summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/client-auth.sgml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src/sgml/client-auth.sgml')
-rw-r--r--doc/src/sgml/client-auth.sgml2244
1 files changed, 2244 insertions, 0 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
new file mode 100644
index 0000000..4337599
--- /dev/null
+++ b/doc/src/sgml/client-auth.sgml
@@ -0,0 +1,2244 @@
+<!-- doc/src/sgml/client-auth.sgml -->
+
+<chapter id="client-authentication">
+ <title>Client Authentication</title>
+
+ <indexterm zone="client-authentication">
+ <primary>client authentication</primary>
+ </indexterm>
+
+ <para>
+ When a client application connects to the database server, it
+ specifies which <productname>PostgreSQL</productname> database user name it
+ wants to connect as, much the same way one logs into a Unix computer
+ as a particular user. Within the SQL environment the active database
+ user name determines access privileges to database objects &mdash; see
+ <xref linkend="user-manag"/> for more information. Therefore, it is
+ essential to restrict which database users can connect.
+ </para>
+
+ <note>
+ <para>
+ As explained in <xref linkend="user-manag"/>,
+ <productname>PostgreSQL</productname> actually does privilege
+ management in terms of <quote>roles</quote>. In this chapter, we
+ consistently use <firstterm>database user</firstterm> to mean <quote>role with the
+ <literal>LOGIN</literal> privilege</quote>.
+ </para>
+ </note>
+
+ <para>
+ <firstterm>Authentication</firstterm> is the process by which the
+ database server establishes the identity of the client, and by
+ extension determines whether the client application (or the user
+ who runs the client application) is permitted to connect with the
+ database user name that was requested.
+ </para>
+
+ <para>
+ <productname>PostgreSQL</productname> offers a number of different
+ client authentication methods. The method used to authenticate a
+ particular client connection can be selected on the basis of
+ (client) host address, database, and user.
+ </para>
+
+ <para>
+ <productname>PostgreSQL</productname> database user names are logically
+ separate from user names of the operating system in which the server
+ runs. If all the users of a particular server also have accounts on
+ the server's machine, it makes sense to assign database user names
+ that match their operating system user names. However, a server that
+ accepts remote connections might have many database users who have no local
+ operating system
+ account, and in such cases there need be no connection between
+ database user names and OS user names.
+ </para>
+
+ <sect1 id="auth-pg-hba-conf">
+ <title>The <filename>pg_hba.conf</filename> File</title>
+
+ <indexterm zone="auth-pg-hba-conf">
+ <primary>pg_hba.conf</primary>
+ </indexterm>
+
+ <para>
+ Client authentication is controlled by a configuration file,
+ which traditionally is named
+ <filename>pg_hba.conf</filename> and is stored in the database
+ cluster's data directory.
+ (<acronym>HBA</acronym> stands for host-based authentication.) A default
+ <filename>pg_hba.conf</filename> file is installed when the data
+ directory is initialized by <xref linkend="app-initdb"/>. It is
+ possible to place the authentication configuration file elsewhere,
+ however; see the <xref linkend="guc-hba-file"/> configuration parameter.
+ </para>
+
+ <para>
+ The general format of the <filename>pg_hba.conf</filename> file is
+ a set of records, one per line. Blank lines are ignored, as is any
+ text after the <literal>#</literal> comment character.
+ A record can be continued onto the next line by ending the line with
+ a backslash. (Backslashes are not special except at the end of a line.)
+ A record is made
+ up of a number of fields which are separated by spaces and/or tabs.
+ Fields can contain white space if the field value is double-quoted.
+ Quoting one of the keywords in a database, user, or address field (e.g.,
+ <literal>all</literal> or <literal>replication</literal>) makes the word lose its special
+ meaning, and just match a database, user, or host with that name.
+ Backslash line continuation applies even within quoted text or comments.
+ </para>
+
+ <para>
+ Each record specifies a connection type, a client IP address range
+ (if relevant for the connection type), a database name, a user name,
+ and the authentication method to be used for connections matching
+ these parameters. The first record with a matching connection type,
+ client address, requested database, and user name is used to perform
+ authentication. There is no <quote>fall-through</quote> or
+ <quote>backup</quote>: if one record is chosen and the authentication
+ fails, subsequent records are not considered. If no record matches,
+ access is denied.
+ </para>
+
+ <para>
+ A record can have several formats:
+<synopsis>
+local <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostgssenc <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostnogssenc <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>address</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+host <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostssl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostgssenc <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+hostnogssenc <replaceable>database</replaceable> <replaceable>user</replaceable> <replaceable>IP-address</replaceable> <replaceable>IP-mask</replaceable> <replaceable>auth-method</replaceable> <optional><replaceable>auth-options</replaceable></optional>
+</synopsis>
+ The meaning of the fields is as follows:
+
+ <variablelist>
+ <varlistentry>
+ <term><literal>local</literal></term>
+ <listitem>
+ <para>
+ This record matches connection attempts using Unix-domain
+ sockets. Without a record of this type, Unix-domain socket
+ connections are disallowed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>host</literal></term>
+ <listitem>
+ <para>
+ This record matches connection attempts made using TCP/IP.
+ <literal>host</literal> records match
+ <acronym>SSL</acronym> or non-<acronym>SSL</acronym> connection
+ attempts as well as <acronym>GSSAPI</acronym> encrypted or
+ non-<acronym>GSSAPI</acronym> encrypted connection attempts.
+ </para>
+ <note>
+ <para>
+ Remote TCP/IP connections will not be possible unless
+ the server is started with an appropriate value for the
+ <xref linkend="guc-listen-addresses"/> configuration parameter,
+ since the default behavior is to listen for TCP/IP connections
+ only on the local loopback address <literal>localhost</literal>.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>hostssl</literal></term>
+ <listitem>
+ <para>
+ This record matches connection attempts made using TCP/IP,
+ but only when the connection is made with <acronym>SSL</acronym>
+ encryption.
+ </para>
+
+ <para>
+ To make use of this option the server must be built with
+ <acronym>SSL</acronym> support. Furthermore,
+ <acronym>SSL</acronym> must be enabled
+ by setting the <xref linkend="guc-ssl"/> configuration parameter (see
+ <xref linkend="ssl-tcp"/> for more information).
+ Otherwise, the <literal>hostssl</literal> record is ignored except for
+ logging a warning that it cannot match any connections.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>hostnossl</literal></term>
+ <listitem>
+ <para>
+ This record type has the opposite behavior of <literal>hostssl</literal>;
+ it only matches connection attempts made over
+ TCP/IP that do not use <acronym>SSL</acronym>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>hostgssenc</literal></term>
+ <listitem>
+ <para>
+ This record matches connection attempts made using TCP/IP,
+ but only when the connection is made with <acronym>GSSAPI</acronym>
+ encryption.
+ </para>
+
+ <para>
+ To make use of this option the server must be built with
+ <acronym>GSSAPI</acronym> support. Otherwise,
+ the <literal>hostgssenc</literal> record is ignored except for logging
+ a warning that it cannot match any connections.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>hostnogssenc</literal></term>
+ <listitem>
+ <para>
+ This record type has the opposite behavior of <literal>hostgssenc</literal>;
+ it only matches connection attempts made over
+ TCP/IP that do not use <acronym>GSSAPI</acronym> encryption.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><replaceable>database</replaceable></term>
+ <listitem>
+ <para>
+ Specifies which database name(s) this record matches. The value
+ <literal>all</literal> specifies that it matches all databases.
+ The value <literal>sameuser</literal> specifies that the record
+ matches if the requested database has the same name as the
+ requested user. The value <literal>samerole</literal> specifies that
+ the requested user must be a member of the role with the same
+ name as the requested database. (<literal>samegroup</literal> is an
+ obsolete but still accepted spelling of <literal>samerole</literal>.)
+ Superusers are not considered to be members of a role for the
+ purposes of <literal>samerole</literal> unless they are explicitly
+ members of the role, directly or indirectly, and not just by
+ virtue of being a superuser.
+ The value <literal>replication</literal> specifies that the record
+ matches if a physical replication connection is requested, however, it
+ doesn't match with logical replication connections. Note that physical
+ replication connections do not specify any particular database whereas
+ logical replication connections do specify it.
+ Otherwise, this is the name of
+ a specific <productname>PostgreSQL</productname> database.
+ Multiple database names can be supplied by separating them with
+ commas. A separate file containing database names can be specified by
+ preceding the file name with <literal>@</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><replaceable>user</replaceable></term>
+ <listitem>
+ <para>
+ Specifies which database user name(s) this record
+ matches. The value <literal>all</literal> specifies that it
+ matches all users. Otherwise, this is either the name of a specific
+ database user, or a group name preceded by <literal>+</literal>.
+ (Recall that there is no real distinction between users and groups
+ in <productname>PostgreSQL</productname>; a <literal>+</literal> mark really means
+ <quote>match any of the roles that are directly or indirectly members
+ of this role</quote>, while a name without a <literal>+</literal> mark matches
+ only that specific role.) For this purpose, a superuser is only
+ considered to be a member of a role if they are explicitly a member
+ of the role, directly or indirectly, and not just by virtue of
+ being a superuser.
+ Multiple user names can be supplied by separating them with commas.
+ A separate file containing user names can be specified by preceding the
+ file name with <literal>@</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><replaceable>address</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the client machine address(es) that this record
+ matches. This field can contain either a host name, an IP
+ address range, or one of the special key words mentioned below.
+ </para>
+
+ <para>
+ An IP address range is specified using standard numeric notation
+ for the range's starting address, then a slash (<literal>/</literal>)
+ and a <acronym>CIDR</acronym> mask length. The mask
+ length indicates the number of high-order bits of the client
+ IP address that must match. Bits to the right of this should
+ be zero in the given IP address.
+ There must not be any white space between the IP address, the
+ <literal>/</literal>, and the CIDR mask length.
+ </para>
+
+ <para>
+ Typical examples of an IPv4 address range specified this way are
+ <literal>172.20.143.89/32</literal> for a single host, or
+ <literal>172.20.143.0/24</literal> for a small network, or
+ <literal>10.6.0.0/16</literal> for a larger one.
+ An IPv6 address range might look like <literal>::1/128</literal>
+ for a single host (in this case the IPv6 loopback address) or
+ <literal>fe80::7a31:c1ff:0000:0000/96</literal> for a small
+ network.
+ <literal>0.0.0.0/0</literal> represents all
+ IPv4 addresses, and <literal>::0/0</literal> represents
+ all IPv6 addresses.
+ To specify a single host, use a mask length of 32 for IPv4 or
+ 128 for IPv6. In a network address, do not omit trailing zeroes.
+ </para>
+
+ <para>
+ An entry given in IPv4 format will match only IPv4 connections,
+ and an entry given in IPv6 format will match only IPv6 connections,
+ even if the represented address is in the IPv4-in-IPv6 range.
+ Note that entries in IPv6 format will be rejected if the system's
+ C library does not have support for IPv6 addresses.
+ </para>
+
+ <para>
+ You can also write <literal>all</literal> to match any IP address,
+ <literal>samehost</literal> to match any of the server's own IP
+ addresses, or <literal>samenet</literal> to match any address in any
+ subnet that the server is directly connected to.
+ </para>
+
+ <para>
+ If a host name is specified (anything that is not an IP address
+ range or a special key word is treated as a host name),
+ that name is compared with the result of a reverse name
+ resolution of the client's IP address (e.g., reverse DNS
+ lookup, if DNS is used). Host name comparisons are case
+ insensitive. If there is a match, then a forward name
+ resolution (e.g., forward DNS lookup) is performed on the host
+ name to check whether any of the addresses it resolves to are
+ equal to the client's IP address. If both directions match,
+ then the entry is considered to match. (The host name that is
+ used in <filename>pg_hba.conf</filename> should be the one that
+ address-to-name resolution of the client's IP address returns,
+ otherwise the line won't be matched. Some host name databases
+ allow associating an IP address with multiple host names, but
+ the operating system will only return one host name when asked
+ to resolve an IP address.)
+ </para>
+
+ <para>
+ A host name specification that starts with a dot
+ (<literal>.</literal>) matches a suffix of the actual host
+ name. So <literal>.example.com</literal> would match
+ <literal>foo.example.com</literal> (but not just
+ <literal>example.com</literal>).
+ </para>
+
+ <para>
+ When host names are specified
+ in <filename>pg_hba.conf</filename>, you should make sure that
+ name resolution is reasonably fast. It can be of advantage to
+ set up a local name resolution cache such
+ as <command>nscd</command>. Also, you may wish to enable the
+ configuration parameter <varname>log_hostname</varname> to see
+ the client's host name instead of the IP address in the log.
+ </para>
+
+ <para>
+ These fields do not apply to <literal>local</literal> records.
+ </para>
+
+ <note>
+ <para>
+ Users sometimes wonder why host names are handled
+ in this seemingly complicated way, with two name resolutions
+ including a reverse lookup of the client's IP address. This
+ complicates use of the feature in case the client's reverse DNS
+ entry is not set up or yields some undesirable host name.
+ It is done primarily for efficiency: this way, a connection attempt
+ requires at most two resolver lookups, one reverse and one forward.
+ If there is a resolver problem with some address, it becomes only
+ that client's problem. A hypothetical alternative
+ implementation that only did forward lookups would have to
+ resolve every host name mentioned in
+ <filename>pg_hba.conf</filename> during every connection attempt.
+ That could be quite slow if many names are listed.
+ And if there is a resolver problem with one of the host names,
+ it becomes everyone's problem.
+ </para>
+
+ <para>
+ Also, a reverse lookup is necessary to implement the suffix
+ matching feature, because the actual client host name needs to
+ be known in order to match it against the pattern.
+ </para>
+
+ <para>
+ Note that this behavior is consistent with other popular
+ implementations of host name-based access control, such as the
+ Apache HTTP Server and TCP Wrappers.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><replaceable>IP-address</replaceable></term>
+ <term><replaceable>IP-mask</replaceable></term>
+ <listitem>
+ <para>
+ These two fields can be used as an alternative to the
+ <replaceable>IP-address</replaceable><literal>/</literal><replaceable>mask-length</replaceable>
+ notation. Instead of
+ specifying the mask length, the actual mask is specified in a
+ separate column. For example, <literal>255.0.0.0</literal> represents an IPv4
+ CIDR mask length of 8, and <literal>255.255.255.255</literal> represents a
+ CIDR mask length of 32.
+ </para>
+
+ <para>
+ These fields do not apply to <literal>local</literal> records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><replaceable>auth-method</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the authentication method to use when a connection matches
+ this record. The possible choices are summarized here; details
+ are in <xref linkend="auth-methods"/>. All the options
+ are lower case and treated case sensitively, so even acronyms like
+ <literal>ldap</literal> must be specified as lower case.
+
+ <variablelist>
+ <varlistentry>
+ <term><literal>trust</literal></term>
+ <listitem>
+ <para>
+ Allow the connection unconditionally. This method
+ allows anyone that can connect to the
+ <productname>PostgreSQL</productname> database server to login as
+ any <productname>PostgreSQL</productname> user they wish,
+ without the need for a password or any other authentication. See <xref
+ linkend="auth-trust"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>reject</literal></term>
+ <listitem>
+ <para>
+ Reject the connection unconditionally. This is useful for
+ <quote>filtering out</quote> certain hosts from a group, for example a
+ <literal>reject</literal> line could block a specific host from connecting,
+ while a later line allows the remaining hosts in a specific
+ network to connect.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>scram-sha-256</literal></term>
+ <listitem>
+ <para>
+ Perform SCRAM-SHA-256 authentication to verify the user's
+ password. See <xref linkend="auth-password"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>md5</literal></term>
+ <listitem>
+ <para>
+ Perform SCRAM-SHA-256 or MD5 authentication to verify the
+ user's password. See <xref linkend="auth-password"/>
+ for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>password</literal></term>
+ <listitem>
+ <para>
+ Require the client to supply an unencrypted password for
+ authentication.
+ Since the password is sent in clear text over the
+ network, this should not be used on untrusted networks.
+ See <xref linkend="auth-password"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>gss</literal></term>
+ <listitem>
+ <para>
+ Use GSSAPI to authenticate the user. This is only
+ available for TCP/IP connections. See <xref
+ linkend="gssapi-auth"/> for details. It can be used in conjunction
+ with GSSAPI encryption.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>sspi</literal></term>
+ <listitem>
+ <para>
+ Use SSPI to authenticate the user. This is only
+ available on Windows. See <xref
+ linkend="sspi-auth"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>ident</literal></term>
+ <listitem>
+ <para>
+ Obtain the operating system user name of the client
+ by contacting the ident server on the client
+ and check if it matches the requested database user name.
+ Ident authentication can only be used on TCP/IP
+ connections. When specified for local connections, peer
+ authentication will be used instead.
+ See <xref linkend="auth-ident"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>peer</literal></term>
+ <listitem>
+ <para>
+ Obtain the client's operating system user name from the operating
+ system and check if it matches the requested database user name.
+ This is only available for local connections.
+ See <xref linkend="auth-peer"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>ldap</literal></term>
+ <listitem>
+ <para>
+ Authenticate using an <acronym>LDAP</acronym> server. See <xref
+ linkend="auth-ldap"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>radius</literal></term>
+ <listitem>
+ <para>
+ Authenticate using a RADIUS server. See <xref
+ linkend="auth-radius"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>cert</literal></term>
+ <listitem>
+ <para>
+ Authenticate using SSL client certificates. See
+ <xref linkend="auth-cert"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>pam</literal></term>
+ <listitem>
+ <para>
+ Authenticate using the Pluggable Authentication Modules
+ (PAM) service provided by the operating system. See <xref
+ linkend="auth-pam"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>bsd</literal></term>
+ <listitem>
+ <para>
+ Authenticate using the BSD Authentication service provided by the
+ operating system. See <xref linkend="auth-bsd"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><replaceable>auth-options</replaceable></term>
+ <listitem>
+ <para>
+ After the <replaceable>auth-method</replaceable> field, there can be field(s) of
+ the form <replaceable>name</replaceable><literal>=</literal><replaceable>value</replaceable> that
+ specify options for the authentication method. Details about which
+ options are available for which authentication methods appear below.
+ </para>
+
+ <para>
+ In addition to the method-specific options listed below, there is a
+ method-independent authentication option <literal>clientcert</literal>, which
+ can be specified in any <literal>hostssl</literal> record.
+ This option can be set to <literal>verify-ca</literal> or
+ <literal>verify-full</literal>. Both options require the client
+ to present a valid (trusted) SSL certificate, while
+ <literal>verify-full</literal> additionally enforces that the
+ <literal>cn</literal> (Common Name) in the certificate matches
+ the username or an applicable mapping.
+ This behavior is similar to the <literal>cert</literal> authentication
+ method (see <xref linkend="auth-cert"/>) but enables pairing
+ the verification of client certificates with any authentication
+ method that supports <literal>hostssl</literal> entries.
+ </para>
+ <para>
+ On any record using client certificate authentication (i.e. one
+ using the <literal>cert</literal> authentication method or one
+ using the <literal>clientcert</literal> option), you can specify
+ which part of the client certificate credentials to match using
+ the <literal>clientname</literal> option. This option can have one
+ of two values. If you specify <literal>clientname=CN</literal>, which
+ is the default, the username is matched against the certificate's
+ <literal>Common Name (CN)</literal>. If instead you specify
+ <literal>clientname=DN</literal> the username is matched against the
+ entire <literal>Distinguished Name (DN)</literal> of the certificate.
+ This option is probably best used in conjunction with a username map.
+ The comparison is done with the <literal>DN</literal> in
+ <ulink url="https://tools.ietf.org/html/rfc2253">RFC 2253</ulink>
+ format. To see the <literal>DN</literal> of a client certificate
+ in this format, do
+<programlisting>
+openssl x509 -in myclient.crt -noout --subject -nameopt RFC2253 | sed "s/^subject=//"
+</programlisting>
+ Care needs to be taken when using this option, especially when using
+ regular expression matching against the <literal>DN</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ Files included by <literal>@</literal> constructs are read as lists of names,
+ which can be separated by either whitespace or commas. Comments are
+ introduced by <literal>#</literal>, just as in
+ <filename>pg_hba.conf</filename>, and nested <literal>@</literal> constructs are
+ allowed. Unless the file name following <literal>@</literal> is an absolute
+ path, it is taken to be relative to the directory containing the
+ referencing file.
+ </para>
+
+ <para>
+ Since the <filename>pg_hba.conf</filename> records are examined
+ sequentially for each connection attempt, the order of the records is
+ significant. Typically, earlier records will have tight connection
+ match parameters and weaker authentication methods, while later
+ records will have looser match parameters and stronger authentication
+ methods. For example, one might wish to use <literal>trust</literal>
+ authentication for local TCP/IP connections but require a password for
+ remote TCP/IP connections. In this case a record specifying
+ <literal>trust</literal> authentication for connections from 127.0.0.1 would
+ appear before a record specifying password authentication for a wider
+ range of allowed client IP addresses.
+ </para>
+
+ <para>
+ The <filename>pg_hba.conf</filename> file is read on start-up and when
+ the main server process receives a
+ <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
+ signal. If you edit the file on an
+ active system, you will need to signal the postmaster
+ (using <literal>pg_ctl reload</literal>, calling the SQL function
+ <function>pg_reload_conf()</function>, or using <literal>kill
+ -HUP</literal>) to make it re-read the file.
+ </para>
+
+ <note>
+ <para>
+ The preceding statement is not true on Microsoft Windows: there, any
+ changes in the <filename>pg_hba.conf</filename> file are immediately
+ applied by subsequent new connections.
+ </para>
+ </note>
+
+ <para>
+ The system view
+ <link linkend="view-pg-hba-file-rules"><structname>pg_hba_file_rules</structname></link>
+ can be helpful for pre-testing changes to the <filename>pg_hba.conf</filename>
+ file, or for diagnosing problems if loading of the file did not have the
+ desired effects. Rows in the view with
+ non-null <structfield>error</structfield> fields indicate problems in the
+ corresponding lines of the file.
+ </para>
+
+ <tip>
+ <para>
+ To connect to a particular database, a user must not only pass the
+ <filename>pg_hba.conf</filename> checks, but must have the
+ <literal>CONNECT</literal> privilege for the database. If you wish to
+ restrict which users can connect to which databases, it's usually
+ easier to control this by granting/revoking <literal>CONNECT</literal> privilege
+ than to put the rules in <filename>pg_hba.conf</filename> entries.
+ </para>
+ </tip>
+
+ <para>
+ Some examples of <filename>pg_hba.conf</filename> entries are shown in
+ <xref linkend="example-pg-hba.conf"/>. See the next section for details on the
+ different authentication methods.
+ </para>
+
+ <example id="example-pg-hba.conf">
+ <title>Example <filename>pg_hba.conf</filename> Entries</title>
+<programlisting>
+# Allow any user on the local system to connect to any database with
+# any database user name using Unix-domain sockets (the default for local
+# connections).
+#
+# TYPE DATABASE USER ADDRESS METHOD
+local all all trust
+
+# The same using local loopback TCP/IP connections.
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host all all 127.0.0.1/32 trust
+
+# The same as the previous line, but using a separate netmask column
+#
+# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
+host all all 127.0.0.1 255.255.255.255 trust
+
+# The same over IPv6.
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host all all ::1/128 trust
+
+# The same using a host name (would typically cover both IPv4 and IPv6).
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host all all localhost trust
+
+# Allow any user from any host with IP address 192.168.93.x to connect
+# to database "postgres" as the same user name that ident reports for
+# the connection (typically the operating system user name).
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host postgres all 192.168.93.0/24 ident
+
+# Allow any user from host 192.168.12.10 to connect to database
+# "postgres" if the user's password is correctly supplied.
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host postgres all 192.168.12.10/32 scram-sha-256
+
+# Allow any user from hosts in the example.com domain to connect to
+# any database if the user's password is correctly supplied.
+#
+# Require SCRAM authentication for most users, but make an exception
+# for user 'mike', who uses an older client that doesn't support SCRAM
+# authentication.
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host all mike .example.com md5
+host all all .example.com scram-sha-256
+
+# In the absence of preceding "host" lines, these three lines will
+# reject all connections from 192.168.54.1 (since that entry will be
+# matched first), but allow GSSAPI-encrypted connections from anywhere else
+# on the Internet. The zero mask causes no bits of the host IP address to
+# be considered, so it matches any host. Unencrypted GSSAPI connections
+# (which "fall through" to the third line since "hostgssenc" only matches
+# encrypted GSSAPI connections) are allowed, but only from 192.168.12.10.
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host all all 192.168.54.1/32 reject
+hostgssenc all all 0.0.0.0/0 gss
+host all all 192.168.12.10/32 gss
+
+# Allow users from 192.168.x.x hosts to connect to any database, if
+# they pass the ident check. If, for example, ident says the user is
+# "bryanh" and he requests to connect as PostgreSQL user "guest1", the
+# connection is allowed if there is an entry in pg_ident.conf for map
+# "omicron" that says "bryanh" is allowed to connect as "guest1".
+#
+# TYPE DATABASE USER ADDRESS METHOD
+host all all 192.168.0.0/16 ident map=omicron
+
+# If these are the only three lines for local connections, they will
+# allow local users to connect only to their own databases (databases
+# with the same name as their database user name) except for administrators
+# and members of role "support", who can connect to all databases. The file
+# $PGDATA/admins contains a list of names of administrators. Passwords
+# are required in all cases.
+#
+# TYPE DATABASE USER ADDRESS METHOD
+local sameuser all md5
+local all @admins md5
+local all +support md5
+
+# The last two lines above can be combined into a single line:
+local all @admins,+support md5
+
+# The database column can also use lists and file names:
+local db1,db2,@demodbs all md5
+</programlisting>
+ </example>
+ </sect1>
+
+ <sect1 id="auth-username-maps">
+ <title>User Name Maps</title>
+
+ <indexterm zone="auth-username-maps">
+ <primary>User name maps</primary>
+ </indexterm>
+
+ <para>
+ When using an external authentication system such as Ident or GSSAPI,
+ the name of the operating system user that initiated the connection
+ might not be the same as the database user (role) that is to be used.
+ In this case, a user name map can be applied to map the operating system
+ user name to a database user. To use user name mapping, specify
+ <literal>map</literal>=<replaceable>map-name</replaceable>
+ in the options field in <filename>pg_hba.conf</filename>. This option is
+ supported for all authentication methods that receive external user names.
+ Since different mappings might be needed for different connections,
+ the name of the map to be used is specified in the
+ <replaceable>map-name</replaceable> parameter in <filename>pg_hba.conf</filename>
+ to indicate which map to use for each individual connection.
+ </para>
+
+ <para>
+ User name maps are defined in the ident map file, which by default is named
+ <filename>pg_ident.conf</filename><indexterm><primary>pg_ident.conf</primary></indexterm>
+ and is stored in the
+ cluster's data directory. (It is possible to place the map file
+ elsewhere, however; see the <xref linkend="guc-ident-file"/>
+ configuration parameter.)
+ The ident map file contains lines of the general form:
+<synopsis>
+<replaceable>map-name</replaceable> <replaceable>system-username</replaceable> <replaceable>database-username</replaceable>
+</synopsis>
+ Comments, whitespace and line continuations are handled in the same way as in
+ <filename>pg_hba.conf</filename>. The
+ <replaceable>map-name</replaceable> is an arbitrary name that will be used to
+ refer to this mapping in <filename>pg_hba.conf</filename>. The other
+ two fields specify an operating system user name and a matching
+ database user name. The same <replaceable>map-name</replaceable> can be
+ used repeatedly to specify multiple user-mappings within a single map.
+ </para>
+ <para>
+ There is no restriction regarding how many database users a given
+ operating system user can correspond to, nor vice versa. Thus, entries
+ in a map should be thought of as meaning <quote>this operating system
+ user is allowed to connect as this database user</quote>, rather than
+ implying that they are equivalent. The connection will be allowed if
+ there is any map entry that pairs the user name obtained from the
+ external authentication system with the database user name that the
+ user has requested to connect as.
+ </para>
+ <para>
+ If the <replaceable>system-username</replaceable> field starts with a slash (<literal>/</literal>),
+ the remainder of the field is treated as a regular expression.
+ (See <xref linkend="posix-syntax-details"/> for details of
+ <productname>PostgreSQL</productname>'s regular expression syntax.) The regular
+ expression can include a single capture, or parenthesized subexpression,
+ which can then be referenced in the <replaceable>database-username</replaceable>
+ field as <literal>\1</literal> (backslash-one). This allows the mapping of
+ multiple user names in a single line, which is particularly useful for
+ simple syntax substitutions. For example, these entries
+<programlisting>
+mymap /^(.*)@mydomain\.com$ \1
+mymap /^(.*)@otherdomain\.com$ guest
+</programlisting>
+ will remove the domain part for users with system user names that end with
+ <literal>@mydomain.com</literal>, and allow any user whose system name ends with
+ <literal>@otherdomain.com</literal> to log in as <literal>guest</literal>.
+ </para>
+
+ <tip>
+ <para>
+ Keep in mind that by default, a regular expression can match just part of
+ a string. It's usually wise to use <literal>^</literal> and <literal>$</literal>, as
+ shown in the above example, to force the match to be to the entire
+ system user name.
+ </para>
+ </tip>
+
+ <para>
+ The <filename>pg_ident.conf</filename> file is read on start-up and
+ when the main server process receives a
+ <systemitem>SIGHUP</systemitem><indexterm><primary>SIGHUP</primary></indexterm>
+ signal. If you edit the file on an
+ active system, you will need to signal the postmaster
+ (using <literal>pg_ctl reload</literal>, calling the SQL function
+ <function>pg_reload_conf()</function>, or using <literal>kill
+ -HUP</literal>) to make it re-read the file.
+ </para>
+
+ <para>
+ The system view
+ <link linkend="view-pg-ident-file-mappings"><structname>pg_ident_file_mappings</structname></link>
+ can be helpful for pre-testing changes to the
+ <filename>pg_ident.conf</filename> file, or for diagnosing problems if
+ loading of the file did not have the desired effects. Rows in the view with
+ non-null <structfield>error</structfield> fields indicate problems in the
+ corresponding lines of the file.
+ </para>
+
+ <para>
+ A <filename>pg_ident.conf</filename> file that could be used in
+ conjunction with the <filename>pg_hba.conf</filename> file in <xref
+ linkend="example-pg-hba.conf"/> is shown in <xref
+ linkend="example-pg-ident.conf"/>. In this example, anyone
+ logged in to a machine on the 192.168 network that does not have the
+ operating system user name <literal>bryanh</literal>, <literal>ann</literal>, or
+ <literal>robert</literal> would not be granted access. Unix user
+ <literal>robert</literal> would only be allowed access when he tries to
+ connect as <productname>PostgreSQL</productname> user <literal>bob</literal>, not
+ as <literal>robert</literal> or anyone else. <literal>ann</literal> would
+ only be allowed to connect as <literal>ann</literal>. User
+ <literal>bryanh</literal> would be allowed to connect as either
+ <literal>bryanh</literal> or as <literal>guest1</literal>.
+ </para>
+
+ <example id="example-pg-ident.conf">
+ <title>An Example <filename>pg_ident.conf</filename> File</title>
+<programlisting>
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+
+omicron bryanh bryanh
+omicron ann ann
+# bob has user name robert on these machines
+omicron robert bob
+# bryanh can also connect as guest1
+omicron bryanh guest1
+</programlisting>
+ </example>
+ </sect1>
+
+ <sect1 id="auth-methods">
+ <title>Authentication Methods</title>
+
+ <para>
+ <productname>PostgreSQL</productname> provides various methods for
+ authenticating users:
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ <link linkend="auth-trust">Trust authentication</link>, which
+ simply trusts that users are who they say they are.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-password">Password authentication</link>, which
+ requires that users send a password.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="gssapi-auth">GSSAPI authentication</link>, which
+ relies on a GSSAPI-compatible security library. Typically this is
+ used to access an authentication server such as a Kerberos or
+ Microsoft Active Directory server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="sspi-auth">SSPI authentication</link>, which
+ uses a Windows-specific protocol similar to GSSAPI.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-ident">Ident authentication</link>, which
+ relies on an <quote>Identification Protocol</quote>
+ (<ulink url="https://tools.ietf.org/html/rfc1413">RFC 1413</ulink>)
+ service on the client's machine. (On local Unix-socket connections,
+ this is treated as peer authentication.)
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-peer">Peer authentication</link>, which
+ relies on operating system facilities to identify the process at the
+ other end of a local connection. This is not supported for remote
+ connections.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-ldap">LDAP authentication</link>, which
+ relies on an LDAP authentication server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-radius">RADIUS authentication</link>, which
+ relies on a RADIUS authentication server.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-cert">Certificate authentication</link>, which
+ requires an SSL connection and authenticates users by checking the
+ SSL certificate they send.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-pam">PAM authentication</link>, which
+ relies on a PAM (Pluggable Authentication Modules) library.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <link linkend="auth-bsd">BSD authentication</link>, which
+ relies on the BSD Authentication framework (currently available
+ only on OpenBSD).
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <para>
+ Peer authentication is usually recommendable for local connections,
+ though trust authentication might be sufficient in some circumstances.
+ Password authentication is the easiest choice for remote connections.
+ All the other options require some kind of external security
+ infrastructure (usually an authentication server or a certificate
+ authority for issuing SSL certificates), or are platform-specific.
+ </para>
+
+ <para>
+ The following sections describe each of these authentication methods
+ in more detail.
+ </para>
+ </sect1>
+
+ <sect1 id="auth-trust">
+ <title>Trust Authentication</title>
+
+ <para>
+ When <literal>trust</literal> authentication is specified,
+ <productname>PostgreSQL</productname> assumes that anyone who can
+ connect to the server is authorized to access the database with
+ whatever database user name they specify (even superuser names).
+ Of course, restrictions made in the <literal>database</literal> and
+ <literal>user</literal> columns still apply.
+ This method should only be used when there is adequate
+ operating-system-level protection on connections to the server.
+ </para>
+
+ <para>
+ <literal>trust</literal> authentication is appropriate and very
+ convenient for local connections on a single-user workstation. It
+ is usually <emphasis>not</emphasis> appropriate by itself on a multiuser
+ machine. However, you might be able to use <literal>trust</literal> even
+ on a multiuser machine, if you restrict access to the server's
+ Unix-domain socket file using file-system permissions. To do this, set the
+ <varname>unix_socket_permissions</varname> (and possibly
+ <varname>unix_socket_group</varname>) configuration parameters as
+ described in <xref linkend="runtime-config-connection"/>. Or you
+ could set the <varname>unix_socket_directories</varname>
+ configuration parameter to place the socket file in a suitably
+ restricted directory.
+ </para>
+
+ <para>
+ Setting file-system permissions only helps for Unix-socket connections.
+ Local TCP/IP connections are not restricted by file-system permissions.
+ Therefore, if you want to use file-system permissions for local security,
+ remove the <literal>host ... 127.0.0.1 ...</literal> line from
+ <filename>pg_hba.conf</filename>, or change it to a
+ non-<literal>trust</literal> authentication method.
+ </para>
+
+ <para>
+ <literal>trust</literal> authentication is only suitable for TCP/IP connections
+ if you trust every user on every machine that is allowed to connect
+ to the server by the <filename>pg_hba.conf</filename> lines that specify
+ <literal>trust</literal>. It is seldom reasonable to use <literal>trust</literal>
+ for any TCP/IP connections other than those from <systemitem>localhost</systemitem> (127.0.0.1).
+ </para>
+
+ </sect1>
+
+ <sect1 id="auth-password">
+ <title>Password Authentication</title>
+
+ <indexterm>
+ <primary>MD5</primary>
+ </indexterm>
+ <indexterm>
+ <primary>SCRAM</primary>
+ </indexterm>
+ <indexterm>
+ <primary>password</primary>
+ <secondary>authentication</secondary>
+ </indexterm>
+
+ <para>
+ There are several password-based authentication methods. These methods
+ operate similarly but differ in how the users' passwords are stored on the
+ server and how the password provided by a client is sent across the
+ connection.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><literal>scram-sha-256</literal></term>
+ <listitem>
+ <para>
+ The method <literal>scram-sha-256</literal> performs SCRAM-SHA-256
+ authentication, as described in
+ <ulink url="https://tools.ietf.org/html/rfc7677">RFC 7677</ulink>. It
+ is a challenge-response scheme that prevents password sniffing on
+ untrusted connections and supports storing passwords on the server in a
+ cryptographically hashed form that is thought to be secure.
+ </para>
+
+ <para>
+ This is the most secure of the currently provided methods, but it is
+ not supported by older client libraries.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>md5</literal></term>
+ <listitem>
+ <para>
+ The method <literal>md5</literal> uses a custom less secure challenge-response
+ mechanism. It prevents password sniffing and avoids storing passwords
+ on the server in plain text but provides no protection if an attacker
+ manages to steal the password hash from the server. Also, the MD5 hash
+ algorithm is nowadays no longer considered secure against determined
+ attacks.
+ </para>
+
+ <para>
+ The <literal>md5</literal> method cannot be used with
+ the <xref linkend="guc-db-user-namespace"/> feature.
+ </para>
+
+ <para>
+ To ease transition from the <literal>md5</literal> method to the newer
+ SCRAM method, if <literal>md5</literal> is specified as a method
+ in <filename>pg_hba.conf</filename> but the user's password on the
+ server is encrypted for SCRAM (see below), then SCRAM-based
+ authentication will automatically be chosen instead.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>password</literal></term>
+ <listitem>
+ <para>
+ The method <literal>password</literal> sends the password in clear-text and is
+ therefore vulnerable to password <quote>sniffing</quote> attacks. It should
+ always be avoided if possible. If the connection is protected by SSL
+ encryption then <literal>password</literal> can be used safely, though.
+ (Though SSL certificate authentication might be a better choice if one
+ is depending on using SSL).
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ <productname>PostgreSQL</productname> database passwords are
+ separate from operating system user passwords. The password for
+ each database user is stored in the <literal>pg_authid</literal> system
+ catalog. Passwords can be managed with the SQL commands
+ <xref linkend="sql-createrole"/> and
+ <xref linkend="sql-alterrole"/>,
+ e.g., <userinput>CREATE ROLE foo WITH LOGIN PASSWORD 'secret'</userinput>,
+ or the <application>psql</application>
+ command <literal>\password</literal>.
+ If no password has been set up for a user, the stored password
+ is null and password authentication will always fail for that user.
+ </para>
+
+ <para>
+ The availability of the different password-based authentication methods
+ depends on how a user's password on the server is encrypted (or hashed,
+ more accurately). This is controlled by the configuration
+ parameter <xref linkend="guc-password-encryption"/> at the time the
+ password is set. If a password was encrypted using
+ the <literal>scram-sha-256</literal> setting, then it can be used for the
+ authentication methods <literal>scram-sha-256</literal>
+ and <literal>password</literal> (but password transmission will be in
+ plain text in the latter case). The authentication method
+ specification <literal>md5</literal> will automatically switch to using
+ the <literal>scram-sha-256</literal> method in this case, as explained
+ above, so it will also work. If a password was encrypted using
+ the <literal>md5</literal> setting, then it can be used only for
+ the <literal>md5</literal> and <literal>password</literal> authentication
+ method specifications (again, with the password transmitted in plain text
+ in the latter case). (Previous PostgreSQL releases supported storing the
+ password on the server in plain text. This is no longer possible.) To
+ check the currently stored password hashes, see the system
+ catalog <literal>pg_authid</literal>.
+ </para>
+
+ <para>
+ To upgrade an existing installation from <literal>md5</literal>
+ to <literal>scram-sha-256</literal>, after having ensured that all client
+ libraries in use are new enough to support SCRAM,
+ set <literal>password_encryption = 'scram-sha-256'</literal>
+ in <filename>postgresql.conf</filename>, make all users set new passwords,
+ and change the authentication method specifications
+ in <filename>pg_hba.conf</filename> to <literal>scram-sha-256</literal>.
+ </para>
+ </sect1>
+
+ <sect1 id="gssapi-auth">
+ <title>GSSAPI Authentication</title>
+
+ <indexterm zone="gssapi-auth">
+ <primary>GSSAPI</primary>
+ </indexterm>
+
+ <para>
+ <productname>GSSAPI</productname> is an industry-standard protocol
+ for secure authentication defined in
+ <ulink url="https://tools.ietf.org/html/rfc2743">RFC 2743</ulink>.
+ <productname>PostgreSQL</productname>
+ supports <productname>GSSAPI</productname> for authentication,
+ communications encryption, or both.
+ <productname>GSSAPI</productname> provides automatic authentication
+ (single sign-on) for systems that support it. The authentication itself is
+ secure. If <productname>GSSAPI</productname> encryption
+ or <acronym>SSL</acronym> encryption is
+ used, the data sent along the database connection will be encrypted;
+ otherwise, it will not.
+ </para>
+
+ <para>
+ GSSAPI support has to be enabled when <productname>PostgreSQL</productname> is built;
+ see <xref linkend="installation"/> for more information.
+ </para>
+
+ <para>
+ When <productname>GSSAPI</productname> uses
+ <productname>Kerberos</productname>, it uses a standard service
+ principal (authentication identity) name in the format
+ <literal><replaceable>servicename</replaceable>/<replaceable>hostname</replaceable>@<replaceable>realm</replaceable></literal>.
+ The principal name used by a particular installation is not encoded in
+ the <productname>PostgreSQL</productname> server in any way; rather it
+ is specified in the <firstterm>keytab</firstterm> file that the server
+ reads to determine its identity. If multiple principals are listed in
+ the keytab file, the server will accept any one of them.
+ The server's realm name is the preferred realm specified in the Kerberos
+ configuration file(s) accessible to the server.
+ </para>
+
+ <para>
+ When connecting, the client must know the principal name of the server
+ it intends to connect to. The <replaceable>servicename</replaceable>
+ part of the principal is ordinarily <literal>postgres</literal>,
+ but another value can be selected via <application>libpq</application>'s
+ <xref linkend="libpq-connect-krbsrvname"/> connection parameter.
+ The <replaceable>hostname</replaceable> part is the fully qualified
+ host name that <application>libpq</application> is told to connect to.
+ The realm name is the preferred realm specified in the Kerberos
+ configuration file(s) accessible to the client.
+ </para>
+
+ <para>
+ The client will also have a principal name for its own identity
+ (and it must have a valid ticket for this principal). To
+ use <productname>GSSAPI</productname> for authentication, the client
+ principal must be associated with
+ a <productname>PostgreSQL</productname> database user name.
+ The <filename>pg_ident.conf</filename> configuration file can be used
+ to map principals to user names; for example,
+ <literal>pgusername@realm</literal> could be mapped to just <literal>pgusername</literal>.
+ Alternatively, you can use the full <literal>username@realm</literal> principal as
+ the role name in <productname>PostgreSQL</productname> without any mapping.
+ </para>
+
+ <para>
+ <productname>PostgreSQL</productname> also supports mapping
+ client principals to user names by just stripping the realm from
+ the principal. This method is supported for backwards compatibility and is
+ strongly discouraged as it is then impossible to distinguish different users
+ with the same user name but coming from different realms. To enable this,
+ set <literal>include_realm</literal> to 0. For simple single-realm
+ installations, doing that combined with setting the
+ <literal>krb_realm</literal> parameter (which checks that the principal's realm
+ matches exactly what is in the <literal>krb_realm</literal> parameter)
+ is still secure; but this is a
+ less capable approach compared to specifying an explicit mapping in
+ <filename>pg_ident.conf</filename>.
+ </para>
+
+ <para>
+ The location of the server's keytab file is specified by the <xref
+ linkend="guc-krb-server-keyfile"/> configuration parameter.
+ For security reasons, it is recommended to use a separate keytab
+ just for the <productname>PostgreSQL</productname> server rather
+ than allowing the server to read the system keytab file.
+ Make sure that your server keytab file is readable (and preferably
+ only readable, not writable) by the <productname>PostgreSQL</productname>
+ server account. (See also <xref linkend="postgres-user"/>.)
+ </para>
+
+ <para>
+ The keytab file is generated using the Kerberos software; see the
+ Kerberos documentation for details. The following example shows
+ doing this using the <application>kadmin</application> tool of
+ MIT-compatible Kerberos 5 implementations:
+<screen>
+<prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
+<prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>
+</screen>
+ </para>
+
+ <para>
+ The following authentication options are supported for
+ the <productname>GSSAPI</productname> authentication method:
+ <variablelist>
+ <varlistentry>
+ <term><literal>include_realm</literal></term>
+ <listitem>
+ <para>
+ If set to 0, the realm name from the authenticated user principal is
+ stripped off before being passed through the user name mapping
+ (<xref linkend="auth-username-maps"/>). This is discouraged and is
+ primarily available for backwards compatibility, as it is not secure
+ in multi-realm environments unless <literal>krb_realm</literal> is
+ also used. It is recommended to
+ leave <literal>include_realm</literal> set to the default (1) and to
+ provide an explicit mapping in <filename>pg_ident.conf</filename> to convert
+ principal names to <productname>PostgreSQL</productname> user names.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>map</literal></term>
+ <listitem>
+ <para>
+ Allows mapping from client principals to database user names. See
+ <xref linkend="auth-username-maps"/> for details. For a GSSAPI/Kerberos
+ principal, such as <literal>username@EXAMPLE.COM</literal> (or, less
+ commonly, <literal>username/hostbased@EXAMPLE.COM</literal>), the
+ user name used for mapping is
+ <literal>username@EXAMPLE.COM</literal> (or
+ <literal>username/hostbased@EXAMPLE.COM</literal>, respectively),
+ unless <literal>include_realm</literal> has been set to 0, in which case
+ <literal>username</literal> (or <literal>username/hostbased</literal>)
+ is what is seen as the system user name when mapping.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>krb_realm</literal></term>
+ <listitem>
+ <para>
+ Sets the realm to match user principal names against. If this parameter
+ is set, only users of that realm will be accepted. If it is not set,
+ users of any realm can connect, subject to whatever user name mapping
+ is done.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ In addition to these settings, which can be different for
+ different <filename>pg_hba.conf</filename> entries, there is the
+ server-wide <xref linkend="guc-krb-caseins-users"/> configuration
+ parameter. If that is set to true, client principals are matched to
+ user map entries case-insensitively. <literal>krb_realm</literal>, if
+ set, is also matched case-insensitively.
+ </para>
+ </sect1>
+
+ <sect1 id="sspi-auth">
+ <title>SSPI Authentication</title>
+
+ <indexterm zone="sspi-auth">
+ <primary>SSPI</primary>
+ </indexterm>
+
+ <para>
+ <productname>SSPI</productname> is a <productname>Windows</productname>
+ technology for secure authentication with single sign-on.
+ <productname>PostgreSQL</productname> will use SSPI in
+ <literal>negotiate</literal> mode, which will use
+ <productname>Kerberos</productname> when possible and automatically
+ fall back to <productname>NTLM</productname> in other cases.
+ <productname>SSPI</productname> authentication only works when both
+ server and client are running <productname>Windows</productname>,
+ or, on non-Windows platforms, when <productname>GSSAPI</productname>
+ is available.
+ </para>
+
+ <para>
+ When using <productname>Kerberos</productname> authentication,
+ <productname>SSPI</productname> works the same way
+ <productname>GSSAPI</productname> does; see <xref linkend="gssapi-auth"/>
+ for details.
+ </para>
+
+ <para>
+ The following configuration options are supported for <productname>SSPI</productname>:
+ <variablelist>
+
+ <varlistentry>
+ <term><literal>include_realm</literal></term>
+ <listitem>
+ <para>
+ If set to 0, the realm name from the authenticated user principal is
+ stripped off before being passed through the user name mapping
+ (<xref linkend="auth-username-maps"/>). This is discouraged and is
+ primarily available for backwards compatibility, as it is not secure
+ in multi-realm environments unless <literal>krb_realm</literal> is
+ also used. It is recommended to
+ leave <literal>include_realm</literal> set to the default (1) and to
+ provide an explicit mapping in <filename>pg_ident.conf</filename> to convert
+ principal names to <productname>PostgreSQL</productname> user names.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>compat_realm</literal></term>
+ <listitem>
+ <para>
+ If set to 1, the domain's SAM-compatible name (also known as the
+ NetBIOS name) is used for the <literal>include_realm</literal>
+ option. This is the default. If set to 0, the true realm name from
+ the Kerberos user principal name is used.
+ </para>
+ <para>
+ Do not disable this option unless your server runs under a domain
+ account (this includes virtual service accounts on a domain member
+ system) and all clients authenticating through SSPI are also using
+ domain accounts, or authentication will fail.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>upn_username</literal></term>
+ <listitem>
+ <para>
+ If this option is enabled along with <literal>compat_realm</literal>,
+ the user name from the Kerberos UPN is used for authentication. If
+ it is disabled (the default), the SAM-compatible user name is used.
+ By default, these two names are identical for new user accounts.
+ </para>
+ <para>
+ Note that <application>libpq</application> uses the SAM-compatible name if no
+ explicit user name is specified. If you use
+ <application>libpq</application> or a driver based on it, you should
+ leave this option disabled or explicitly specify user name in the
+ connection string.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>map</literal></term>
+ <listitem>
+ <para>
+ Allows for mapping between system and database user names. See
+ <xref linkend="auth-username-maps"/> for details. For an SSPI/Kerberos
+ principal, such as <literal>username@EXAMPLE.COM</literal> (or, less
+ commonly, <literal>username/hostbased@EXAMPLE.COM</literal>), the
+ user name used for mapping is
+ <literal>username@EXAMPLE.COM</literal> (or
+ <literal>username/hostbased@EXAMPLE.COM</literal>, respectively),
+ unless <literal>include_realm</literal> has been set to 0, in which case
+ <literal>username</literal> (or <literal>username/hostbased</literal>)
+ is what is seen as the system user name when mapping.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>krb_realm</literal></term>
+ <listitem>
+ <para>
+ Sets the realm to match user principal names against. If this parameter
+ is set, only users of that realm will be accepted. If it is not set,
+ users of any realm can connect, subject to whatever user name mapping
+ is done.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </sect1>
+
+ <sect1 id="auth-ident">
+ <title>Ident Authentication</title>
+
+ <indexterm>
+ <primary>ident</primary>
+ </indexterm>
+
+ <para>
+ The ident authentication method works by obtaining the client's
+ operating system user name from an ident server and using it as
+ the allowed database user name (with an optional user name mapping).
+ This is only supported on TCP/IP connections.
+ </para>
+
+ <note>
+ <para>
+ When ident is specified for a local (non-TCP/IP) connection,
+ peer authentication (see <xref linkend="auth-peer"/>) will be
+ used instead.
+ </para>
+ </note>
+
+ <para>
+ The following configuration options are supported for <literal>ident</literal>:
+ <variablelist>
+ <varlistentry>
+ <term><literal>map</literal></term>
+ <listitem>
+ <para>
+ Allows for mapping between system and database user names. See
+ <xref linkend="auth-username-maps"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ The <quote>Identification Protocol</quote> is described in
+ <ulink url="https://tools.ietf.org/html/rfc1413">RFC 1413</ulink>.
+ Virtually every Unix-like
+ operating system ships with an ident server that listens on TCP
+ port 113 by default. The basic functionality of an ident server
+ is to answer questions like <quote>What user initiated the
+ connection that goes out of your port <replaceable>X</replaceable>
+ and connects to my port <replaceable>Y</replaceable>?</quote>.
+ Since <productname>PostgreSQL</productname> knows both <replaceable>X</replaceable> and
+ <replaceable>Y</replaceable> when a physical connection is established, it
+ can interrogate the ident server on the host of the connecting
+ client and can theoretically determine the operating system user
+ for any given connection.
+ </para>
+
+ <para>
+ The drawback of this procedure is that it depends on the integrity
+ of the client: if the client machine is untrusted or compromised,
+ an attacker could run just about any program on port 113 and
+ return any user name they choose. This authentication method is
+ therefore only appropriate for closed networks where each client
+ machine is under tight control and where the database and system
+ administrators operate in close contact. In other words, you must
+ trust the machine running the ident server.
+ Heed the warning:
+ <blockquote>
+ <attribution>RFC 1413</attribution>
+ <para>
+ The Identification Protocol is not intended as an authorization
+ or access control protocol.
+ </para>
+ </blockquote>
+ </para>
+
+ <para>
+ Some ident servers have a nonstandard option that causes the returned
+ user name to be encrypted, using a key that only the originating
+ machine's administrator knows. This option <emphasis>must not</emphasis> be
+ used when using the ident server with <productname>PostgreSQL</productname>,
+ since <productname>PostgreSQL</productname> does not have any way to decrypt the
+ returned string to determine the actual user name.
+ </para>
+ </sect1>
+
+ <sect1 id="auth-peer">
+ <title>Peer Authentication</title>
+
+ <indexterm>
+ <primary>peer</primary>
+ </indexterm>
+
+ <para>
+ The peer authentication method works by obtaining the client's
+ operating system user name from the kernel and using it as the
+ allowed database user name (with optional user name mapping). This
+ method is only supported on local connections.
+ </para>
+
+ <para>
+ The following configuration options are supported for <literal>peer</literal>:
+ <variablelist>
+ <varlistentry>
+ <term><literal>map</literal></term>
+ <listitem>
+ <para>
+ Allows for mapping between system and database user names. See
+ <xref linkend="auth-username-maps"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ Peer authentication is only available on operating systems providing
+ the <function>getpeereid()</function> function, the <symbol>SO_PEERCRED</symbol>
+ socket parameter, or similar mechanisms. Currently that includes
+ <systemitem class="osname">Linux</systemitem>,
+ most flavors of <systemitem class="osname">BSD</systemitem> including
+ <systemitem class="osname">macOS</systemitem>,
+ and <systemitem class="osname">Solaris</systemitem>.
+ </para>
+
+ </sect1>
+
+ <sect1 id="auth-ldap">
+ <title>LDAP Authentication</title>
+
+ <indexterm zone="auth-ldap">
+ <primary>LDAP</primary>
+ </indexterm>
+
+ <para>
+ This authentication method operates similarly to
+ <literal>password</literal> except that it uses LDAP
+ as the password verification method. LDAP is used only to validate
+ the user name/password pairs. Therefore the user must already
+ exist in the database before LDAP can be used for
+ authentication.
+ </para>
+
+ <para>
+ LDAP authentication can operate in two modes. In the first mode,
+ which we will call the simple bind mode,
+ the server will bind to the distinguished name constructed as
+ <replaceable>prefix</replaceable> <replaceable>username</replaceable> <replaceable>suffix</replaceable>.
+ Typically, the <replaceable>prefix</replaceable> parameter is used to specify
+ <literal>cn=</literal>, or <replaceable>DOMAIN</replaceable><literal>\</literal> in an Active
+ Directory environment. <replaceable>suffix</replaceable> is used to specify the
+ remaining part of the DN in a non-Active Directory environment.
+ </para>
+
+ <para>
+ In the second mode, which we will call the search+bind mode,
+ the server first binds to the LDAP directory with
+ a fixed user name and password, specified with <replaceable>ldapbinddn</replaceable>
+ and <replaceable>ldapbindpasswd</replaceable>, and performs a search for the user trying
+ to log in to the database. If no user and password is configured, an
+ anonymous bind will be attempted to the directory. The search will be
+ performed over the subtree at <replaceable>ldapbasedn</replaceable>, and will try to
+ do an exact match of the attribute specified in
+ <replaceable>ldapsearchattribute</replaceable>.
+ Once the user has been found in
+ this search, the server disconnects and re-binds to the directory as
+ this user, using the password specified by the client, to verify that the
+ login is correct. This mode is the same as that used by LDAP authentication
+ schemes in other software, such as Apache <literal>mod_authnz_ldap</literal> and <literal>pam_ldap</literal>.
+ This method allows for significantly more flexibility
+ in where the user objects are located in the directory, but will cause
+ two separate connections to the LDAP server to be made.
+ </para>
+
+ <para>
+ The following configuration options are used in both modes:
+ <variablelist>
+ <varlistentry>
+ <term><literal>ldapserver</literal></term>
+ <listitem>
+ <para>
+ Names or IP addresses of LDAP servers to connect to. Multiple
+ servers may be specified, separated by spaces.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapport</literal></term>
+ <listitem>
+ <para>
+ Port number on LDAP server to connect to. If no port is specified,
+ the LDAP library's default port setting will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapscheme</literal></term>
+ <listitem>
+ <para>
+ Set to <literal>ldaps</literal> to use LDAPS. This is a non-standard
+ way of using LDAP over SSL, supported by some LDAP server
+ implementations. See also the <literal>ldaptls</literal> option for
+ an alternative.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldaptls</literal></term>
+ <listitem>
+ <para>
+ Set to 1 to make the connection between PostgreSQL and the LDAP server
+ use TLS encryption. This uses the <literal>StartTLS</literal>
+ operation per <ulink url="https://tools.ietf.org/html/rfc4513">RFC 4513</ulink>.
+ See also the <literal>ldapscheme</literal> option for an alternative.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ Note that using <literal>ldapscheme</literal> or
+ <literal>ldaptls</literal> only encrypts the traffic between the
+ PostgreSQL server and the LDAP server. The connection between the
+ PostgreSQL server and the PostgreSQL client will still be unencrypted
+ unless SSL is used there as well.
+ </para>
+
+ <para>
+ The following options are used in simple bind mode only:
+ <variablelist>
+ <varlistentry>
+ <term><literal>ldapprefix</literal></term>
+ <listitem>
+ <para>
+ String to prepend to the user name when forming the DN to bind as,
+ when doing simple bind authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapsuffix</literal></term>
+ <listitem>
+ <para>
+ String to append to the user name when forming the DN to bind as,
+ when doing simple bind authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ The following options are used in search+bind mode only:
+ <variablelist>
+ <varlistentry>
+ <term><literal>ldapbasedn</literal></term>
+ <listitem>
+ <para>
+ Root DN to begin the search for the user in, when doing search+bind
+ authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapbinddn</literal></term>
+ <listitem>
+ <para>
+ DN of user to bind to the directory with to perform the search when
+ doing search+bind authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapbindpasswd</literal></term>
+ <listitem>
+ <para>
+ Password for user to bind to the directory with to perform the search
+ when doing search+bind authentication.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapsearchattribute</literal></term>
+ <listitem>
+ <para>
+ Attribute to match against the user name in the search when doing
+ search+bind authentication. If no attribute is specified, the
+ <literal>uid</literal> attribute will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapsearchfilter</literal></term>
+ <listitem>
+ <para>
+ The search filter to use when doing search+bind authentication.
+ Occurrences of <literal>$username</literal> will be replaced with the
+ user name. This allows for more flexible search filters than
+ <literal>ldapsearchattribute</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>ldapurl</literal></term>
+ <listitem>
+ <para>
+ An <ulink url="https://tools.ietf.org/html/rfc4516">RFC 4516</ulink>
+ LDAP URL. This is an alternative way to write some of the
+ other LDAP options in a more compact and standard form. The format is
+<synopsis>
+ldap[s]://<replaceable>host</replaceable>[:<replaceable>port</replaceable>]/<replaceable>basedn</replaceable>[?[<replaceable>attribute</replaceable>][?[<replaceable>scope</replaceable>][?[<replaceable>filter</replaceable>]]]]
+</synopsis>
+ <replaceable>scope</replaceable> must be one
+ of <literal>base</literal>, <literal>one</literal>, <literal>sub</literal>,
+ typically the last. (The default is <literal>base</literal>, which
+ is normally not useful in this application.) <replaceable>attribute</replaceable> can
+ nominate a single attribute, in which case it is used as a value for
+ <literal>ldapsearchattribute</literal>. If
+ <replaceable>attribute</replaceable> is empty then
+ <replaceable>filter</replaceable> can be used as a value for
+ <literal>ldapsearchfilter</literal>.
+ </para>
+
+ <para>
+ The URL scheme <literal>ldaps</literal> chooses the LDAPS method for
+ making LDAP connections over SSL, equivalent to using
+ <literal>ldapscheme=ldaps</literal>. To use encrypted LDAP
+ connections using the <literal>StartTLS</literal> operation, use the
+ normal URL scheme <literal>ldap</literal> and specify the
+ <literal>ldaptls</literal> option in addition to
+ <literal>ldapurl</literal>.
+ </para>
+
+ <para>
+ For non-anonymous binds, <literal>ldapbinddn</literal>
+ and <literal>ldapbindpasswd</literal> must be specified as separate
+ options.
+ </para>
+
+ <para>
+ LDAP URLs are currently only supported with
+ <productname>OpenLDAP</productname>, not on Windows.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ It is an error to mix configuration options for simple bind with options
+ for search+bind.
+ </para>
+
+ <para>
+ When using search+bind mode, the search can be performed using a single
+ attribute specified with <literal>ldapsearchattribute</literal>, or using
+ a custom search filter specified with
+ <literal>ldapsearchfilter</literal>.
+ Specifying <literal>ldapsearchattribute=foo</literal> is equivalent to
+ specifying <literal>ldapsearchfilter="(foo=$username)"</literal>. If neither
+ option is specified the default is
+ <literal>ldapsearchattribute=uid</literal>.
+ </para>
+
+ <para>
+ If <productname>PostgreSQL</productname> was compiled with
+ <productname>OpenLDAP</productname> as the LDAP client library, the
+ <literal>ldapserver</literal> setting may be omitted. In that case, a
+ list of host names and ports is looked up via
+ <ulink url="https://tools.ietf.org/html/rfc2782">RFC 2782</ulink> DNS SRV records.
+ The name <literal>_ldap._tcp.DOMAIN</literal> is looked up, where
+ <literal>DOMAIN</literal> is extracted from <literal>ldapbasedn</literal>.
+ </para>
+
+ <para>
+ Here is an example for a simple-bind LDAP configuration:
+<programlisting>
+host ... ldap ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
+</programlisting>
+ When a connection to the database server as database
+ user <literal>someuser</literal> is requested, PostgreSQL will attempt to
+ bind to the LDAP server using the DN <literal>cn=someuser, dc=example,
+ dc=net</literal> and the password provided by the client. If that connection
+ succeeds, the database access is granted.
+ </para>
+
+ <para>
+ Here is an example for a search+bind configuration:
+<programlisting>
+host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapsearchattribute=uid
+</programlisting>
+ When a connection to the database server as database
+ user <literal>someuser</literal> is requested, PostgreSQL will attempt to
+ bind anonymously (since <literal>ldapbinddn</literal> was not specified) to
+ the LDAP server, perform a search for <literal>(uid=someuser)</literal>
+ under the specified base DN. If an entry is found, it will then attempt to
+ bind using that found information and the password supplied by the client.
+ If that second connection succeeds, the database access is granted.
+ </para>
+
+ <para>
+ Here is the same search+bind configuration written as a URL:
+<programlisting>
+host ... ldap ldapurl="ldap://ldap.example.net/dc=example,dc=net?uid?sub"
+</programlisting>
+ Some other software that supports authentication against LDAP uses the
+ same URL format, so it will be easier to share the configuration.
+ </para>
+
+ <para>
+ Here is an example for a search+bind configuration that uses
+ <literal>ldapsearchfilter</literal> instead of
+ <literal>ldapsearchattribute</literal> to allow authentication by
+ user ID or email address:
+<programlisting>
+host ... ldap ldapserver=ldap.example.net ldapbasedn="dc=example, dc=net" ldapsearchfilter="(|(uid=$username)(mail=$username))"
+</programlisting>
+ </para>
+
+ <para>
+ Here is an example for a search+bind configuration that uses DNS SRV
+ discovery to find the host name(s) and port(s) for the LDAP service for the
+ domain name <literal>example.net</literal>:
+<programlisting>
+host ... ldap ldapbasedn="dc=example,dc=net"
+</programlisting>
+ </para>
+
+ <tip>
+ <para>
+ Since LDAP often uses commas and spaces to separate the different
+ parts of a DN, it is often necessary to use double-quoted parameter
+ values when configuring LDAP options, as shown in the examples.
+ </para>
+ </tip>
+
+ </sect1>
+
+ <sect1 id="auth-radius">
+ <title>RADIUS Authentication</title>
+
+ <indexterm zone="auth-radius">
+ <primary>RADIUS</primary>
+ </indexterm>
+
+ <para>
+ This authentication method operates similarly to
+ <literal>password</literal> except that it uses RADIUS
+ as the password verification method. RADIUS is used only to validate
+ the user name/password pairs. Therefore the user must already
+ exist in the database before RADIUS can be used for
+ authentication.
+ </para>
+
+ <para>
+ When using RADIUS authentication, an Access Request message will be sent
+ to the configured RADIUS server. This request will be of type
+ <literal>Authenticate Only</literal>, and include parameters for
+ <literal>user name</literal>, <literal>password</literal> (encrypted) and
+ <literal>NAS Identifier</literal>. The request will be encrypted using
+ a secret shared with the server. The RADIUS server will respond to
+ this request with either <literal>Access Accept</literal> or
+ <literal>Access Reject</literal>. There is no support for RADIUS accounting.
+ </para>
+
+ <para>
+ Multiple RADIUS servers can be specified, in which case they will
+ be tried sequentially. If a negative response is received from
+ a server, the authentication will fail. If no response is received,
+ the next server in the list will be tried. To specify multiple
+ servers, separate the server names with commas and surround the list
+ with double quotes. If multiple servers are specified, the other
+ RADIUS options can also be given as comma-separated lists, to provide
+ individual values for each server. They can also be specified as
+ a single value, in which case that value will apply to all servers.
+ </para>
+
+ <para>
+ The following configuration options are supported for RADIUS:
+ <variablelist>
+ <varlistentry>
+ <term><literal>radiusservers</literal></term>
+ <listitem>
+ <para>
+ The DNS names or IP addresses of the RADIUS servers to connect to.
+ This parameter is required.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>radiussecrets</literal></term>
+ <listitem>
+ <para>
+ The shared secrets used when talking securely to the RADIUS
+ servers. This must have exactly the same value on the PostgreSQL
+ and RADIUS servers. It is recommended that this be a string of
+ at least 16 characters. This parameter is required.
+ <note>
+ <para>
+ The encryption vector used will only be cryptographically
+ strong if <productname>PostgreSQL</productname> is built with support for
+ <productname>OpenSSL</productname>. In other cases, the transmission to the
+ RADIUS server should only be considered obfuscated, not secured, and
+ external security measures should be applied if necessary.
+ </para>
+ </note>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>radiusports</literal></term>
+ <listitem>
+ <para>
+ The port numbers to connect to on the RADIUS servers. If no port
+ is specified, the default RADIUS port (<literal>1812</literal>)
+ will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>radiusidentifiers</literal></term>
+ <listitem>
+ <para>
+ The strings to be used as <literal>NAS Identifier</literal> in the
+ RADIUS requests. This parameter can be used, for example, to
+ identify which database cluster the user is attempting to connect
+ to, which can be useful for policy matching on
+ the RADIUS server. If no identifier is specified, the default
+ <literal>postgresql</literal> will be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+
+ <para>
+ If it is necessary to have a comma or whitespace in a RADIUS parameter
+ value, that can be done by putting double quotes around the value, but
+ it is tedious because two layers of double-quoting are now required.
+ An example of putting whitespace into RADIUS secret strings is:
+<programlisting>
+host ... radius radiusservers="server1,server2" radiussecrets="""secret one"",""secret two"""
+</programlisting>
+ </para>
+ </sect1>
+
+ <sect1 id="auth-cert">
+ <title>Certificate Authentication</title>
+
+ <indexterm zone="auth-cert">
+ <primary>Certificate</primary>
+ </indexterm>
+
+ <para>
+ This authentication method uses SSL client certificates to perform
+ authentication. It is therefore only available for SSL connections.
+ When using this authentication method, the server will require that
+ the client provide a valid, trusted certificate. No password prompt
+ will be sent to the client. The <literal>cn</literal> (Common Name)
+ attribute of the certificate
+ will be compared to the requested database user name, and if they match
+ the login will be allowed. User name mapping can be used to allow
+ <literal>cn</literal> to be different from the database user name.
+ </para>
+
+ <para>
+ The following configuration options are supported for SSL certificate
+ authentication:
+ <variablelist>
+ <varlistentry>
+ <term><literal>map</literal></term>
+ <listitem>
+ <para>
+ Allows for mapping between system and database user names. See
+ <xref linkend="auth-username-maps"/> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ It is redundant to use the <literal>clientcert</literal> option with
+ <literal>cert</literal> authentication because <literal>cert</literal>
+ authentication is effectively <literal>trust</literal> authentication
+ with <literal>clientcert=verify-full</literal>.
+ </para>
+ </sect1>
+
+ <sect1 id="auth-pam">
+ <title>PAM Authentication</title>
+
+ <indexterm zone="auth-pam">
+ <primary>PAM</primary>
+ </indexterm>
+
+ <para>
+ This authentication method operates similarly to
+ <literal>password</literal> except that it uses PAM (Pluggable
+ Authentication Modules) as the authentication mechanism. The
+ default PAM service name is <literal>postgresql</literal>.
+ PAM is used only to validate user name/password pairs and optionally the
+ connected remote host name or IP address. Therefore the user must already
+ exist in the database before PAM can be used for authentication. For more
+ information about PAM, please read the
+ <ulink url="https://www.kernel.org/pub/linux/libs/pam/">
+ <productname>Linux-PAM</productname> Page</ulink>.
+ </para>
+
+ <para>
+ The following configuration options are supported for PAM:
+ <variablelist>
+ <varlistentry>
+ <term><literal>pamservice</literal></term>
+ <listitem>
+ <para>
+ PAM service name.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>pam_use_hostname</literal></term>
+ <listitem>
+ <para>
+ Determines whether the remote IP address or the host name is provided
+ to PAM modules through the <symbol>PAM_RHOST</symbol> item. By
+ default, the IP address is used. Set this option to 1 to use the
+ resolved host name instead. Host name resolution can lead to login
+ delays. (Most PAM configurations don't use this information, so it is
+ only necessary to consider this setting if a PAM configuration was
+ specifically created to make use of it.)
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <note>
+ <para>
+ If PAM is set up to read <filename>/etc/shadow</filename>, authentication
+ will fail because the PostgreSQL server is started by a non-root
+ user. However, this is not an issue when PAM is configured to use
+ LDAP or other authentication methods.
+ </para>
+ </note>
+ </sect1>
+
+ <sect1 id="auth-bsd">
+ <title>BSD Authentication</title>
+
+ <indexterm zone="auth-bsd">
+ <primary>BSD Authentication</primary>
+ </indexterm>
+
+ <para>
+ This authentication method operates similarly to
+ <literal>password</literal> except that it uses BSD Authentication
+ to verify the password. BSD Authentication is used only
+ to validate user name/password pairs. Therefore the user's role must
+ already exist in the database before BSD Authentication can be used
+ for authentication. The BSD Authentication framework is currently
+ only available on OpenBSD.
+ </para>
+
+ <para>
+ BSD Authentication in <productname>PostgreSQL</productname> uses
+ the <literal>auth-postgresql</literal> login type and authenticates with
+ the <literal>postgresql</literal> login class if that's defined
+ in <filename>login.conf</filename>. By default that login class does not
+ exist, and <productname>PostgreSQL</productname> will use the default login class.
+ </para>
+
+ <note>
+ <para>
+ To use BSD Authentication, the PostgreSQL user account (that is, the
+ operating system user running the server) must first be added to
+ the <literal>auth</literal> group. The <literal>auth</literal> group
+ exists by default on OpenBSD systems.
+ </para>
+ </note>
+ </sect1>
+
+ <sect1 id="client-authentication-problems">
+ <title>Authentication Problems</title>
+
+ <para>
+ Authentication failures and related problems generally
+ manifest themselves through error messages like the following:
+ </para>
+
+ <para>
+<programlisting>
+FATAL: no pg_hba.conf entry for host "123.123.123.123", user "andym", database "testdb"
+</programlisting>
+ This is what you are most likely to get if you succeed in contacting
+ the server, but it does not want to talk to you. As the message
+ suggests, the server refused the connection request because it found
+ no matching entry in its <filename>pg_hba.conf</filename>
+ configuration file.
+ </para>
+
+ <para>
+<programlisting>
+FATAL: password authentication failed for user "andym"
+</programlisting>
+ Messages like this indicate that you contacted the server, and it is
+ willing to talk to you, but not until you pass the authorization
+ method specified in the <filename>pg_hba.conf</filename> file. Check
+ the password you are providing, or check your Kerberos or ident
+ software if the complaint mentions one of those authentication
+ types.
+ </para>
+
+ <para>
+<programlisting>
+FATAL: user "andym" does not exist
+</programlisting>
+ The indicated database user name was not found.
+ </para>
+
+ <para>
+<programlisting>
+FATAL: database "testdb" does not exist
+</programlisting>
+ The database you are trying to connect to does not exist. Note that
+ if you do not specify a database name, it defaults to the database
+ user name, which might or might not be the right thing.
+ </para>
+
+ <tip>
+ <para>
+ The server log might contain more information about an
+ authentication failure than is reported to the client. If you are
+ confused about the reason for a failure, check the server log.
+ </para>
+ </tip>
+ </sect1>
+
+ </chapter>