs. Therefore the user must already
1049 exist in the database before LDAP can be used for
1054 The server will bind to the distinguished name constructed as
1055 <replaceable>prefix</> <replaceable>username</> <replaceable>suffix</>.
1056 before the bind. Typically, the prefix parameter is used to specify
1057 <replaceable>cn=</>, or <replaceable>DOMAIN\</> in an Active
1058 Directory environment, and suffix is used to specify the remaining part
1059 of the DN in a non-Active Directory environment.
1063 The following configuration options are supported for LDAP:
1066 <term>ldapserver</term>
1069 Name or IP of LDAP server to connect to.
1074 <term>ldapprefix</term>
1077 String to prepend to the username when building the base DN to
1083 <term>ldapsuffix</term>
1086 String to append to the username when building the base DN to
1092 <term>ldapport</term>
1095 Port number on LDAP server to connect to. If no port is specified,
1096 the default port in the LDAP library will be used.
1101 <term>ldaptls</term>
1104 Set to 1 to make the connection between PostgreSQL and the
1105 LDAP server use TLS encryption. Note that this only encrypts
1106 the traffic to the LDAP server - the connection to the client
1107 may still be unencrypted unless TLS is used there as well.
1116 Since LDAP often uses commas and spaces to separate the different
1117 parts of a DN, it is advised to always use double-quoted parameter
1118 values when configuring LDAP options, such as:
1122 ldapserver=ldap.example.net prefix="cn=" suffix="dc=example, dc=net"
1127 <sect2 id="auth-cert">
1128 <title>Certificate authentication</title>
1130 <indexterm zone="auth-cert">
1131 <primary>Certificate</primary>
1135 This authentication method uses SSL client certificates to perform
1136 authentication. It is therefore only available for SSL connections.
1137 When using this authentication method, the server will require that
1138 the client provide a certificate. No password prompt will be sent
1139 to the client. The <literal>cn</literal> attribute of the certificate
1140 will be matched with the username the user is trying to log in as,
1141 and if they match the login will be allowed. Username mapping can be
1142 used if the usernames don't match.
1146 <sect2 id="auth-pam">
1147 <title>PAM authentication</title>
1149 <indexterm zone="auth-pam">
1150 <primary>PAM</primary>
1154 This authentication method operates similarly to
1155 <literal>password</literal> except that it uses PAM (Pluggable
1156 Authentication Modules) as the authentication mechanism. The
1157 default PAM service name is <literal>postgresql</literal>.
1158 PAM is used only to validate user name/password pairs.
1159 Therefore the user must already exist in the database before PAM
1160 can be used for authentication. For more information about
1161 PAM, please read the <ulink url="http://www.kernel.org/pub/linux/libs/pam/">
1162 <productname>Linux-PAM</> Page</ulink>
1163 and the <ulink url="http://www.sun.com/software/solaris/pam/">
1164 <systemitem class="osname">Solaris</> PAM Page</ulink>.
1168 The following configuration options are supported for PAM:
1171 <term>pamservice</term>
1183 If PAM is set up to read <filename>/etc/shadow</>, authentication
1184 will fail because the PostgreSQL server is started by a non-root
1185 user. However, this is not an issue with LDAP or other authentication
1192 <sect1 id="client-authentication-problems">
1193 <title>Authentication problems</title>
1196 Genuine authentication failures and related problems generally
1197 manifest themselves through error messages like the following.
1202 FATAL: no pg_hba.conf entry for host "123.123.123.123", user "andym", database "testdb"
1204 This is what you are most likely to get if you succeed in contacting
1205 the server, but it does not want to talk to you. As the message
1206 suggests, the server refused the connection request because it found
1207 no matching entry in its <filename>pg_hba.conf</filename>
1213 FATAL: Password authentication failed for user "andym"
1215 Messages like this indicate that you contacted the server, and it is
1216 willing to talk to you, but not until you pass the authorization
1217 method specified in the <filename>pg_hba.conf</filename> file. Check
1218 the password you are providing, or check your Kerberos or ident
1219 software if the complaint mentions one of those authentication
1225 FATAL: user "andym" does not exist
1227 The indicated user name was not found.
1232 FATAL: database "testdb" does not exist
1234 The database you are trying to connect to does not exist. Note that
1235 if you do not specify a database name, it defaults to the database
1236 user name, which might or might not be the right thing.
1241 The server log might contain more information about an
1242 authentication failure than is reported to the client. If you are
1243 confused about the reason for a failure, check the log.