From dc32d2cefae03e8dc390df94232774780e7db28d Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Wed, 18 Jul 2007 12:00:47 +0000 Subject: [PATCH] GSSAPI documentation --- doc/src/sgml/client-auth.sgml | 44 +++++++++- doc/src/sgml/config.sgml | 9 ++- doc/src/sgml/installation.sgml | 26 +++++- doc/src/sgml/libpq.sgml | 11 +-- doc/src/sgml/protocol.sgml | 141 +++++++++++++++++++++++++++++++-- 5 files changed, 212 insertions(+), 19 deletions(-) diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 8b3954df74..e3fa1c8b27 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,4 +1,4 @@ - + Client Authentication @@ -347,6 +347,17 @@ hostnossl database user + + gss + + + Use GSSAPI to authenticate the user. This is only + available for TCP/IP connections. See for details. + + + + krb5 @@ -635,6 +646,37 @@ local db1,db2,@demodbs all md5 + + GSSAPI authentication + + + GSSAPI + + + + GSSAPI is an industry-standard protocol + for secure authentication defined in RFC2743. + PostgreSQL supports + GSSAPI with Kerberos + authentication according to RFC1964. GSSAPI + provides automatic authentication (single sign-on) for systems + that support it. The authentication itself is secure, but the + data sent over the connection will be in clear unless + SSL is used. + + + + When GSSAPI uses + Kerberos, it uses a standard principal + in format + servicename/hostname@realm. For information about the parts of the principal, and + how to set up the required keys, see . + GSSAPI support has to be enabled when PostgreSQL is built; + see for more information. + + + + Kerberos authentication diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 73dcd0be6b..b001e5f283 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1,4 +1,4 @@ - + Server Configuration @@ -609,8 +609,8 @@ SET ENABLE_SEQSCAN TO OFF; Sets the location of the Kerberos server key file. See - for details. This parameter - can only be set at server start. + or + for details. This parameter can only be set at server start. @@ -652,7 +652,8 @@ SET ENABLE_SEQSCAN TO OFF; - Sets whether Kerberos user names should be treated case-insensitively. + Sets whether Kerberos and GSSAPI user names should be treated + case-insensitively. The default is off (case sensitive). This parameter can only be set at server start. diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml index 49fdc7cef4..b1bc316666 100644 --- a/doc/src/sgml/installation.sgml +++ b/doc/src/sgml/installation.sgml @@ -1,4 +1,4 @@ - + <![%standalone-include[<productname>PostgreSQL</>]]> @@ -801,6 +801,23 @@ su - postgres </listitem> </varlistentry> + <varlistentry> + <term><option>--with-gssapi</option></term> + <listitem> + <para> + Build with support for GSSAPI authentication. On many + systems, the GSSAPI (usually a part of the Kerberos installation) + system is not installed in a location + that is searched by default (e.g., <filename>/usr/include</>, + <filename>/usr/lib</>), so you must use the options + <option>--with-includes</> and <option>--with-libraries</> in + addition to this option. <filename>configure</> will check + for the required header files and libraries to make sure that + your GSSAPI installation is sufficient before proceeding. + </para> + </listitem> + </varlistentry> + <varlistentry> <term><option>--with-krb5</option></term> <listitem> @@ -821,9 +838,12 @@ su - postgres <term><option>--with-krb-srvnam=<replaceable>NAME</></option></term> <listitem> <para> - The default name of the Kerberos service principal. + The default name of the Kerberos service principal (also used + by GSSAPI). <literal>postgres</literal> is the default. There's usually no - reason to change this. + reason to change this unless you have a Windows environment, + in which case it must be set to uppercase + <literal>POSTGRES</literal>. </para> </listitem> </varlistentry> diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index e788fa109b..e1ee97ce18 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.237 2007/07/08 18:28:55 tgl Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.238 2007/07/18 12:00:47 mha Exp $ --> <chapter id="libpq"> <title><application>libpq</application> - C Library @@ -131,7 +131,7 @@ PGconn *PQconnectdb(const char *conninfo); Using hostaddr instead of host allows the application to avoid a host name look-up, which might be important in - applications with time constraints. However, Kerberos authentication + applications with time constraints. However, Kerberos and GSSAPI authentication requires the host name. The following therefore applies: If host is specified without hostaddr, a host name lookup occurs. If hostaddr is specified without @@ -281,10 +281,11 @@ PGconn *PQconnectdb(const char *conninfo); krbsrvname - Kerberos service name to use when authenticating with Kerberos 5. + Kerberos service name to use when authenticating with Kerberos 5 + or GSSAPI. This must match the service name specified in the server configuration for Kerberos authentication to succeed. (See also - .) + and .) @@ -4214,7 +4215,7 @@ set, the secret key must be kept in a file. PGKRBSRVNAME PGKRBSRVNAME sets the Kerberos service name to use when -authenticating with Kerberos 5. +authenticating with Kerberos 5 or GSSAPI. diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 9f0059f8b2..5ae7a7293f 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -1,4 +1,4 @@ - + Frontend/Backend Protocol @@ -230,11 +230,11 @@ The server then sends an appropriate authentication request message, to which the frontend must reply with an appropriate authentication response message (such as a password). - In principle the authentication request/response cycle could require - multiple iterations, but none of the present authentication methods - use more than one request and response. In some methods, no response + For all authentication methods except GSSAPI, there is at most + one request and one response. In some methods, no response at all is needed from the frontend, and so no authentication request - occurs. + occurs. For GSSAPI, multiple iterations of packets may be needed to + complete the authentication. @@ -332,6 +332,34 @@ + + AuthenticationGSS + + + The frontend must now initiate a GSSAPI negotiation. The frontend + will send a PasswordMessage with the first part of the GSSAPI + data stream in response to this. If further messages are needed, + the server will respond with AuthenticationGSSContinue. + + + + + + AuthenticationGSSContinue + + + This message contains the response data from the previous step + of GSSAPI negotiation (AuthenticationGSS or a previous + AuthenticationGSSContinue). If the GSSAPI data in this message + indicates more data is needed to complete the authentication, + the frontend must send this data as another PasswordMessage. If + GSSAPI authentication is completed by this message, the server + will also send AuthenticationOk to indicate successful authentication + or ErrorResponse to indicate failure. + + + + @@ -1633,6 +1661,106 @@ AuthenticationSCMCredential (B) + + +AuthenticationGSS (B) + + + + + + + + Byte1('R') + + + + Identifies the message as an authentication request. + + + + + + Int32(8) + + + + Length of message contents in bytes, including self. + + + + + + Int32(7) + + + + Specifies that GSSAPI authentication is required. + + + + + + + + + + + + +AuthenticationGSSContinue (B) + + + + + + + + Byte1('R') + + + + Identifies the message as an authentication request. + + + + + + Int32 + + + + Length of message contents in bytes, including self. + + + + + + Int32(8) + + + + Specifies that this message contains GSSAPI data. + + + + + + Byten + + + + GSSAPI authentication data. + + + + + + + + + + BackendKeyData (B) @@ -3317,7 +3445,8 @@ PasswordMessage (F) - Identifies the message as a password response. + Identifies the message as a password response. Note that + this is also used by GSSAPI response messages. -- 2.40.0