From 5e45211a64149b3c659b90ff2de6fa982a5a93ed Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sat, 4 May 2024 14:17:33 +0200
Subject: Adding upstream version 15.5.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 doc/src/sgml/html/auth-ident.html | 52 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 doc/src/sgml/html/auth-ident.html

(limited to 'doc/src/sgml/html/auth-ident.html')

diff --git a/doc/src/sgml/html/auth-ident.html b/doc/src/sgml/html/auth-ident.html
new file mode 100644
index 0000000..e2999e7
--- /dev/null
+++ b/doc/src/sgml/html/auth-ident.html
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>21.8. Ident Authentication</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="sspi-auth.html" title="21.7. SSPI Authentication" /><link rel="next" href="auth-peer.html" title="21.9. Peer Authentication" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">21.8. Ident Authentication</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="sspi-auth.html" title="21.7. SSPI Authentication">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><th width="60%" align="center">Chapter 21. Client Authentication</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-peer.html" title="21.9. Peer Authentication">Next</a></td></tr></table><hr /></div><div class="sect1" id="AUTH-IDENT"><div class="titlepage"><div><div><h2 class="title" style="clear: both">21.8. Ident Authentication</h2></div></div></div><a id="id-1.6.8.15.2" class="indexterm"></a><p>
+    The ident authentication method works by obtaining the client's
+    operating system user name from an ident server and using it as
+    the allowed database user name (with an optional user name mapping).
+    This is only supported on TCP/IP connections.
+   </p><div class="note"><h3 class="title">Note</h3><p>
+     When ident is specified for a local (non-TCP/IP) connection,
+     peer authentication (see <a class="xref" href="auth-peer.html" title="21.9. Peer Authentication">Section 21.9</a>) will be
+     used instead.
+    </p></div><p>
+    The following configuration options are supported for <code class="literal">ident</code>:
+    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">map</code></span></dt><dd><p>
+        Allows for mapping between system and database user names. See
+        <a class="xref" href="auth-username-maps.html" title="21.2. User Name Maps">Section 21.2</a> for details.
+       </p></dd></dl></div><p>
+   </p><p>
+    The <span class="quote">“<span class="quote">Identification Protocol</span>”</span> is described in
+    <a class="ulink" href="https://tools.ietf.org/html/rfc1413" target="_top">RFC 1413</a>.
+    Virtually every Unix-like
+    operating system ships with an ident server that listens on TCP
+    port 113 by default. The basic functionality of an ident server
+    is to answer questions like <span class="quote">“<span class="quote">What user initiated the
+    connection that goes out of your port <em class="replaceable"><code>X</code></em>
+    and connects to my port <em class="replaceable"><code>Y</code></em>?</span>”</span>.
+    Since <span class="productname">PostgreSQL</span> knows both <em class="replaceable"><code>X</code></em> and
+    <em class="replaceable"><code>Y</code></em> when a physical connection is established, it
+    can interrogate the ident server on the host of the connecting
+    client and can theoretically determine the operating system user
+    for any given connection.
+   </p><p>
+    The drawback of this procedure is that it depends on the integrity
+    of the client: if the client machine is untrusted or compromised,
+    an attacker could run just about any program on port 113 and
+    return any user name they choose. This authentication method is
+    therefore only appropriate for closed networks where each client
+    machine is under tight control and where the database and system
+    administrators operate in close contact. In other words, you must
+    trust the machine running the ident server.
+    Heed the warning:
+    </p><div class="blockquote"><table border="0" class="blockquote" style="width: 100%; cellspacing: 0; cellpadding: 0;" summary="Block quote"><tr><td width="10%" valign="top"> </td><td width="80%" valign="top"><p>
+      The Identification Protocol is not intended as an authorization
+      or access control protocol.
+     </p></td><td width="10%" valign="top"> </td></tr><tr><td width="10%" valign="top"> </td><td colspan="2" align="right" valign="top">--<span class="attribution">RFC 1413</span></td></tr></table></div><p>
+   </p><p>
+    Some ident servers have a nonstandard option that causes the returned
+    user name to be encrypted, using a key that only the originating
+    machine's administrator knows.  This option <span class="emphasis"><em>must not</em></span> be
+    used when using the ident server with <span class="productname">PostgreSQL</span>,
+    since <span class="productname">PostgreSQL</span> does not have any way to decrypt the
+    returned string to determine the actual user name.
+   </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sspi-auth.html" title="21.7. SSPI Authentication">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="client-authentication.html" title="Chapter 21. Client Authentication">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-peer.html" title="21.9. Peer Authentication">Next</a></td></tr><tr><td width="40%" align="left" valign="top">21.7. SSPI Authentication </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> 21.9. Peer Authentication</td></tr></table></div></body></html>
\ No newline at end of file
-- 
cgit v1.2.3